Creating Findings

In the next step, try out the upload plugins for creating issues. The various Dradis extensions import results from external tools into your penetration test project. If you do not have a suitable result of your own, download the sample result from Burp Suite [3]: save the page as an HTML file, then click Upload in the menu at top right to open the Upload Manager (Figure 1).

Figure 1: Downloading a sample result with the Dradis Upload Manager.

Now select the Dradis::Plugins::Burp::Html plugin in step 1, keep the imported issues in draft status by selecting Draft in step 2, and then select the previously downloaded file in step 3. After the upload, you can monitor the import progress in the output console. When done, select All issues again, and you will see the sample data for grandjuice.store. As an analyst, you would now process the data and finalize it for your own report. Set the status to Ready for Review when saving, which means that the report can be published after a quality check by another member of staff.

Generating a Report

Once you and your colleagues have entered all the findings, it's time to generate the final report. You can do this with the Export Manager, which you can access from the Export link in the menu at the top. The default is an HTML export that is based on one of the two ready-made Dradis templates.

Of course, with a little HTML knowledge, you can create your own templates and make them available in the Dradis ./templates/reports/html_export folder. When I clicked on Export for the sample run, my instance complained about not having sufficient access privileges to write the report. This warning seems to indicate a bug in the Docker image. Use docker ps to discover your container's name and then solve the problem with the command:

docker exec -ti -u root <containername> chown rails /app/app/views/tmp

You will then be able to export the report without an error message. The practical ability to export to Word and Excel file formats is reserved for users of the Pro version. Armed with your own HTML templates, though, you can achieve a similarly professional look when completing your report.

Conclusions

In this article, I provided insights into the basic use of Dradis. Even if the Community Edition is a little limited in terms of functionality in some respects, it is definitely suitable for the team-based preparation, implementation, and reporting of penetration tests.

In fact, you will find more use cases for Dradis and, with a little programming overhead, be able to develop additional plugins to import report data from the applications you regularly use, along with templates for exporting your final reports. With the use of different instances, courtesy of Docker and the like, you can implement multiple projects, as well.
