diff --git a/site/search/search_index.json b/site/search/search_index.json
index 2eb4ab5..d8afd07 100644
--- a/site/search/search_index.json
+++ b/site/search/search_index.json
@@ -1 +1 @@
-{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"Welcome to FACTION","text":"PenTesting Report Generation and Collaboration Engine
FACTION is your entire assessment workflow in a box. With FACTION you can:
-
Automate pen testing and security assessment Reports
-
Peer review and track changes for reports
-
Create customized DOCX templates for different assessment types and retests
-
Real-time collaboration with assessors via the web app and Burp Suite Extensions
-
Customizable vulnerability templates with over 75 prepopulated
-
Easily manage assessment teams and track progress across your organization
-
Track vulnerability remediation efforts with custom SLA warnings and alerts \u00a0
-
Full Rest API to integrate with other tools\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0
Other Features:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0
-
LDAP Integration\u00a0 \u00a0 \u00a0 \u00a0
-
OAUTH2.0 Integration
-
SMTP integration\u00a0
-
Extendable with Custom Plugins similar to Burp Extender.
-
Custom Report Variables
Want to see it in action? -> Faction Video Overview
","tags":[]},{"location":"#quick-setup","title":"Quick Setup","text":"Requirements - Java JDK11 - Maven (for building the project)
Run the following commands to build the war file and deploy it to the docker container.
git clone git@github.com:factionsecurity/faction.git\ncd faction\nmvn clean compile war:war\ndocker-compose up --build\n
Once the containers are up you can navigate to http://127.0.0.1:8080 to access your FACTION instance. On the first boot, it will ask you to create an admin account.
","tags":[]},{"location":"#import-the-vulnerability-templates","title":"Import the Vulnerability Templates","text":" - Navigate to Admin -> Default Vulnerabilities
- Click Import from Faction
","tags":[]},{"location":"#customize-reports","title":"Customize reports","text":"You can find out more information about creating your own custom report templates here: Customize Report Templates
","tags":[]},{"location":"#burp-suite-extension","title":"Burp Suite Extension","text":"Burp Suite Extensions
","tags":[]},{"location":"#dont-want-to-host-it-yourself","title":"Don't want to host it yourself?","text":"We can provide hosting for your instance. All instances are single tenants so you don't have to worry about sharing infrastructure with untrusted parties. Hosted versions also come with other features like enhanced reporting. Navigate to https://www.factionsecurity.com to learn more.
","tags":[]},{"location":"#screenshots","title":"Screenshots","text":"Vulnerability Templates
Assessment Scheduling
Peer Review and Track Changes
","tags":[]},{"location":"Custom%20Security%20Report%20Templates/","title":"Custom Security Report Templates","text":"The Faction Report Designer allows you to create custom security report templates for each assessment type. When building reports you need to use the variables listed below. Entering these into your DOCX reports will auto-replace the assessment and vulnerability text when the report is generated. You can even use the same variables in many of the assessor input fields outside of the report template (like Risk Assessment Summaries) and it will auto-populate the fields when the report is generated.
You can download the sample templates here: Sample Templates
Note
You should disable spellcheck in your template document while adding variables. The spellcheck can cause the variables to contain attributes that will make the variable unrecognizable to the Faction document parser.
","tags":["Reporting","Customize","Variables"]},{"location":"Custom%20Security%20Report%20Templates/#general-variables","title":"GENERAL VARIABLES:","text":"All of these variables can be used anywhere in the DOCX template. Those with a star \u2b50\ufe0f can be used in the web interface to assist in creating common reusable templates.
- ${TOC}\u00a0\u2013 Placeholder for the Table of Contents
- ${summary1}\u00a0\u2013 The high level summary
- ${summary2}\u00a0\u2013 The objective and scope
- ${asmtId}\u00a0\u2013 Internal Database ID \u2b50\ufe0f
- ${asmtAppid}\u00a0\u2013 The assigned Application ID \u2b50\ufe0f
- ${asmtName}\u00a0\u2013 The Assessment Name \u2b50\ufe0f
- ${asmtAssessor}\u00a0\u2013 The first assessor assigned to the assessment \u2b50\ufe0f
- ${asmtAssessor_Email}\u00a0\u2013 The first assessor email address \u2b50\ufe0f
- ${asmtAssessors_Lines}\u00a0\u2013 All Assessors split into lines \u2b50\ufe0f
- ${asmtAssessors_Comma}\u00a0\u2013 All Assessors split into a comma delimited list \u2b50\ufe0f
- ${asmtAssessor_Bullets}\u00a0\u2013 All Assessors split into a bulleted list \u2b50\ufe0f
- ${remediation}\u00a0\u2013 The Remediation Person assigned to the assessment \u2b50\ufe0f
- ${riskCount*}\u00a0\u2013 The number of findings at the RiskLevel 0-9 \u2b50\ufe0f
- ${riskTotal}\u00a0\u2013 The total number of findings at all RiskLevels \u2b50\ufe0f
- ${asmtTeam}\u00a0\u2013 The Assessor Team Name \u2b50\ufe0f
- ${asmtType}\u00a0\u2013 The Type of the Assessment \u2b50\ufe0f
- ${asmtStart}\u00a0\u2013 The Start date of the assessment \u2b50\ufe0f
- ${asmtEnd}\u00a0\u2013 The End date of the assessment \u2b50\ufe0f
- ${asmtAccessKey}\u00a0\u2013 Guid to access the client retest queue. \u2b50\ufe0f
- ${today}\u00a0\u2013 Day the report is generated \u2b50\ufe0f
- ${cfXXXXXX}\u00a0\u2013 Custom Fields are ones you specify in the admin interface. These are all prefixed with \u201ccf\u201d \u2b50\ufe0f
- ${totalOpenVulns} - Can be used in retest reports to show a count of open vulnerabilities. (Since 1.3)
- ${totalClosedVulns} - Can be used in retest reports to show the total count of closed vulnerabilities. (Since 1.3)
","tags":["Reporting","Customize","Variables"]},{"location":"Custom%20Security%20Report%20Templates/#vulnerability-tables-variables","title":"VULNERABILITY TABLES VARIABLES:","text":"These are only available inside tables.
- ${vulnTable}\u00a0\u2013 This defines a table to be a vulnerability listing table.
- ${vulnTable Section_Name}\u00a0\u2013 This defines a table to be a vulnerability listing table for a section of vulnerabilities. See Reporting Sections(Paid Only Feature).
- ${vulnName}\u00a0\u2013 The Vulnerability name
- ${rec}\u00a0\u2013\u00a0Vulnerability Recommendation
- ${desc}\u00a0\u2013\u00a0Vulnerability Description
- ${category}\u00a0\u2013 Category of the vulnerability
- ${severity}\u00a0\u2013 Severity of each vulnerability.
- ${likelihood}\u00a0\u2013 Likelihood of the vulnerability
- ${impact}\u00a0\u2013 Impact of the vulnerability
- ${cvssScore}\u00a0\u2013 CVSS score of the vulnerability (Since v1.2)
- ${cvssString}\u00a0\u2013 CVSS vector of the vulnerability (Since v1.2)
- ${count}\u00a0\u2013 Row Count of the vulnerability
- ${tracking}\u00a0\u2013 Tracking number of the vulnerability
- ${vid}\u00a0\u2013 Vulnerability internal database id
- ${openedAt} - The date the vulnerability began tracking (Since 1.3)
- ${closedAt} - The date the vulnerability was closed (no longer tracked) (Since 1.3)
- ${remediationStatus} - Displays only \"Open\" or \"Closed\" (Since 1.3)
- ${cfXXXXXX}\u00a0\u2013 Custom Fields are ones you specify in the admin interface. These are all prefixed with \u201ccf\u201d
- ${color \u00a0key=value,key=value}\u00a0\u2013 The color of the text is based on key-value pairs.\u00a0See below for how to set up colors.
- ${cells key=value,key=value}\u00a0\u2013 The color of the table cell is based on key-value pairs.\u00a0\u00a0See below for how to set up colors.
- ${loop}\u00a0\u2013 This variable tells the report generator which row will be repeated.
- ${loop-*}\u00a0\u2013 This allows multiple rows to be repeated. Example ${loop-1} will repeat the row but the one below it.
- ${details}\u00a0\u2013 This will insert screenshots and exploit steps for each vulnerability.
- ${noIssuesText} - This is the default text displayed in the section if no vulnerabilities are reported. (Since 1.3.28)
","tags":["Reporting","Customize","Variables"]},{"location":"Custom%20Security%20Report%20Templates/#example-table-summary-table","title":"Example Table Summary Table","text":"${vulnTable} ${color Critical=C00000,High=FFC000} ID Finding Name Impact Severity ${loop} ${count}. ${vulnName} ${impact} ${severity}","tags":["Reporting","Customize","Variables"]},{"location":"Custom%20Security%20Report%20Templates/#example-table-detail-table","title":"Example Table Detail Table","text":"${vulnTable} ${cells Critical=8064a2,High=c0504d,Medium=e68e00, Low=33D7FF,Recommended=081417,Informational=657376} ${loop-5} ## 1\u00a0 ${vulnName} ${severity} CVSS: ${cvssString} ${cvssScore} Category: ${category} Description:${desc} Recommendation:${rec} ${details} **Why is the heading yellow?!?! Check here
","tags":["Reporting","Customize","Variables"]},{"location":"Custom%20Security%20Report%20Templates/#vulnerability-block-variables","title":"VULNERABILITY BLOCK VARIABLES:","text":"For when you do not want to use tables to display your vulnerability information. You can use the following variables for inserting vulnerability information outside of a table
- ${fiBegin} / ${fiEnd}\u00a0\u2013 Block to repeat against all findings.
- ${fiBegin Section_Name} / ${fiEnd Section_Name}\u00a0\u2013 Block to repeat a section of findings. See Reporting Sections (Paid Only Feature)
- ${vulnName}\u00a0\u2013 The Vulnerability name
- ${rec}\u00a0\u2013\u00a0Vulnerability Recommendation
- ${desc}\u00a0\u2013\u00a0Vulnerability Description
- ${category}\u00a0\u2013 Category of the vulnerability
- ${severity}\u00a0\u2013 Severity of each vulnerability.
- ${likelihood}\u00a0\u2013 Likelihood of the vulnerability
- ${impact}\u00a0\u2013 Impact of the vulnerability
- ${cvssScore}\u00a0\u2013 CVSS score of the vulnerability (Since 1.2)
- ${cvssString}\u00a0\u2013 CVSS vector of the vulnerability (Since 1.2)
- ${count}\u00a0\u2013 Row Count of the vulnerability
- ${tracking}\u00a0\u2013 Tracking number of the vulnerability
- ${vid}\u00a0\u2013 Vulnerability internal database id
- ${openedAt} - The date the vulnerability began tracking (Since 1.3)
- ${closedAt} - The date the vulnerability was closed (no longer tracked) (Since 1.3)
- ${remediationStatus} - Displays only \"Open\" or \"Closed\" (Since 1.3)
- ${cfXXXXXX}\u00a0\u2013 Custom Fields are ones you specify in the admin interface. These are all prefixed with \u201ccf\u201d
- ${details}\u00a0\u2013 This will insert screenshots and exploit steps for each vulnerability.
- ${color \u00a0key=value,key=value}\u00a0\u2013 The color of the text is based on key-value pairs.\u00a0See below for how to set up colors.
- ${fill key=value,key=value}\u00a0\u2013 The color of the background elements is based on key-value pairs.\u00a0\u00a0See below for how to set up colors.
- ${noIssuesText} - This is the default text displayed in the section if no vulnerabilities are reported. (Since 1.3.28)
","tags":["Reporting","Customize","Variables"]},{"location":"Custom%20Security%20Report%20Templates/#example-block-findings","title":"Example Block Findings","text":"**Why is the heading yellow?!?! Check here
","tags":["Reporting","Customize","Variables"]},{"location":"Custom%20Security%20Report%20Templates/#reporting-sections-enterprisepaid-feature","title":"Reporting Sections (Enterprise/Paid Feature)","text":"You can put findings into different sections of your report for paid versions and certain sponsored tiers of Faction. You may want to use sections if you are doing different types of pen tests in one report and need to keep these sections separated. For example, you can segregate findings into Application Security and Network Security Sections.
To use sections you need to create the section names in the Faction Report Designer:
Once the sections are created in the UI, you can add them to the report in two ways. 1. Vulnerability Block Variables: ${fiBegin Your_Section_Name}
/${fiEnd Your_Section_Name} 2. Vulnerability Table Variables:
${vulnTable Your_Section_Name}`
Below is an example of how the template variables work:
","tags":["Reporting","Customize","Variables"]},{"location":"Custom%20Security%20Report%20Templates/#css-formatting","title":"CSS FORMATTING:","text":"All of the text generated from Faction is HTML. You can control how it is rendered in the DOCX format using the CSS editor in the Report Designer. You will need to set the CSS to match your report templates. Things like font and size will need to match. Images will need to be forced to resize to the correct dimensions to fit in your reports.
","tags":["Reporting","Customize","Variables"]},{"location":"Custom%20Security%20Report%20Templates/#setting-severity-colors","title":"SETTING SEVERITY COLORS:","text":"When building reports you most likely will set the text or cell to the color that matches the severity of the finding. To achieve this in FACTION you need to set a default color in the docx template that matches the severity category (i.e. Overall, Likelihood, and Impact). These default colors are in the table below:
Category Color Hex Overall Severity #FAC701 Likelihood #FAC702 Impact #FAC703 For Example, a table in MS Word below has pre-filled the color codes for each severity name and category.
Right-click the overall severity variable,\u00a0${severity}; you can see the default hex code for this color is #FAC701. Likelihood would be set to #FAC02, and Impact would be set to #FAC703.
Setting the background color for cells works in much the same way. Notice we use the ${cells} variable instead.
Right-click on the cell and set the color you may only want to use the Overall severity option but you can have multiple cells with each category if you wish.
Below is an example of the generated report table with colors replaced.
","tags":["Reporting","Customize","Variables"]},{"location":"Custom%20Variables/","title":"Custom Variables","text":"You can use custom variables to add additional features to Faction. These variables can be used to add additional information to vulnerabilities like a CVSS score or to populate additional data in reports like \"product owner\", \"cost center\", etc.
Note
Faction 1.2 and above has CVSS Scoring built in. You can still use this information as a guide to add your own custom variables.
","tags":["Reporting","Customize"]},{"location":"Custom%20Variables/#adding-a-cvss-score","title":"Adding a CVSS Score","text":"As of Faction version 1.1.25.1, Faction does not have CVSS scores built in but you can add your own easily.
","tags":["Reporting","Customize"]},{"location":"Custom%20Variables/#step-1-add-custom-fields-in-admin","title":"Step 1 : Add Custom Fields in Admin","text":"Navigate to Admin -> Settings and add two Custom Fields: CVSS3.1 and CVSS String with variable names cvss3
and cvssstring
.
The Name will be what is displayed in the UI and the variable name will be used in the report template. We want to apply this to Vulnerability so that it will be available when we add vulnerabilities to the assessment.
","tags":["Reporting","Customize"]},{"location":"Custom%20Variables/#step-2-update-the-report-template","title":"Step 2: Update the Report Template","text":"We need to change our report template to include the new variables in the vulnerability section of the template. In this case, we already have a table with vulnerability information and we need to add another row to this table with the new variables. The default template can be downloaded here.
Notice all custom field variables are pre-populated with cf
. If we defined a custom field with a variable of cvss3
then the reporting variable will be ${cfcvss3}
.
Note: We needed to change the loop
variable to inform the Faction reporting engine that the number of rows in the table has changed from 4 to 5. If you are not changing the number of rows then this update is not necessary.
","tags":["Reporting","Customize"]},{"location":"Custom%20Variables/#step-3-add-a-new-vulnerability-to-the-assessment","title":"Step 3: Add a New Vulnerability to the Assessment","text":"When you add a vulnerability to the assessment the custom fields will be available in the form as shown below:
Entering the CVSS score will be automatically saved and a report can now be generated with these new Fields.
","tags":["Reporting","Customize"]},{"location":"Faction%20App%20Store%20Extensions/","title":"Faction App Store Extensions","text":"Below is a List of Approved Faction Extensions. These all work with Faction 1.2+
Name Developer URL Faction Jira Integration Faction Security https://github.com/factionsecurity/Faction-Jira-Extension Faction Vulnerability Bar Chart Faction Security https://github.com/factionsecurity/Faction-Vulnerability-Bar-Chart","tags":["App Store","API"]},{"location":"Faction%20App%20Store%20Extensions/#submit-an-extension","title":"Submit an Extension","text":"Send an email to develop [ at ] factionsecurity [dot] com with a link to your github and a brief explanation of what it does.
","tags":["App Store","API"]},{"location":"Faction%20Severity%20Rating%20and%20CVSS%20Scoring/","title":"Faction Severity Rating and CVSS Scoring","text":"Native:
CVSS:
FACTION's severity rankings are easily customizable to how you perform assessments. You can even create different severity options for the type of assessment.
FACTION has 3 options to choose:
- Native Severity - This is simply High, Medium, Low, etc type rankings. Faction let you set up to 10 levels and can rename them to anything that works for your process.
- CVSS 3.1 - This option enables First.org CVSS 3.1 Severity Scoring and was introduced in FACTION 1.2
- CVSS 4.0 = This option enables First.org CVSS 4.0 Scoring and was introduced in FACTION 1.2
","tags":["CVSS","Vulnerability","Core Features"]},{"location":"Faction%20Severity%20Rating%20and%20CVSS%20Scoring/#native-severity-ranking","title":"Native Severity Ranking","text":" By default, assessments are enabled with Native Severity Ranking. You can choose up to 10 levels. The most common severity names are pre-populated when you install FACTION. You are free to change these names to anything you wish. If your process uses a different nomenclature then you can change Critical
to P1
and High
to P2
for example.
You can find this setting in Templates -> Default Vulnerabilities.
When Native Severity Ranking is enabled, the following options are available when adding a new vulnerability:
","tags":["CVSS","Vulnerability","Core Features"]},{"location":"Faction%20Severity%20Rating%20and%20CVSS%20Scoring/#changing-the-severity-scoring-system","title":"Changing the Severity Scoring System","text":"The severity scoring system is set for each assessment type. You can change this or create new assessment types by navigating to Admin -> Settings:
Notice above that each assessment has a different scoring system. To change the assessment scoring system then simply click the edit
button an select the scoring system from the drop-down.
","tags":["CVSS","Vulnerability","Core Features"]},{"location":"Faction%20Severity%20Rating%20and%20CVSS%20Scoring/#cvss-31-and-40-severity-ranking","title":"CVSS 3.1 and 4.0 Severity Ranking","text":"When changing the scoring system to CVSS 3.1 or 4.0, it changes the vulnerability UI and adds CVSS Calculators to the page.
Clicking on the calculator button next to the CVSS Vector will open a dialog that will build the CVSS vector for you and update the score.
","tags":["CVSS","Vulnerability","Core Features"]},{"location":"How%20to%20Use%20BurpSuite%20with%20Faction/","title":"How to Use BurpSuite with Faction","text":"Faction has a tight integration with BurpSuite and you can now find our extension in the BApp Store. Here are a few things you can do with the Faction Burp Integration. 1. See your assessment and retest queues. 2. Instant access to your assessment scope and other details. 3. View all findings you and your co-pentesters are reporting. 4. Replay payloads from other pentesters. 5. Add issues in Faction directly from BurpSuite.
","tags":["burpsuite","integrations","api"]},{"location":"How%20to%20Use%20BurpSuite%20with%20Faction/#install-the-burp-faction-integration","title":"Install the Burp Faction Integration","text":"You can install the Faction Integration directly from the BApp store. 1. Open Burp then Click Extensions->BApp Store 3. Search for Faction 4. Click Install
","tags":["burpsuite","integrations","api"]},{"location":"How%20to%20Use%20BurpSuite%20with%20Faction/#set-up-faction","title":"Set Up Faction","text":"In BurpSuite navigate to the Faction tab after you have installed the Faction Integration. From here you need to enter the URL and API key for your user.
The URL will be your domain plus api
. Ex https://faction-test.factionsecurity.com/api
You can retrieve your API Key in Faction by accessing your profile in the upper right corner of the Faction Web Interface.
","tags":["burpsuite","integrations","api"]},{"location":"How%20to%20Use%20BurpSuite%20with%20Faction/#access-your-assessment-queue","title":"Access Your Assessment Queue","text":"Now that Faction is configured you should be able to see you current assessment queue as shown below:
Clicking on an assessment will show you the scope, any vulnerabilities that have been reported, and notes that your team has shared with you.
If you select one of the vulnerabilities you can see its full details including screenshots.
","tags":["burpsuite","integrations","api"]},{"location":"How%20to%20Use%20BurpSuite%20with%20Faction/#enter-findings-into-faction-from-burp","title":"Enter Findings into Faction From Burp","text":"Lets say you find an XSS attack and have verified it with BurpSuite. You can add the finding to Faction without ever leaving Burp. Just select the request or response that you want to enter into the report and select \"Add New Finding\" as shown below:
Now you will be presented with the vulnerability findings dialog. Here you can search for an existing vulnerability template to auto populate the details and recommendations.
Next ensure its being sent to the right assessment. The option will default to the last assessment you selected in the previous section on Access your Assessment Queue
Next you have several options.
- Select the severity or leave the default
- Check or uncheck to include the request and/or response. When checked it will include these options in code blocks in the final report.
- \"Snip cookies\" when checked will remove all cookies from being added to the report and replace them with
[...snip...]
- \"Extract Selection\" when checked will only add the portion of the code you selected in Burp to the report. This is most useful trying to only show the reflected script in the response instead of the full response.
- Exploit Steps can be included and supports MarkDown Syntax. Note Screenshots are available though the Burp Extension currently. For this you still need to add them to the Web UI.
Now you can click Save to add it to Faction. All this allows issues to be added seamlessly without breaking your flow. The final result will look something like this.
","tags":["burpsuite","integrations","api"]},{"location":"How%20to%20Use%20BurpSuite%20with%20Faction/#replay-findings","title":"Replay Findings","text":"The Faction Burp Integration has the ability to replay findings if you included the request in the details. Notice the hyperlink above the request when you select a vulnerability in the Faction BurpSuite Integration.
If you click the hyperlink it will add it to your Burp Repeater. This allows you to replay your own findings and findings from your co-pentesters. The same feature is available for retests!
","tags":["burpsuite","integrations","api"]},{"location":"How%20to%20Use%20BurpSuite%20with%20Faction/#add-scan-findings","title":"Add Scan Findings","text":"Anything found in the BurpSuite Scanner can be added directly into Faction using the BurpSuite Integration as well. Just select the issues you want to add and then choose \"Send Issues to Faction\"
Below shows that all issues were combined into two distinct issues.
Notice that if you select more than one of the same issue that it will aggregate the URLs into one finding:
","tags":["burpsuite","integrations","api"]},{"location":"How%20to%20Use%20BurpSuite%20with%20Faction/#wrapping-up","title":"Wrapping Up","text":"All of these features have been implemented to make adding issues to pen-testing reports easy and to not break your flow. Nothing worse that being in the zone and then have stop to mess with report formatting or ensuring you capture all the right data in your notes to use later. With Faction you can just add the issues as you find them and move on with your pentest.
","tags":["burpsuite","integrations","api"]},{"location":"Importing%20Your%20Vulnerability%20Templates%20Via%20the%20API/","title":"Importing Your Vulnerability Templates Via the API","text":"You may have developed your own vulnerability templates over the years, or you may prefer editing them in another editor such as Obsidian or Sublime, rather than using the web interface. Regardless of your approach, Faction enables you to upload your templates in CSV and JSON formats via the API. Additionally, reports can be generated in markdown, HTML, or a combination of both.
The api docs can be found on your instance by navigating to https: //YourHost/api-docs:
","tags":["API","Core Features","Vulnerability"]},{"location":"Importing%20Your%20Vulnerability%20Templates%20Via%20the%20API/#generating-an-api-key","title":"Generating an API Key","text":"You must have the API Key
permission on your user to use the API. It it not set by default.
After enabling the setting, you can access your API Key by navigating to your profile, located in the upper right corner of the Faction interface. Simply clicking anywhere inside the API key box will reveal the key to you.
","tags":["API","Core Features","Vulnerability"]},{"location":"Importing%20Your%20Vulnerability%20Templates%20Via%20the%20API/#csv-file-structure","title":"CSV File Structure","text":"Id* Name Category Id* Category Name* Description Recommendation Severity Id Impact Id Likelihood Id active If the ID field is empty, a new vulnerability will be created. If the ID field is populated, it will overwrite the vulnerability with the same ID.
If the Category ID is missing, the categoryName field is required. If a category with the same name exists, the existing category will be used.
If the categoryName does not match an existing category, a new category will be created.
If the Category ID is populated, the Category Name field is ignored.
","tags":["API","Core Features","Vulnerability"]},{"location":"Importing%20Your%20Vulnerability%20Templates%20Via%20the%20API/#example-1-create-a-new-vulnerability-template-in-csv","title":"Example 1: Create a New Vulnerability Template in CSV","text":"Example CSV
,\"Cross Site Scripting\",, Unvalidated Input, \"XSS is Bad and stuff..\\n```\\nCode snippet\\n```\", \"Fix it! here is a link [here](https://www.a.b.com)\", 4, 4,4,true\n
The provided example will create a new template for cross-site scripting. Here are a few key points to note:
-
The first column (ID column) is left blank. Since there is no ID specified, a new template will be created.
-
The third column (Category ID) is also blank, so Faction will refer to the fourth column (Category Name). If Unvalidated Input
is not already a category in Faction, it will be created.
-
The Description and Recommendation fields are written in markdown syntax. Ensure that these columns are enclosed in double quotes (\"
) and that new lines are properly escaped (\\n
).
-
The severity IDs must correspond to the severity levels configured in Faction. You can find these numbers in Admin->Settings-> Risk Level Settings. The default severity levels are: Critical (5), High (4), Medium (3), Low (2), Recommended (1), Informational (0). Ensure that the severity IDs match these levels accordingly.
Submit through the API
curl -X 'POST' \\ \n'http://localhost:8080/api/vulnerabilities/csv/default' \\ \n-H 'accept: application/json' \\ \n-H 'FACTION-API-KEY: 6be51daa-6f6f-42d3-8b04-b924a0045eff' \\ \n-H 'Content-Type: text/plain' \\ \n-d ',\"Cross Site Scripting\",, Unvalidated Input, \"XSS is Bad and stuff..\\n```\\nCode snippet\\n```\", \"Fix it! here is a link [here](https://www.a.b.com)\", 4, 4,4,true'\n
","tags":["API","Core Features","Vulnerability"]},{"location":"Importing%20Your%20Vulnerability%20Templates%20Via%20the%20API/#example-2-updating-a-vulnerability-template-in-csv","title":"Example 2: Updating a Vulnerability Template in CSV","text":"First, you need to download the current list of vulnerabilities from the API.
Get a CSV List of Default Vulnerabilities
curl -X 'GET' \\ \n'http://localhost:8080/api/vulnerabilities/csv/default' \\ \n-H 'accept: text/csv' \\ \n-H 'FACTION-API-KEY: 6be51daa-6f6f-42d3-8b04-b924a0045eff'\n
Example Response:
\"2\",\"Generic Vulnerability\",\"2\",\"Uncategorized\",\"\",\"\",\"4\",\"4\",\"4\",\"true\" \"18\",\"Cross Site Scripting\",\"4\",\"Unvalidated Input\",\"<p>XSS is Bad and stuff..</p> <pre><code>Code snippet </code></pre> <br />\",\"<p>Fix it! here is a link <a href=\"\"https://www.a.b.com\"\">here</a></p> <br />\",\"4\",\"4\",\"4\",\"true\"\n
Now to Update a Template Let's update the Cross Site Scripting Template by changing the description to the following.
XSS is fun to exploit with this code snippet\\n ```\\nSnipity snip\\n```\n
The API Request would look like this:
curl -X 'POST' \\ \n'http://localhost:8080/api/vulnerabilities/csv/default' \\ \n-H 'accept: application/json' \\ \n-H 'FACTION-API-KEY: 6be51daa-6f6f-42d3-8b04-b924a0045eff' \\ \n-H 'Content-Type: text/plain' \\ \n-d '\"18\",\"Cross Site Scripting\",\"4\",\"Unvalidated Input\",\"XSS is fun to exploit with this code snippet\\n ```\\nSnipity snip\\n```\",\"<p>Fix it! here is a link <a href=\"\"https://www.a.b.com\"\">here</a></p> <br />\",\"4\",\"4\",\"4\",\"true\"'\n
Now if we pull the list again the results look like this: Request
curl -X 'GET' \\ \n'http://localhost:8080/api/vulnerabilities/csv/default' \\ \n-H 'accept: text/csv' \\ \n-H 'FACTION-API-KEY: 6be51daa-6f6f-42d3-8b04-b924a0045eff'\n
Response
\"2\",\"Generic Vulnerability\",\"2\",\"Uncategorized\",\"\",\"\",\"4\",\"4\",\"4\",\"true\" \"18\",\"Cross Site Scripting\",\"4\",\"Unvalidated Input\",\"<p>XSS is fun to exploit with this code snippet</p> <pre><code>Snipity snip </code></pre> <br />\",\"<p>Fix it! here is a link <a href=\"\"https://www.a.b.com\"\">here</a></p> <br /> <br />\",\"4\",\"4\",\"4\",\"true\"\n
","tags":["API","Core Features","Vulnerability"]},{"location":"Importing%20Your%20Vulnerability%20Templates%20Via%20the%20API/#json-file-structure","title":"JSON File Structure","text":" [\n {\n \"Id\": 2,\n \"Name\": \"Generic Vulnerability\",\n \"CategoryId\": 2,\n \"CategoryName\": \"Uncategorized\",\n \"Description\": \"\",\n \"Recommendation\": \"\",\n \"SeverityId\": 4,\n \"LikelihoodId\": 4,\n \"ImpactId\": 4,\n \"Active\": true\n }\n ]\n
If the ID is missing, a new vulnerability will be created. If the ID is populated, it will overwrite the vulnerability with the same ID.
If the Category ID is missing, the categoryName is required. If a category with the same name exists, the existing category will be used.
If the categoryName does not match an existing category, a new category will be created.
If the Category ID is populated, the Category Name field is ignored.
","tags":["API","Core Features","Vulnerability"]},{"location":"Importing%20Your%20Vulnerability%20Templates%20Via%20the%20API/#example-1-create-all-new-vulnerability-template-in-json","title":"Example 1: Create All New Vulnerability Template in JSON","text":"Example JSON
[\n {\n \"Name\": \"Cross Site Scripting\",\n \"CategoryName\": \"Unvalidated Input\",\n \"Description\": \"XSS is Bad and stuff..\\n```\\nCode snippet\\n```\",\n \"Recommendation\": \"Fix it! here is a link [here](https://www.a.b.com)\",\n \"LikelihoodId\": 4,\n \"ImpactId\": 4,\n \"SeverityId\": 4,\n \"Active\": true\n }\n]\n
The provided example will create a new template for cross-site scripting. Here are a few key points to note:
-
The ID is missing. Since there isn't an ID to relate it, a new template will be created.
-
The CategoryId is missing, so Faction will need to look at the CategoryName. If Unvalidated Input
is not already a category, then Faction will create it.
-
The Description and Recommendation fields are written in markdown syntax.
-
Ensure that the severity IDs match the severity levels you have set in Faction. You can find these numbers in Admin->Settings-> Risk Level Settings. The defaults are Critical (5), High (4), Medium (3), Low (2), Recommended (1), Informational (0).
The API Request looks like this to add this vulnerability template:
curl -X 'POST' \\ \n'http://localhost:8080/api/vulnerabilities/default' \\ \n-H 'accept: application/json' \\ \n-H 'FACTION-API-KEY: a0d2fff7-7462-458c-ba7b-d93d99b7280a' \\ \n-H 'Content-Type: application/json' \\ \n-d '[ \n { \n \"Name\": \"Cross Site Scripting\", \n \"CategoryName\": \"Unvalidated Input\", \n \"Description\": \"XSS is Bad and stuff..\\n```\\nCode snippet\\n```\",\n \"Recommendation\": \"Fix it! here is a link [here](https://www.a.b.com)\",\n \"LikelihoodId\": 4, \n \"ImpactId\": 4, \n \"SeverityId\": 4, \n \"Active\": true \n } \n]'\n
","tags":["API","Core Features","Vulnerability"]},{"location":"Importing%20Your%20Vulnerability%20Templates%20Via%20the%20API/#example-2-updating-a-vulnerability-template-in-json","title":"Example 2: Updating a Vulnerability Template in JSON","text":"First, you need to download the current list of vulnerabilities from the API.
Get a JSON List of Default Vulnerabilities
curl -X 'GET' \\ \n'http://localhost:8080/api/vulnerabilities/default' \\ \n-H 'accept: application/json' \\ \n-H 'FACTION-API-KEY: a0d2fff7-7462-458c-ba7b-d93d99b7280a'\n
Response:
[\n {\n \"CategoryId\": 2,\n \"ImpactId\": 4,\n \"Active\": true,\n \"Description\": \"\",\n \"CategoryName\": \"Uncategorized\",\n \"LikelihoodId\": 4,\n \"Id\": 2,\n \"Recommendation\": \"\",\n \"SeverityId\": 4,\n \"Name\": \"Generic Vulnerability\"\n },\n {\n \"CategoryId\": 4,\n \"ImpactId\": 4,\n \"Active\": true,\n \"Description\": \"XSS is Bad and stuff..\\n```\\nCode snippet\\n```\",\n \"CategoryName\": \"Unvalidated Input\",\n \"LikelihoodId\": 4,\n \"Id\": 5,\n \"Recommendation\": \"Fix it! here is a link [here](https://www.a.b.com)\",\n \"SeverityId\": 4,\n \"Name\": \"Cross Site Scripting\"\n }\n]\n
Now to Update a Template Let's update the Cross-Site Scripting Template by changing the description to the following.
XSS is fun to exploit with this code snippet\\n ```\\nSnipity snip\\n```\n
The API Request would look like this:
curl -X 'POST' \\\n 'http://localhost:8080/api/vulnerabilities/default' \\\n -H 'accept: application/json' \\\n -H 'FACTION-API-KEY: a0d2fff7-7462-458c-ba7b-d93d99b7280a' \\\n -H 'Content-Type: application/json' \\\n -d '[ {\n \"CategoryId\": 4,\n \"ImpactId\": 4,\n \"Active\": true,\n \"Description\": \"XSS is fun to exploit with this code snippet\\n ```\\nSnipity snip\\n```\",\n \"CategoryName\": \"Unvalidated Input\",\n \"LikelihoodId\": 4,\n \"Id\": 5,\n \"Recommendation\": \"Fix it! here is a link [here](https://www.a.b.com)\",\n \"SeverityId\": 4,\n \"Name\": \"Cross Site Scripting\"\n }]'\n
Now if we pull the list again the results look like this: Request
curl -X 'GET' \\ \n'http://localhost:8080/api/vulnerabilities/default' \\ \n-H 'accept: text/csv' \\ \n-H 'FACTION-API-KEY: 6be51daa-6f6f-42d3-8b04-b924a0045eff'\n
Response
[\n {\n \"CategoryId\": 2,\n \"ImpactId\": 4,\n \"Active\": true,\n \"Description\": \"\",\n \"CategoryName\": \"Uncategorized\",\n \"LikelihoodId\": 4,\n \"Id\": 2,\n \"Recommendation\": \"\",\n \"SeverityId\": 4,\n \"Name\": \"Generic Vulnerability\"\n },\n {\n \"CategoryId\": 4,\n \"ImpactId\": 4,\n \"Active\": true,\n \"Description\": \"<p>XSS is fun to exploit with this code snippet</p>\\n<pre><code>Snipity snip\\n</code></pre>\\n<br />\",\n \"CategoryName\": \"Unvalidated Input\",\n \"LikelihoodId\": 4,\n \"Id\": 5,\n \"Recommendation\": \"<p>Fix it! here is a link <a href=\\\"https://www.a.b.com\\\">here</a></p>\\n<br />\",\n \"SeverityId\": 4,\n \"Name\": \"Cross Site Scripting\"\n }\n]\n
","tags":["API","Core Features","Vulnerability"]},{"location":"Importing%20Your%20Vulnerability%20Templates%20Via%20the%20API/#using-swagger","title":"Using Swagger","text":"Instead of using CURL as show above you can use the API docs pages to submit directly to your API to test things out.
Just navigate to https: //YourHost/api-docs
and select any of the API's available. You will need your API Key that can be found in your profile.
Below is an example of using swagger to update a Template with JSON.
","tags":["API","Core Features","Vulnerability"]},{"location":"Integrate%20Faction%20into%20OIDC%20Solutions/","title":"Integrate Faction into OIDC Solutions","text":"Faction seamlessly integrates with your existing enterprise authentication solutions, ensuring a smooth and secure user experience. Leveraging widely adopted solutions such as LDAP and OIDC, Faction effortlessly integrates into any enterprise environment. Our platform is designed to adapt to your authentication infrastructure, providing a hassle-free implementation process and enhancing the overall efficiency of your organization\u2019s security framework. With Faction, you can trust in a unified and streamlined authentication experience tailored to your enterprise needs.
The article will walk through the steps needed to integrate\u00a0Faction\u00a0into\u00a0Google Auth, Auth0, or Ping Identity
","tags":["Authentication","Core Features"]},{"location":"Integrate%20Faction%20into%20OIDC%20Solutions/#google-oidc-setup","title":"Google OIDC Setup","text":" - Log into your company\u2019s\u00a0Google API Console.
- Click on\u00a0Credentials\u00a0from the left navigation.
- Click\u00a0+ Create Credentials\u00a0from the top navigation.
- Select\u00a0OAuth Client ID.
- Select\u00a0Web Application\u00a0as the application type.
- Name the application something specific like\u00a0Faction OIDC Integration.\u00a0But the name does not matter.
- Under\u00a0Authorized redirect URLs\u00a0click\u00a0+ ADD URI.
- Enter the domain of your Faction Instance and append\u00a0/oauth/callback?client_name=OidcClient\u00a0to the path. Example: If you used Faction to host the site your URL would look like this: https://furry-hyena-1111.factionsecurity.com/oauth/callback?client_name=OidcClient
- Then Click\u00a0Create.
- Take Note of the\u00a0Client Id\u00a0and\u00a0Client Secret. This will be used later in the Faction Admin Section.
Your Setup should look like the following:
","tags":["Authentication","Core Features"]},{"location":"Integrate%20Faction%20into%20OIDC%20Solutions/#auth0-oauth-setup","title":"Auth0 OAuth Setup","text":" - Log into your\u00a0Auth0 Console.
- Select\u00a0Applications\u00a0in the left navigation.
- Click\u00a0+ Create Application
- Select\u00a0Regular Web Application.
- Name it something like\u00a0Faction OAuth Integration.
- Click\u00a0Create.
- Ignore the Quick Start screen and Click\u00a0Settings.
- In the\u00a0Allowed Callback URLs, enter the domain of your Faction Instance and append\u00a0/oauth/callback?client_name=OidcClient\u00a0to the path. Example: If you used\u00a0Faction\u00a0to host the site your URL would look like: https://furry-hyena-1111.factionsecurity.com/oauth/callback?client_name=OidcClient
- Take Note of the\u00a0Client Id\u00a0and\u00a0Client Secret. This will be used later in the Faction Admin.
- Scroll down to the bottom and Click\u00a0Advanced\u00a0and then\u00a0Endpoints
- Take note of the\u00a0OpenId Configuration\u00a0URL
","tags":["Authentication","Core Features"]},{"location":"Integrate%20Faction%20into%20OIDC%20Solutions/#ping-identity-setup","title":"Ping Identity Setup","text":" - Log into Ping Identity Console
- Select Applications.
- Add a New Application.
- Give the Application a name like Faction.
- Select OIDC Web App.
- Click Save.
- Open the newly created application and select the Configuration tab:
- Click the Edit Button in the upper right corner
- Scroll down to the Redirect URI Section and enter your Host Name with the path
/oauth/*
. (Example: https://furry-hyena-1111.factionsecurity.com/oauth/*
) - Click Enable Redirect Patterns.
- Click Save.
- Scroll up to the top of the configuration.
- Expend URLs and take note of the the OIDC Discovery Endpoint. This will be used later in the Configure Faction Section.
- Take Note of the Client Id and the Client Secret. These will be used in the Configure Faction Section
- Click the Attribute Mappings tab.
- Add email as an attribute.
- Click Save.
","tags":["Authentication","Core Features"]},{"location":"Integrate%20Faction%20into%20OIDC%20Solutions/#configure-faction","title":"Configure Faction","text":" - Log into\u00a0Faction\u00a0as an admin user.
- Navigate to\u00a0Admin\u00a0->\u00a0Users.
- In the\u00a0OAuth2.0 Configuration\u00a0enter the Client Id you noted earlier from either Auth0, Google, or Ping.
- Enter the\u00a0Client Secret\u00a0you noted earlier.
- Enter the\u00a0Discovery URL\u00a0as follows:
- Google: https://accounts.google.com/.well-known/openid-configuration
- Auth0:\u00a0Enter the\u00a0Open Id Configuration\u00a0URL you noted in step 11 above.
- Ping: Enter the OIDC Discovery Endpoint from step 13 above.
- Click\u00a0Save
","tags":["Authentication","Core Features"]},{"location":"Integrate%20Faction%20into%20OIDC%20Solutions/#adding-an-oauth-user","title":"Adding an OAuth User","text":" - Under\u00a0Admin -> Users, Click\u00a0Add User.
- The Username should be part of the user\u2019s email address before the @ symbol. If the email is\u00a0test.user@yourcompany.com\u00a0then the username is test.user
- \u2b50\ufe0fLeave the Password Field Blank.\u2b50\ufe0f
- Enter the\u00a0First\u00a0and\u00a0Last\u00a0name.
- Enter the\u00a0email\u00a0address that is used by the OAuth solution to authenticate the user.
- Select\u00a0OAuth 2.0\u00a0as the Authentication Method.
- Click\u00a0Save Changes.
When the new user reaches the Login Screen they can enter just their username without a password and click\u00a0Login. Faction will redirect the user to the configured Authentication Provider and redirect back.
","tags":["Authentication","Core Features"]},{"location":"Managed%20FACTION%20Setup/","title":"Managed FACTION Setup","text":"Below are the Minimal Faction Setup Instructions required to get you all set up and ready to start collaborating on assessments in just a few minutes. With a Faction managed account, we host the servers and maintain the updates for you. Your instance will be hosted in a single-tenant environment to ensure your data is secure. With just a few clicks you will be up and running in minutes.
","tags":["Cloud Hosted","Setup"]},{"location":"Managed%20FACTION%20Setup/#create-your-managed-account","title":"Create Your Managed Account","text":"Every account that gets created will get its own single-tenant instance. To create a new instance go to\u00a0https://portal.factionsecurity.com,\u00a0Create an Account, and Select a tier that meets your team's needs.
This will begin creating your instance of Faction. Wait until the spinner shows a green checkbox before you attempt to access your site. You can then click the URL in the site list to take you to your new Faction Instance.
","tags":["Cloud Hosted","Setup"]},{"location":"Managed%20FACTION%20Setup/#create-an-admin-user","title":"Create an Admin User","text":"The first time you access Faction you will be presented with a page to create your admin account. Here you need to enter basic information about the user and the option to create a team.\u00a0Hacking Team\u00a0is the default.
","tags":["Cloud Hosted","Setup"]},{"location":"Managed%20FACTION%20Setup/#adding-default-vulnerability-templates","title":"Adding Default Vulnerability Templates","text":"The Faction Default vulnerability database is what makes generating reports quick and painless for pen-testing teams. You can upload your templates or start with an open-source list from\u00a0https://github.com/factionsecurity/data
To add the VulnDB data into Faction just navigate to\u00a0Admin->\u00a0Default Vulnerabilities\u00a0and click\u00a0Update from VulnDB. This will import all of their vulnerabilities and set default Categories for the vulnerabilities.
","tags":["Cloud Hosted","Setup"]},{"location":"Managed%20FACTION%20Setup/#setting-custom-risk-levels-optional","title":"Setting Custom Risk Levels (Optional)","text":"By default, Faction adds\u00a0Critical,\u00a0High,\u00a0Medium,\u00a0Low,\u00a0Recommended, and\u00a0Informational\u00a0risk levels but you have up to 9 that can be set and the defaults can be changed to anything that works for your environment. For instance,\u00a0Critical\u00a0can be changed to\u00a0Priority 1.
","tags":["Cloud Hosted","Setup"]},{"location":"Managed%20FACTION%20Setup/#vulnerability-tracking-and-remediation-slas","title":"Vulnerability Tracking and Remediation SLAs","text":"Different Tiers allow enhanced features within Faction. The\u00a0Teams Tier\u00a0and above have verification and vulnerability tracking enabled. In\u00a0Admin Settings\u00a0you can set custom times to alert when the vulnerability needs to be remediated based on its risk setting. For instance, you can set a reminder that a\u00a0Critical\u00a0vulnerability needs to be remediated 30 days after it's reported and set a past due date of 60 days. This will trigger Faction to alert the correct teams that important issues are close to being past due to ensure issues get closed on time and are never forgotten.
Any values that are missing a date will not be tracked by Faction.
","tags":["Cloud Hosted","Setup"]},{"location":"Managed%20FACTION%20Setup/#assessment-checklists","title":"Assessment Checklists","text":"For some assessments, you will want to add checklists to ensure all critical issues are tested. Below is an example of some potential checks that might need to happen on every assessment to ensure applications are tested consistently.
Once the above is created it will be available in assessments where the assessor can pass/fail the checklist item and even add notes related to why it failed or why it\u2019s not necessary for the application being tested.
","tags":["Cloud Hosted","Setup"]},{"location":"Managed%20FACTION%20Setup/#additional-configuration-options","title":"Additional Configuration Options","text":"The higher-level tiers allow you to configure other options like LDAP and OAuth. You can find additional information below on these settings:
- Integrate Faction Into OAuth Solutions
- Customizing Faction for Self Hosting
- Extending Faction
","tags":["Cloud Hosted","Setup"]},{"location":"Remediation%20Tracking%2C%20Custom%20SLAs%2C%20Retests/","title":"Remediation Tracking, Custom SLAs, Retests","text":"FACTION has remediation tracking built in! When you close out an assessment all the vulnerabilities in that assessment start tracking based on your custom SLAs. With the custom SLAs you can set reminders when a vulnerabilities is approaching a due data and another when the it is past due.
","tags":["Remediation","Retests","Core Features"]},{"location":"Remediation%20Tracking%2C%20Custom%20SLAs%2C%20Retests/#setting-custom-slas","title":"Setting Custom SLAs","text":"Navigate to Templates -> Default Vulnerabilities. Here you find a table that lets you set your vulnerability tracking times.
Each vulnerability severity level will have a Warning date and a Past Due date. These are measured in days after the assessment is completed. All empty inputs represent Untracked issues.
In the above screenshot, Critical vulnerabilities will have a remediation due date that is 60 days and a warning set at 30 days after the assessment is completed. High vulnerabilities are expected to be remediated in 120 days and have a warning at 60 days after assessment completion. Note that all other vulnerabilities are not tracked by FACTION because the inputs are all blank.
","tags":["Remediation","Retests","Core Features"]},{"location":"Remediation%20Tracking%2C%20Custom%20SLAs%2C%20Retests/#remediation-dashboards-and-retests","title":"Remediation Dashboards and Retests","text":"You can see the status of all past and approaching due dates in the Remediation Queue.
This dashboard allows assessment teams to easily see all issues that require remediation and the current state of the vulnerability.
In the above screenshot, there is one issue that is Past Due and several others that are close to being past due. Clicking on the past due issue lets you easily schedule it for retest as shown below:
","tags":["Remediation","Retests","Core Features"]},{"location":"Remediation%20Tracking%2C%20Custom%20SLAs%2C%20Retests/#adding-follow-up-notes","title":"Adding Follow Up Notes","text":"You can add notes to all tracked vulnerabilities. You can add follow-up notes from the development teams, annotate delays in schedules, or other information you might need later to stay on top of the remediation.
The Note History stores not only notes but also tracks the passing and failing of retests.
","tags":["Remediation","Retests","Core Features"]},{"location":"Self-Hosted%20FACTION%20Setup/","title":"Self Hosted FACTION Setup","text":"If you decide to self-host Faction instead of using the\u00a0Managed Solution\u00a0then you will need to ensure you include the proper Environment variables so that Faction integrates into your environment.
","tags":["Self Hosted","Setup"]},{"location":"Self-Hosted%20FACTION%20Setup/#requirements","title":"Requirements","text":" - Tomcat 9
- Java 11
- Mongo 7
- maven
","tags":["Self Hosted","Setup"]},{"location":"Self-Hosted%20FACTION%20Setup/#option-1-docker-compose","title":"Option 1: Docker Compose","text":"Download the code from GitHub and run the following commands
git clone git@github.com:factionsecurity/faction.git\ncd faction\nmvn clean compile war:war\ndocker-compose up --build\n
","tags":["Self Hosted","Setup"]},{"location":"Self-Hosted%20FACTION%20Setup/#updating-faction","title":"Updating Faction","text":"New releases can be found here. You can either pull a new release of Faction and build it yourself as shown above or If you don't want to perform the Maven install you can download the faction.war
file directly and put it into the targets folder.
","tags":["Self Hosted","Setup"]},{"location":"Self-Hosted%20FACTION%20Setup/#option-2-install-tomcat-and-mongo","title":"Option 2: Install Tomcat and Mongo","text":"Check back, instructions will be updated soon
","tags":["Self Hosted","Setup"]},{"location":"Self-Hosted%20FACTION%20Setup/#custom-environment-variables","title":"Custom Environment Variables","text":"## Mongo Database configs \n\nFACTION_MONGO_HOST=127.0.0.1. #requireed \nFACTION_MONGO_DATABASE=faction #required \nFACTION_MONGO_USER=faction_mongo_user #optional \nFACTION_MONGO_PASSWORD=faction_mongo_pass #optional \nFACTION_MONGO_AUTH_DATABASE=admin #optional \n\nFACTION_SECRET_KEY=faction_encryption_key #required \n\nFACTION_REPORT_STORAGE=aws #optional \nFACTION_BUCKET_NAME=your-bucket #optional \nFACTION_TIER=teams #required \nFACTION_USERS=100 #optional \n\nFACTION_SMTP_SERVER=smtp.server.com #optional \nFACTION_SMTP_USER=sysadmin #optional \nFACTION_SMTP_PORT=587 #optional\n
","tags":["Self Hosted","Setup"]},{"location":"Self-Hosted%20FACTION%20Setup/#mongo-database-variables","title":"Mongo Database Variables","text":" - FACTION_MONGO_HOST\u00a0(Required): This is the hostname or ip address where your mongo database i location
- FACTION_MONGO_DATABASE\u00a0(Required): The name of the mongo database. This can be anything you want. On initial loading of the application it will create the database and all collections.
- FACTION_MONGO_USER\u00a0(O_ptional_): If you use authentication (and you should) then this user has access to the database.
- FACTION_MONGO_PASSWORD\u00a0(Optional): Only required if you use the FACTION_MONGO_USER environment variable.
- FACTION_MONGO_AUTH_DATABASE\u00a0(Optional): The default authentication database is\u00a0admin.\u00a0If you want to use another then you can use this variable.
","tags":["Self Hosted","Setup"]},{"location":"Self-Hosted%20FACTION%20Setup/#other-variables","title":"Other Variables","text":" - FACTION_SECRET_KEY\u00a0(Required): This is the key used for all symmetric key encryption.
- FACTION_REPORT_STORAGE\u00a0(Optional): This variable has two options:\u00a0local\u00a0or\u00a0aws. If you include\u00a0aws\u00a0then you also need to set\u00a0AWS_ACCESS_KEY_ID\u00a0and\u00a0AWS_SECRET_ACCESS_KEY\u00a0and create the an s3 bucket location in AWS.\u00a0You can also use IAM permissions instead of including the AWS Keys. When using\u00a0local\u00a0\u00a0the default directory location is\u00a0/opt/faction.\u00a0If this variable is not set,\u00a0local\u00a0will be used as default.
- FACTION_BUCKET_NAME\u00a0(Optional): S3 Bucket Name to to store Faction files.
- FACTION_TIER\u00a0(Required): Only use the value\u00a0team\u00a0here
- FACTION_USERS\u00a0(Required): The user limit. you can set this to any value that makes sense for your organization.
","tags":["Self Hosted","Setup"]},{"location":"Self-Hosted%20FACTION%20Setup/#email-variables","title":"Email Variables","text":"These settings (FACTION_SMTP_SERVER, FACTION_SMTP_USER< FACTION_SMTP_PORT) are just used for the initial setup of Faction. They will be overridden when you save or test emails in the admin settings pages. This is useful for doing deployments in Kubernetes or ECS.
","tags":["Self Hosted","Setup"]},{"location":"Table%20of%20Contents%20Numbering/","title":"Table of Contents Numbering","text":"Faction's open-source versions will not automatically update the Table of Contents page numbering though the hyperlinks all work as expected. You can do this manually by clicking the table and selecting Update Field on the generated report.
The enterprise versions of Faction will automatically update the numbering for you as well as provide other additional reporting features like different finding sections (i.e. Application Security Pen Test Findings Section and Network Security Findings Section) and DOCX and PDF export options.
Contact us here to learn more.
","tags":["Reporting","Enterprise","Paid Feature","Managed"]},{"location":"Using%20Markdown%20in%20Reports/","title":"Using Markdown in Reports","text":"When exploiting a vulnerability in a penetration test it is important to capture your attack steps quickly and thoroughly so you don't have to spend extra time remembering and re-validating what you did when it's time to report on the finding. Nothing can break your flow more than having to stop what you are doing to format text, fix hyperlinks, or build numbered lists of steps. Markdown is one of the quickest ways to type formatted text and capture these details effortlessly.
Pro Tip!
The API fully supports Markdown. This makes it easy to develop automated tools that can add issues or other text to Faction with formatted text via the API.
Faction supports markdown by default in all editors. Here are some examples of how you can use markdown:
","tags":["Markdown","Reporting","Core Features","Burp Suite"]},{"location":"Using%20Markdown%20in%20Reports/#exploit-steps","title":"Exploit Steps","text":"Entering exploit steps is easier with markdown. You can enter the following text and it will automatically show you the formated view on the right.
__Steps to Reproduce__:\n1. Go to the home page.\n2. Click Login.\n3. Enter `<script>alert(123);</script>` in the username parameter. \n
","tags":["Markdown","Reporting","Core Features","Burp Suite"]},{"location":"Using%20Markdown%20in%20Reports/#faction-burp-suite-extension","title":"Faction Burp Suite Extension","text":"If you find a vulnerability while using the Faction Burp extension, you can add the finding and all details directly through the extension. Below is an example of cross-site scripting:
In Burp Suite, select the request and select Add New Finding:
A dialog box will open that lets you search for the vulnerability type (in this case Cross Site Scripting) and allow you to enter your details on how to recreate the exploit.
Now if we navigate back into Faction and view the details we will see the exploit steps displayed in rich text.
","tags":["Markdown","Reporting","Core Features","Burp Suite"]},{"location":"Using%20the%20Faction%20Burp%20Suite%20Extension/","title":"Using the Faction Burp Suite Extension","text":"The Faction BurpSuite Extension makes much of what is available in the Web UI available right inside Burp Suite. With this extension, you can:
- Access all assessments and retests assigned to you
- Access Assessment notes
- Create and update findings
- Extract parts of the request and responses to add to the assessment report
- Add finding details in markdown
- Replay requests you or other assessors have reported
","tags":["Burp Suite","API","Penetration Testing"]},{"location":"Using%20the%20Faction%20Burp%20Suite%20Extension/#configure-the-extension","title":"Configure the Extension","text":"You can download the extension here . We also hoping to have it added to the BApp store soon.
Once installed in Burp, Navigate to the config tab. You need two things to configure:
- Your API key- This can be found in the Faction Web UI, under your profile (top upper right). If you do not have an API key then your administrator needs to give you the API permission.
- API URL - The API URL is most commonly something like
https://myserver.com/api
. If you login to something different like http://myserver.com:8080/myfaction
, then your API URL will be http://myserver.com:8080/myfaction/api
Once configured, It should look something like this:
","tags":["Burp Suite","API","Penetration Testing"]},{"location":"Using%20the%20Faction%20Burp%20Suite%20Extension/#severity-mapping","title":"Severity Mapping","text":"Severity Mapping is used to convert vulnerability severities that Burp Suite Reports to the custom severities you set in Faction. More on setting custom severities can be found here
Let's say your process requires that Criticals are called P1s and Highs are called P2s. Burp's Vulnerability Scanner finds a Critical issue that you want to report in Faction. You can now simply right-click the finding and add it to Faction and the extension will map the Critical to P1.
","tags":["Burp Suite","API","Penetration Testing"]},{"location":"Using%20the%20Faction%20Burp%20Suite%20Extension/#viewing-the-queues","title":"Viewing the Queues","text":"When you select Queues you will see both your assessments (left) and retests (right) queue. You can select an item in either table to view the data. This gives you all the information you need to start your assessment or verification without even logging into the Web UI.
","tags":["Burp Suite","API","Penetration Testing"]},{"location":"Using%20the%20Faction%20Burp%20Suite%20Extension/#selecting-an-assessment","title":"Selecting an Assessment","text":"From the Queues page, select your currently working assessment. This will set this assessment as the default assessment for all other dialog boxes, for example when adding a new vulnerability it will be reported in this assessment.
Once you select the assessment in the table, click Assessment. Now you will see the scope and shared notes about the assessment.
This keeps all the common information about the assessment handy, like in-scope URLs, test credentials, and even notes you want to share with other assessors on the same project.
","tags":["Burp Suite","API","Penetration Testing"]},{"location":"Using%20the%20Faction%20Burp%20Suite%20Extension/#enter-a-new-finding","title":"Enter a New Finding","text":"","tags":["Burp Suite","API","Penetration Testing"]},{"location":"Using%20the%20Faction%20Burp%20Suite%20Extension/#update-an-existing-finding","title":"Update an Existing Finding","text":"","tags":["Burp Suite","API","Penetration Testing"]},{"location":"Using%20the%20Faction%20Burp%20Suite%20Extension/#selecting-a-retest","title":"Selecting a Retest","text":"","tags":["Burp Suite","API","Penetration Testing"]},{"location":"tags/","title":"Tags","text":"","tags":[]},{"location":"tags/#api","title":"API","text":" - Faction App Store Extensions
- Importing Your Vulnerability Templates Via the API
- Using the Faction Burp Suite Extension
- App Store Extension API
- JIRA App Integration Example
- REST API
","tags":[]},{"location":"tags/#app-store","title":"App Store","text":" - Faction App Store Extensions
- App Store Extension API
- JIRA App Integration Example
- Faction App Store
","tags":[]},{"location":"tags/#authentication","title":"Authentication","text":" - Integrate Faction into OIDC Solutions
","tags":[]},{"location":"tags/#boilerplate","title":"Boilerplate","text":"","tags":[]},{"location":"tags/#burp-suite","title":"Burp Suite","text":" - Using Markdown in Reports
- Using the Faction Burp Suite Extension
","tags":[]},{"location":"tags/#cvss","title":"CVSS","text":" - Faction Severity Rating and CVSS Scoring
","tags":[]},{"location":"tags/#cloud-hosted","title":"Cloud Hosted","text":"","tags":[]},{"location":"tags/#core-features","title":"Core Features","text":" - Faction Severity Rating and CVSS Scoring
- Importing Your Vulnerability Templates Via the API
- Integrate Faction into OIDC Solutions
- Remediation Tracking, Custom SLAs, Retests
- Using Markdown in Reports
- Faction Boilerplates
","tags":[]},{"location":"tags/#customize","title":"Customize","text":" - Custom Security Report Templates
- Custom Variables
","tags":[]},{"location":"tags/#customizing","title":"Customizing","text":"","tags":[]},{"location":"tags/#enterprise","title":"Enterprise","text":" - Table of Contents Numbering
","tags":[]},{"location":"tags/#managed","title":"Managed","text":" - Table of Contents Numbering
","tags":[]},{"location":"tags/#markdown","title":"Markdown","text":" - Using Markdown in Reports
","tags":[]},{"location":"tags/#paid-feature","title":"Paid Feature","text":" - Table of Contents Numbering
","tags":[]},{"location":"tags/#penetration-testing","title":"Penetration Testing","text":" - Using the Faction Burp Suite Extension
","tags":[]},{"location":"tags/#remediation","title":"Remediation","text":" - Remediation Tracking, Custom SLAs, Retests
","tags":[]},{"location":"tags/#reporting","title":"Reporting","text":" - Custom Security Report Templates
- Custom Variables
- Table of Contents Numbering
- Using Markdown in Reports
- How To Generate a Vulnerability Report in Faction
","tags":[]},{"location":"tags/#retests","title":"Retests","text":" - Remediation Tracking, Custom SLAs, Retests
","tags":[]},{"location":"tags/#self-hosted","title":"Self Hosted","text":" - Self Hosted FACTION Setup
","tags":[]},{"location":"tags/#setup","title":"Setup","text":" - Managed FACTION Setup
- Self Hosted FACTION Setup
","tags":[]},{"location":"tags/#variables","title":"Variables","text":" - Custom Security Report Templates
","tags":[]},{"location":"tags/#vulnerability","title":"Vulnerability","text":" - Faction Severity Rating and CVSS Scoring
- Importing Your Vulnerability Templates Via the API
","tags":[]},{"location":"tags/#api_1","title":"api","text":" - How to Use BurpSuite with Faction
","tags":[]},{"location":"tags/#burpsuite","title":"burpsuite","text":" - How to Use BurpSuite with Faction
","tags":[]},{"location":"tags/#hello-world","title":"hello world","text":"","tags":[]},{"location":"tags/#integrations","title":"integrations","text":" - How to Use BurpSuite with Faction
","tags":[]},{"location":"APIS/App%20Store%20Extension%20API/","title":"App Store Extension API","text":"","tags":["API","App Store"]},{"location":"APIS/App%20Store%20Extension%20API/#introduction","title":"Introduction","text":"Faction has an API similar to what you might find in BurpSuite Extensions. You can create custom modules in jar files and upload them to the Faction AppStore. Once uploaded, Faction will perform your custom processing when certain events are triggered like finalizing and assessment, creating a report, or failing a retest.
You can even extend things like the Application Inventory Search so that it queries an external database to return results before scheduling assessments.
You can download an example\u00a0Extension here.
Below is a list of the current Hooks:
","tags":["API","App Store"]},{"location":"APIS/App%20Store%20Extension%20API/#faction-extension-apis","title":"Faction Extension APIs","text":"","tags":["API","App Store"]},{"location":"APIS/App%20Store%20Extension%20API/#application-inventory-extension","title":"Application Inventory Extension","text":"public class MyPlugin extends BaseExtension implements com.faction.extender.ApplicationInventory{\n\n @Override\n public InventoryResult[] search(String arg0, String arg1) {\n\n return null;\n }\n}\n
- Triggers on Assessment Scheduling and will then query external sources instead of the local database. - Can search based on Application ID or Application name. It will return an InventoryResult Object (explained later)","tags":["API","App Store"]},{"location":"APIS/App%20Store%20Extension%20API/#assessment-manager-extension","title":"Assessment Manager Extension","text":"public class MyPlugin extends BaseExtension implements com.faction.extender.AssessmentManager{\n\n @Override\n public AssessmentManagerResult assessmentChange(Assessment arg0, List<Vulnerability> arg1, Operation arg2) {\n\n return null;\n }\n\n}\n
Typical use case scenario: When an assessor finalizes an assessment this module can send all the vulnerabilities to another tracking system like JIRA and return the tracking numbers to Faction. - Triggers on Assessment Create, Update, Delete, Finalized, Peer Review Created, Peer Review Complete, Peer Review Accepted
- Accepts the Triggered Assessment and List of vulnerabilities associated with the assessment.
- Returns AssessmentManagerResult, that is the updated Assessment and updated List of vulnerabilities
- If the return object is null Faction will not update locally
","tags":["API","App Store"]},{"location":"APIS/App%20Store%20Extension%20API/#update-reports","title":"Update Reports","text":"public class VulnerabilityBarChart extends BaseExtension implements com.faction.extender.ReportManager {\n\n @Override\n public String reportCreate(Assessment asmt, List<Vulnerability> vulns, String reportText) {\n\n return reportText;\n\n}\n
This method triggers every time a report is created or regenerated. It can be used to for you to add custom variables to reports and update those variables with HTML. An example of this can be found here which demonstrates how to add bar charts to vulnerability reports. - Triggers on report create or regenerate
- Can update Text in reports
- Output can be HTML or raw text
- If returns null then nothing will be changed by this extension
","tags":["API","App Store"]},{"location":"APIS/App%20Store%20Extension%20API/#vulnerability-manager-extension","title":"Vulnerability\u00a0Manager Extension","text":"public class MyPlugin extends BaseExtension extends BaseExtension implements com.faction.extender.VulnerabilityManager{\n\n @Override\n public Vulnerability vulnChange(Assessment arg0, Vulnerability arg1, Operation arg2) {\n // TODO Auto-generated method stub\n return null;\n }\n}\n
Typical use case scenario: When an assessor creates or updates a vulnerability the module can send\u00a0the\u00a0vulnerability to another tracking system like JIRA and return the tracking\u00a0number to Faction. - Triggers on Assessment Create, Update, Delete
- Accepts the Triggered Assessment and vulnerability that is being processed.
- Returns\u00a0the updated vulnerability
- If the return object is null then Faction will not update locally
","tags":["API","App Store"]},{"location":"APIS/App%20Store%20Extension%20API/#verificationretest-manager-extension","title":"Verification(Retest) Manager Extension","text":"public class MyPlugin extends BaseExtension extends BaseExtension implements com.faction.extender.VerificationManager{\n\n @Override\n public void verificationChange(User arg0, Vulnerability arg1, String arg2, Date arg3, Date arg4, Operation arg5) {\n\n }\n}\n
- Triggers on\u00a0Pass, Fail, Cancel, Assigned
- Accepts the Triggered\u00a0Assigned User, Vulnerability Assigned, Start and end dates for the verification.
- Returns\u00a0the updated vulnerability
","tags":["API","App Store"]},{"location":"APIS/App%20Store%20Extension%20API/#additional-resources","title":"Additional Resources","text":" - Building a JIRA Extension
","tags":["API","App Store"]},{"location":"APIS/JIRA%20App%20Integration%20Example/","title":"JIRA App Integration Example","text":"Faction can extend its functionality on the server side. If you are familiar with writing BurpSuite extensions then this process should be somewhat familiar to you. If you are not it\u2019s OK. We will walk through the specifics below.
In this example, we will create a JIRA plugin that will create issues for each vulnerability when the assessment is finalized.
The source code for this example can be\u00a0downloaded here.
","tags":["API","App Store"]},{"location":"APIS/JIRA%20App%20Integration%20Example/#extension-requirements","title":"Extension Requirements","text":" - Create a new Eclipse Maven Java Project.
- Modify your\u00a0pom.xml\u00a0file to enable the Faction Extender API and ensure your manifest includes Title, Version, Author, and URL as shown below.
<project xmlns=\"http://maven.apache.org/POM/4.0.0\"\n xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n xsi:schemaLocation=\"http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd\">\n <modelVersion>4.0.0</modelVersion>\n\n <groupId>faction-jira-extension</groupId>\n <artifactId>faction-jira-extension</artifactId>\n <version>1.0</version>\n <name>Faction Jira Extension</name>\n <dependencies>\n <dependency>\n <groupId>com.factionsecurity</groupId>\n <artifactId>faction-extender</artifactId>\n <version>2.5</version>\n </dependency>\n </dependencies>\n <build>\n <plugins>\n <plugin>\n <artifactId>maven-assembly-plugin</artifactId>\n <configuration>\n <descriptorRefs>\n <descriptorRef>jar-with-dependencies</descriptorRef>\n </descriptorRefs>\n <archive>\n <manifestEntries>\n <Title>${project.name}</Title>\n <Version>${project.version}</Version>\n <Author>Josh Summitt</Author>\n <URL>https://www.factionsecurity.com</URL>\n </manifestEntries>\n </archive>\n </configuration>\n </plugin>\n </plugins>\n </build>\n</project>\n
- Create the following folders and files. They can be empty for now. We will fill this out in the next section below. The maven-assembly-plugin will ensure your manifest is set up correctly for Faction to be able to import your extension with the proper information.
","tags":["API","App Store"]},{"location":"APIS/JIRA%20App%20Integration%20Example/#extension-file-and-folder-requirements","title":"Extension File and Folder Requirements","text":"We need to update the extension resources from Step 3 above. Below is a description of the files.
resources/META-INF/resouces/config.json
: This file is a JSON key-value pair of options you want to be configurable by the end user. These options become input boxes in the Faction App Store UI. resources/META-INF/resources/description.md
: This is the extension description and help files that will be displayed when the extension is loaded in the Faction App Store UI resources/META-INF/resources/logo.png
: This is a PNG log that will be displayed as the Apps icon in the Faction App Store UI resources/META-INF/services/*
: This file is required for Faction to be able to load your extension.
","tags":["API","App Store"]},{"location":"APIS/JIRA%20App%20Integration%20Example/#configjson","title":"config.json","text":"These are the key value pairs that will display in the Faction App Store UI and allow users to make changes that affect the behavior of the extensions. For a Jira plugin you would want the API, the Jira Host and the Jira Username configured. That would look like the following
{\n \"Jira Host\" : {\n \"type\": \"text\",\n \"value\": \"https://yourhost.com\"\n },\n \"Jira API Key\" : {\n \"type\": \"password\",\n \"value\": \"your api key\"\n },\n \"Jira Email\": {\n \"type\" : \"text\",\n \"value\": \"your@email.com\"\n }\n}\n
Any values you set in your extension will be the \"Default\" values that will display to the end user. They can be blank if you do not what to set a predefined value.
The type
attribute can only be text
or password
. password
attributes are not displayed in the UI when the user enters the data and do not get returned to the UI once saved.
","tags":["API","App Store"]},{"location":"APIS/JIRA%20App%20Integration%20Example/#descriptionmd","title":"description.md","text":"This is where you describe your extension to end users and support most markdown elements. You should use this to fully describe what the extension does, why the user should install it, and how the end user should configure it to work correctly.
","tags":["API","App Store"]},{"location":"APIS/JIRA%20App%20Integration%20Example/#logopng","title":"logo.png","text":"This will be the logo in a PNG format that will display as an icon for your project.
","tags":["API","App Store"]},{"location":"APIS/JIRA%20App%20Integration%20Example/#services","title":"services","text":"The resources/META-INF/services/
files have a specific naming convention so that Faction can load your classes. The file must be named one of the following:
com.faction.extender.AssessmentManager
com.faction.extender.ApplicationInventory
com.faction.extender.ReportManager
com.faction.extender.VerificationManager
com.faction.extender.VulnerabilityManager
The content of each file is the name of your class that instantiates this functionality. In this example, we are only triggering the AssessmentManager therefore the file name would be com.faction.extender.AssessmentManager
and the contents of the file would be org.faction.JiraPlugin
","tags":["API","App Store"]},{"location":"APIS/JIRA%20App%20Integration%20Example/#create-the-jira-plugin-class","title":"Create The Jira Plugin Class","text":"Now that the basic set up is complete we can create our Jira Class that actually does something!
Create a Class named\u00a0JiraPlugin\u00a0in\u00a0src/main/java. This class will implement\u00a0\u00a0com.fuse.extender.AssessmentManager\u00a0as shown below. This code will trigger whenever a change happens to an assessment. You can use the\u00a0Operation\u00a0enum to control what happens as different events change the assessment.
package org.faction;\n\npublic class JiraPlugin extends BaseExtension implements com.faction.extender.AssessmentManager{\n @Override\n public AssessmentManagerResult assessmentChange(Assessment assessment, List<Vulnerability> vulnerabilities, Operation arg2) {\n AssessmentManagerResult result = new AssessmentManagerResult();\n return result\n }\n}\n
Note that above it returns\u00a0AssessmentManagerResult.\u00a0This object will update Faction\u2019s database if the values change when this function returns. If you Return\u00a0null\u00a0it will NOT update Faction and only just send/process information.
","tags":["API","App Store"]},{"location":"APIS/JIRA%20App%20Integration%20Example/#send-this-issues-to-jira-on-assessment-finalized","title":"Send this Issues to Jira on Assessment Finalized","text":"Now we have a basic functional block of code we need to make it perform the action of sending all vulnerabilities to Jira only when the assessment is finalized. To do this we create an if statement that checks the Operation enum equals Finalized and then sends the issues with our custom function sendVulnerabilityToJira()
. We then get the tracking ID from Jira and update Faction so the tracking ID's are in sync.
import com.fuse.elements.Assessment;\nimport com.fuse.elements.Vulnerability;\n\npublic class JiraPlugin extends BaseExtension implements com.faction.extender.AssessmentManager{\n\n @Override\n public AssessmentManagerResult assessmentChange(Assessment assessment, List<Vulnerability> vulns, Operation opcode) {\n String project =\"KAN\"; //Default Jira Project Name.\n\n if(opcode == Operation.Finalize) {\n //Integration into vulnerability management system\n for(Vulnerability vuln : vulns) {\n //this can update vulns and send the updated values back into Faction\n String issueId = sendVulnerbilityToJira(vuln, project);\n if(issueId != null) {\n vuln.setTracking(issueId); //Update Faction's Tracking ID\n }\n }\n }\n AssessmentManagerResult result = new AssessmentManagerResult();\n result.setAssessment(assessment);\n result.setVulnerabilities(vulns);\n return result; //Send back the updated results\n }\n}\n
You can see the full implementation here
","tags":["API","App Store"]},{"location":"APIS/JIRA%20App%20Integration%20Example/#install-it-in-your-faction","title":"Install It In Your Faction","text":"Build the jar file by running:
mvn clean compile assembly:single\n
This will create a jar file named\u00a0something like JiraPlugin-0.0.1-SNAPSHOT-jar-with-dependencies.jar\u00a0in your ./target folder.\u00a0
Upload it to Admin->App Store->Install Extension. It should display like this:
If all looks good, click install.
It will be installed initially as disabled. You can configure it before you enable it by clicking on the extension in the list:
Once you configure the settings you can enable it.
Now when an assessment is finalized it will add All the findings to JIRA as shown in the following screenshot:
","tags":["API","App Store"]},{"location":"APIS/REST%20API/","title":"REST API","text":"The Rest API enables you to integrate FACTION into your unique environment. With the API you can:
- Add vulnerabilities from other tools
- Upload your custom vulnerability templates
- Schedule Assessments and Retests
- Track remediation
- Manage Users
- and much more.
The easiest way to access the REST API for your faction instance is to click on your profile in the top right corner. Here you will find a link to the Swagger API docs and access to your API Key
If you select \"Click here for API docs\" it will redirect you to the Swagger docs for your Faction Instance. You can use this page to make requests to the API directly in the browser.
","tags":["API"]},{"location":"blog/2024/03/25/faction-app-store/","title":"Faction App Store","text":"\u2728 We are excited to release the first iteration of the Faction App Store! \u2728
The App Store is where developers can build custom integrations with Faction. These can be anything from sending vulnerabilities to external bug trackers to adding custom graphics to your automated pentest reports!
We want to make this process really easy and took inspiration from Burp Suite on the design. If you have ever made an extension for Burp then you should be able to get up and running pretty quickly.
","tags":["App Store"]},{"location":"blog/2024/03/25/faction-app-store/#what-can-be-extended","title":"What Can Be Extended?","text":"With this initial release, you can extend Faction by:
- Including your own application inventory database to the application search features and populate results in Faction like the Application ID, Distribution Lists, and Application Name.
- Triggers when an assessment state changes (created, updated, or finalized). You can use this to send emails to a distribution list that an assessment has been scheduled for certain dates. When the assessment is finalized you can choose to send only the vulnerabilities of a certain criticality to an external tracking system as well as send to different tracking systems depending on the type of assessment.
- Triggers when a vulnerability state is changed. When a tracked vulnerability is retested and pass/fail, you can create a custom workflow and alert key stakeholders that the issue succeeded or failed.
- Update reports when they are generated. You can use this to add custom variables to your reporting templates and replace the contents with data from an external system or add custom charts and graphics to give your reports a more polished look.
The full documentation on the API can be found here
","tags":["App Store"]},{"location":"blog/2024/03/25/faction-app-store/#custom-settings","title":"Custom Settings","text":"Extensions are built so that you can add your own configuration options that can be stored in the Faction Database. Things like a user-editable hostname or API key can be configured in your extension. Based on how you set up your configuration you can make data like passwords and API keys hidden in the UI and encrypted at rest.
","tags":["App Store"]},{"location":"blog/2024/03/25/faction-app-store/#extension-chain","title":"Extension Chain","text":"Extensions can be chained in any order. Once you add apps and enable them in Faction, the UI allows you to drag the extension to anywhere in the list. This allows you to create one extension that processes data and returns a result that can be processed by the next extension.
Before Order Change After Order Change You can use this to create one extension that returns a JIRA Tracking number for all vulnerabilities in the finalized assessment, they take those numbers and process them into another system and on and on down the chain.
","tags":["App Store"]},{"location":"blog/2024/03/25/faction-app-store/#example-extensions","title":"Example Extensions","text":"You can review the source code for our initial apps here. This list will grow over time but currently, there are 2 (JIRA Integration, Vulnerability Bar Charts).
","tags":["App Store"]},{"location":"blog/2024/03/25/faction-app-store/#submit-your-own","title":"Submit Your Own","text":"We can't think of everything! We encourage developers to submit their own extensions and we will add them to our list of Approved Extensions. Send an email to develop [ at ] factionsecurity [dot] com with a link to your GitHub and a brief explanation of what it does.
","tags":["App Store"]},{"location":"blog/2024/03/25/faction-app-store/#conclusion","title":"Conclusion","text":"We hope you enjoy the new App Store and other new features that are part of this 1.2 Release. Faction is open-source and free to use. Please leave us feedback in either our GitHub Discussion Boards or by submitting Issues.
If you want to help support the project and ensure its longevity then consider being a sponsor... It's good karma! \u2764\ufe0f
Sponsor Options
- GitHub Sponsor
- Patreon
- Open Collective
","tags":["App Store"]},{"location":"blog/2024/03/16/faction-boilerplates/","title":"Faction Boilerplates","text":"If you have been doing penetration testing for any length of time you probably have a personal database of vulnerability descriptions, recommendations as well as other text snippets you will inject into various places of your reports. What if, Instead of keeping these in separate files on various computers, they were all included in your reporting software?!@! \ud83e\udd2f
Faction IS your database for global boilerplate, default vulnerability templates, personal flare, and just about anything else you can imagine (well...sorta \ud83e\udd14). Let's walk through how this is done.
","tags":["Core Features","Boilerplate","Customizing"]},{"location":"blog/2024/03/16/faction-boilerplates/#vulnerability-templates","title":"Vulnerability Templates","text":"Let's start with the obvious.... Faction includes over 75 default vulnerability templates when you start. These vulnerability templates include both descriptions and recommendations and are fully customizable by you. You can start with our templates or upload your own as described here.
When writing your report, type the name of the vulnerability and it will auto-populate in the UI as shown below:
Once selected your report will automatically include the severity of the finding, the description, and the recommendation! \ud83d\udca5 Something that would have taken you 30 min to an hour is complete in just a few seconds.
These are fully editable in the Default Vulnerabilities section. You can add new ones, update the pre-packaged ones, or delete them all and upload all your own with the Faction API.
","tags":["Core Features","Boilerplate","Customizing"]},{"location":"blog/2024/03/16/faction-boilerplates/#assessment-templates","title":"Assessment Templates","text":"Faction has the option of creating global and personal boilerplates that you can easily add to your reports. Global templates are shared with everyone while personal templates are only available to you.
","tags":["Core Features","Boilerplate","Customizing"]},{"location":"blog/2024/03/16/faction-boilerplates/#global-assessment-templates","title":"Global Assessment Templates","text":"In Faction, Navigate to Templates -> Assessment Templates. Here you have the option to create text that will be available to all assessors in the platform. This is useful for creating things like Different High-Level Summaries for different report types or adding common risk summaries.
Notice you can include most faction variables in your templates and they will be auto-populated in the generated report.
As the security assessor, you can easily add these to different sections of your report. Below is a screen-share of using Global Templates in your reports.
","tags":["Core Features","Boilerplate","Customizing"]},{"location":"blog/2024/03/16/faction-boilerplates/#user-assessment-templates","title":"User Assessment Templates","text":"User Assessment Templates work the same as the Global Assessment Templates but are specific to your user account. This can allow you to add your own flare to a report that you might not want to share with the rest of the team.
To add a User Template just start typing into any of Faction's text editors and then click the Save button in the Template section. Note that User Templates have a different icon beside them in the Template List.
Below is a walk though of how you would add User templates to save and later recall user-defined boilerplate text.
","tags":["Core Features","Boilerplate","Customizing"]},{"location":"blog/2024/03/15/hello-world/","title":"Hello World","text":"Hey! Just starting the FACTION blog. Stay tuned here for new updates, tips, and tricks on getting the most out of FACTION. \ud83c\udf89
FACTION 1.2 will be released this month (March'24) with loads of new features. The most notable features are the inclusion of the Faction App Store which will make it simple for developers to write extensions and integrations.
","tags":["hello world"]},{"location":"blog/archive/2024/","title":"2024","text":""},{"location":"tags/","title":"Tags","text":"","tags":[]},{"location":"tags/#api","title":"API","text":" - Faction App Store Extensions
- Importing Your Vulnerability Templates Via the API
- Using the Faction Burp Suite Extension
- App Store Extension API
- JIRA App Integration Example
- REST API
","tags":[]},{"location":"tags/#app-store","title":"App Store","text":" - Faction App Store Extensions
- App Store Extension API
- JIRA App Integration Example
- Faction App Store
","tags":[]},{"location":"tags/#authentication","title":"Authentication","text":" - Integrate Faction into OIDC Solutions
","tags":[]},{"location":"tags/#boilerplate","title":"Boilerplate","text":"","tags":[]},{"location":"tags/#burp-suite","title":"Burp Suite","text":" - Using Markdown in Reports
- Using the Faction Burp Suite Extension
","tags":[]},{"location":"tags/#cvss","title":"CVSS","text":" - Faction Severity Rating and CVSS Scoring
","tags":[]},{"location":"tags/#cloud-hosted","title":"Cloud Hosted","text":"","tags":[]},{"location":"tags/#core-features","title":"Core Features","text":" - Faction Severity Rating and CVSS Scoring
- Importing Your Vulnerability Templates Via the API
- Integrate Faction into OIDC Solutions
- Remediation Tracking, Custom SLAs, Retests
- Using Markdown in Reports
- Faction Boilerplates
","tags":[]},{"location":"tags/#customize","title":"Customize","text":" - Custom Security Report Templates
- Custom Variables
","tags":[]},{"location":"tags/#customizing","title":"Customizing","text":"","tags":[]},{"location":"tags/#enterprise","title":"Enterprise","text":" - Table of Contents Numbering
","tags":[]},{"location":"tags/#managed","title":"Managed","text":" - Table of Contents Numbering
","tags":[]},{"location":"tags/#markdown","title":"Markdown","text":" - Using Markdown in Reports
","tags":[]},{"location":"tags/#paid-feature","title":"Paid Feature","text":" - Table of Contents Numbering
","tags":[]},{"location":"tags/#penetration-testing","title":"Penetration Testing","text":" - Using the Faction Burp Suite Extension
","tags":[]},{"location":"tags/#remediation","title":"Remediation","text":" - Remediation Tracking, Custom SLAs, Retests
","tags":[]},{"location":"tags/#reporting","title":"Reporting","text":" - Custom Security Report Templates
- Custom Variables
- Table of Contents Numbering
- Using Markdown in Reports
- How To Generate a Vulnerability Report in Faction
","tags":[]},{"location":"tags/#retests","title":"Retests","text":" - Remediation Tracking, Custom SLAs, Retests
","tags":[]},{"location":"tags/#self-hosted","title":"Self Hosted","text":" - Self Hosted FACTION Setup
","tags":[]},{"location":"tags/#setup","title":"Setup","text":" - Managed FACTION Setup
- Self Hosted FACTION Setup
","tags":[]},{"location":"tags/#variables","title":"Variables","text":" - Custom Security Report Templates
","tags":[]},{"location":"tags/#vulnerability","title":"Vulnerability","text":" - Faction Severity Rating and CVSS Scoring
- Importing Your Vulnerability Templates Via the API
","tags":[]},{"location":"tags/#api_1","title":"api","text":" - How to Use BurpSuite with Faction
","tags":[]},{"location":"tags/#burpsuite","title":"burpsuite","text":" - How to Use BurpSuite with Faction
","tags":[]},{"location":"tags/#hello-world","title":"hello world","text":"","tags":[]},{"location":"tags/#integrations","title":"integrations","text":" - How to Use BurpSuite with Faction
","tags":[]}]}
\ No newline at end of file
+{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"Welcome to FACTION","text":"PenTesting Report Generation and Collaboration Engine
FACTION is your entire assessment workflow in a box. With FACTION you can:
-
Automate pen testing and security assessment Reports
-
Peer review and track changes for reports
-
Create customized DOCX templates for different assessment types and retests
-
Real-time collaboration with assessors via the web app and Burp Suite Extensions
-
Customizable vulnerability templates with over 75 prepopulated
-
Easily manage assessment teams and track progress across your organization
-
Track vulnerability remediation efforts with custom SLA warnings and alerts \u00a0
-
Full Rest API to integrate with other tools\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0
Other Features:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0
-
LDAP Integration\u00a0 \u00a0 \u00a0 \u00a0
-
OAUTH2.0 Integration
-
SMTP integration\u00a0
-
Extendable with Custom Plugins similar to Burp Extender.
-
Custom Report Variables
Want to see it in action? -> Faction Video Overview
","tags":[]},{"location":"#quick-setup","title":"Quick Setup","text":"Requirements - Java JDK11 - Maven (for building the project)
Run the following commands to build the war file and deploy it to the docker container.
git clone git@github.com:factionsecurity/faction.git\ncd faction\nmvn clean compile war:war\ndocker-compose up --build\n
Once the containers are up you can navigate to http://127.0.0.1:8080 to access your FACTION instance. On the first boot, it will ask you to create an admin account.
","tags":[]},{"location":"#import-the-vulnerability-templates","title":"Import the Vulnerability Templates","text":" - Navigate to Admin -> Default Vulnerabilities
- Click Import from Faction
","tags":[]},{"location":"#customize-reports","title":"Customize reports","text":"You can find out more information about creating your own custom report templates here: Customize Report Templates
","tags":[]},{"location":"#burp-suite-extension","title":"Burp Suite Extension","text":"Burp Suite Extensions
","tags":[]},{"location":"#dont-want-to-host-it-yourself","title":"Don't want to host it yourself?","text":"We can provide hosting for your instance. All instances are single tenants so you don't have to worry about sharing infrastructure with untrusted parties. Hosted versions also come with other features like enhanced reporting. Navigate to https://www.factionsecurity.com to learn more.
","tags":[]},{"location":"#screenshots","title":"Screenshots","text":"Vulnerability Templates
Assessment Scheduling
Peer Review and Track Changes
","tags":[]},{"location":"Custom%20Security%20Report%20Templates/","title":"Custom Security Report Templates","text":"The Faction Report Designer allows you to create custom security report templates for each assessment type. When building reports you need to use the variables listed below. Entering these into your DOCX reports will auto-replace the assessment and vulnerability text when the report is generated. You can even use the same variables in many of the assessor input fields outside of the report template (like Risk Assessment Summaries) and it will auto-populate the fields when the report is generated.
You can download the sample templates here: Sample Templates
Note
You should disable spellcheck in your template document while adding variables. The spellcheck can cause the variables to contain attributes that will make the variable unrecognizable to the Faction document parser.
","tags":["Reporting","Customize","Variables"]},{"location":"Custom%20Security%20Report%20Templates/#general-variables","title":"GENERAL VARIABLES:","text":"All of these variables can be used anywhere in the DOCX template. Those with a star \u2b50\ufe0f can be used in the web interface to assist in creating common reusable templates.
- ${TOC}\u00a0\u2013 Placeholder for the Table of Contents
- ${summary1}\u00a0\u2013 The high level summary
- ${summary2}\u00a0\u2013 The objective and scope
- ${asmtId}\u00a0\u2013 Internal Database ID \u2b50\ufe0f
- ${asmtAppid}\u00a0\u2013 The assigned Application ID \u2b50\ufe0f
- ${asmtName}\u00a0\u2013 The Assessment Name \u2b50\ufe0f
- ${asmtAssessor}\u00a0\u2013 The first assessor assigned to the assessment \u2b50\ufe0f
- ${asmtAssessor_Email}\u00a0\u2013 The first assessor email address \u2b50\ufe0f
- ${asmtAssessors_Lines}\u00a0\u2013 All Assessors split into lines \u2b50\ufe0f
- ${asmtAssessors_Comma}\u00a0\u2013 All Assessors split into a comma delimited list \u2b50\ufe0f
- ${asmtAssessor_Bullets}\u00a0\u2013 All Assessors split into a bulleted list \u2b50\ufe0f
- ${remediation}\u00a0\u2013 The Remediation Person assigned to the assessment \u2b50\ufe0f
- ${riskCount*}\u00a0\u2013 The number of findings at the RiskLevel 0-9 \u2b50\ufe0f
- ${riskTotal}\u00a0\u2013 The total number of findings at all RiskLevels \u2b50\ufe0f
- ${asmtTeam}\u00a0\u2013 The Assessor Team Name \u2b50\ufe0f
- ${asmtType}\u00a0\u2013 The Type of the Assessment \u2b50\ufe0f
- ${asmtStart}\u00a0\u2013 The Start date of the assessment \u2b50\ufe0f
- ${asmtEnd}\u00a0\u2013 The End date of the assessment \u2b50\ufe0f
- ${asmtAccessKey}\u00a0\u2013 Guid to access the client retest queue. \u2b50\ufe0f
- ${today}\u00a0\u2013 Day the report is generated \u2b50\ufe0f
- ${cfXXXXXX}\u00a0\u2013 Custom Fields are ones you specify in the admin interface. These are all prefixed with \u201ccf\u201d \u2b50\ufe0f
- ${totalOpenVulns} - Can be used in retest reports to show a count of open vulnerabilities. (Since 1.3)
- ${totalClosedVulns} - Can be used in retest reports to show the total count of closed vulnerabilities. (Since 1.3)
","tags":["Reporting","Customize","Variables"]},{"location":"Custom%20Security%20Report%20Templates/#vulnerability-tables-variables","title":"VULNERABILITY TABLES VARIABLES:","text":"These are only available inside tables.
- ${vulnTable}\u00a0\u2013 This defines a table to be a vulnerability listing table.
- ${vulnTable Section_Name}\u00a0\u2013 This defines a table to be a vulnerability listing table for a section of vulnerabilities. See Reporting Sections(Paid Only Feature).
- ${vulnName}\u00a0\u2013 The Vulnerability name
- ${rec}\u00a0\u2013\u00a0Vulnerability Recommendation
- ${desc}\u00a0\u2013\u00a0Vulnerability Description
- ${category}\u00a0\u2013 Category of the vulnerability
- ${severity}\u00a0\u2013 Severity of each vulnerability.
- ${likelihood}\u00a0\u2013 Likelihood of the vulnerability
- ${impact}\u00a0\u2013 Impact of the vulnerability
- ${cvssScore}\u00a0\u2013 CVSS score of the vulnerability (Since v1.2)
- ${cvssString}\u00a0\u2013 CVSS vector of the vulnerability (Since v1.2)
- ${count}\u00a0\u2013 Row Count of the vulnerability
- ${tracking}\u00a0\u2013 Tracking number of the vulnerability
- ${vid}\u00a0\u2013 Vulnerability internal database id
- ${openedAt} - The date the vulnerability began tracking (Since 1.3)
- ${closedAt} - The date the vulnerability was closed (no longer tracked) (Since 1.3)
- ${remediationStatus} - Displays only \"Open\" or \"Closed\" (Since 1.3)
- ${cfXXXXXX}\u00a0\u2013 Custom Fields are ones you specify in the admin interface. These are all prefixed with \u201ccf\u201d
- ${color \u00a0key=value,key=value}\u00a0\u2013 The color of the text is based on key-value pairs.\u00a0See below for how to set up colors.
- ${cells key=value,key=value}\u00a0\u2013 The color of the table cell is based on key-value pairs.\u00a0\u00a0See below for how to set up colors.
- ${loop}\u00a0\u2013 This variable tells the report generator which row will be repeated.
- ${loop-*}\u00a0\u2013 This allows multiple rows to be repeated. Example ${loop-1} will repeat the row but the one below it.
- ${details}\u00a0\u2013 This will insert screenshots and exploit steps for each vulnerability.
- ${noIssuesText} - This is the default text displayed in the section if no vulnerabilities are reported. (Since 1.3.28)
","tags":["Reporting","Customize","Variables"]},{"location":"Custom%20Security%20Report%20Templates/#example-table-summary-table","title":"Example Table Summary Table","text":"${vulnTable} ${color Critical=C00000,High=FFC000} ID Finding Name Impact Severity ${loop} ${count}. ${vulnName} ${impact} ${severity}","tags":["Reporting","Customize","Variables"]},{"location":"Custom%20Security%20Report%20Templates/#example-table-detail-table","title":"Example Table Detail Table","text":"${vulnTable} ${cells Critical=8064a2,High=c0504d,Medium=e68e00, Low=33D7FF,Recommended=081417,Informational=657376} ${loop-5} ## 1\u00a0 ${vulnName} ${severity} CVSS: ${cvssString} ${cvssScore} Category: ${category} Description:${desc} Recommendation:${rec} ${details} **Why is the heading yellow?!?! Check here
","tags":["Reporting","Customize","Variables"]},{"location":"Custom%20Security%20Report%20Templates/#vulnerability-block-variables","title":"VULNERABILITY BLOCK VARIABLES:","text":"For when you do not want to use tables to display your vulnerability information. You can use the following variables for inserting vulnerability information outside of a table
- ${fiBegin} / ${fiEnd}\u00a0\u2013 Block to repeat against all findings.
- ${fiBegin Section_Name} / ${fiEnd Section_Name}\u00a0\u2013 Block to repeat a section of findings. See Reporting Sections (Paid Only Feature)
- ${vulnName}\u00a0\u2013 The Vulnerability name
- ${rec}\u00a0\u2013\u00a0Vulnerability Recommendation
- ${desc}\u00a0\u2013\u00a0Vulnerability Description
- ${category}\u00a0\u2013 Category of the vulnerability
- ${severity}\u00a0\u2013 Severity of each vulnerability.
- ${likelihood}\u00a0\u2013 Likelihood of the vulnerability
- ${impact}\u00a0\u2013 Impact of the vulnerability
- ${cvssScore}\u00a0\u2013 CVSS score of the vulnerability (Since 1.2)
- ${cvssString}\u00a0\u2013 CVSS vector of the vulnerability (Since 1.2)
- ${count}\u00a0\u2013 Row Count of the vulnerability
- ${tracking}\u00a0\u2013 Tracking number of the vulnerability
- ${vid}\u00a0\u2013 Vulnerability internal database id
- ${openedAt} - The date the vulnerability began tracking (Since 1.3)
- ${closedAt} - The date the vulnerability was closed (no longer tracked) (Since 1.3)
- ${remediationStatus} - Displays only \"Open\" or \"Closed\" (Since 1.3)
- ${cfXXXXXX}\u00a0\u2013 Custom Fields are ones you specify in the admin interface. These are all prefixed with \u201ccf\u201d
- ${details}\u00a0\u2013 This will insert screenshots and exploit steps for each vulnerability.
- ${color \u00a0key=value,key=value}\u00a0\u2013 The color of the text is based on key-value pairs.\u00a0See below for how to set up colors.
- ${fill key=value,key=value}\u00a0\u2013 The color of the background elements is based on key-value pairs.\u00a0\u00a0See below for how to set up colors.
- ${noIssuesText} - This is the default text displayed in the section if no vulnerabilities are reported. (Since 1.3.28)
","tags":["Reporting","Customize","Variables"]},{"location":"Custom%20Security%20Report%20Templates/#example-block-findings","title":"Example Block Findings","text":"**Why is the heading yellow?!?! Check here
","tags":["Reporting","Customize","Variables"]},{"location":"Custom%20Security%20Report%20Templates/#reporting-sections-enterprisepaid-feature","title":"Reporting Sections (Enterprise/Paid Feature)","text":"You can put findings into different sections of your report for paid versions and certain sponsored tiers of Faction. You may want to use sections if you are doing different types of pen tests in one report and need to keep these sections separated. For example, you can segregate findings into Application Security and Network Security Sections.
To use sections you need to create the section names in the Faction Report Designer:
Once the sections are created in the UI, you can add them to the report in two ways. 1. Vulnerability Block Variables: ${fiBegin Your_Section_Name}
/${fiEnd Your_Section_Name} 2. Vulnerability Table Variables:
${vulnTable Your_Section_Name}`
Below is an example of how the template variables work:
","tags":["Reporting","Customize","Variables"]},{"location":"Custom%20Security%20Report%20Templates/#css-formatting","title":"CSS FORMATTING:","text":"All of the text generated from Faction is HTML. You can control how it is rendered in the DOCX format using the CSS editor in the Report Designer. You will need to set the CSS to match your report templates. Things like font and size will need to match. Images will need to be forced to resize to the correct dimensions to fit in your reports.
","tags":["Reporting","Customize","Variables"]},{"location":"Custom%20Security%20Report%20Templates/#setting-severity-colors","title":"SETTING SEVERITY COLORS:","text":"When building reports you most likely will set the text or cell to the color that matches the severity of the finding. To achieve this in FACTION you need to set a default color in the docx template that matches the severity category (i.e. Overall, Likelihood, and Impact). These default colors are in the table below:
Category Color Hex Overall Severity #FAC701 Likelihood #FAC702 Impact #FAC703 For Example, a table in MS Word below has pre-filled the color codes for each severity name and category.
Right-click the overall severity variable,\u00a0${severity}; you can see the default hex code for this color is #FAC701. Likelihood would be set to #FAC02, and Impact would be set to #FAC703.
Setting the background color for cells works in much the same way. Notice we use the ${cells} variable instead.
Right-click on the cell and set the color you may only want to use the Overall severity option but you can have multiple cells with each category if you wish.
Below is an example of the generated report table with colors replaced.
","tags":["Reporting","Customize","Variables"]},{"location":"Custom%20Variables/","title":"Custom Variables","text":"You can use custom variables to add additional features to Faction. These variables can be used to add additional information to vulnerabilities like a CVSS score or to populate additional data in reports like \"product owner\", \"cost center\", etc.
Note
Faction 1.2 and above has CVSS Scoring built in. You can still use this information as a guide to add your own custom variables.
","tags":["Reporting","Customize"]},{"location":"Custom%20Variables/#adding-a-cvss-score","title":"Adding a CVSS Score","text":"As of Faction version 1.1.25.1, Faction does not have CVSS scores built in but you can add your own easily.
","tags":["Reporting","Customize"]},{"location":"Custom%20Variables/#step-1-add-custom-fields-in-admin","title":"Step 1 : Add Custom Fields in Admin","text":"Navigate to Admin -> Settings and add two Custom Fields: CVSS3.1 and CVSS String with variable names cvss3
and cvssstring
.
The Name will be what is displayed in the UI and the variable name will be used in the report template. We want to apply this to Vulnerability so that it will be available when we add vulnerabilities to the assessment.
","tags":["Reporting","Customize"]},{"location":"Custom%20Variables/#step-2-update-the-report-template","title":"Step 2: Update the Report Template","text":"We need to change our report template to include the new variables in the vulnerability section of the template. In this case, we already have a table with vulnerability information and we need to add another row to this table with the new variables. The default template can be downloaded here.
Notice all custom field variables are pre-populated with cf
. If we defined a custom field with a variable of cvss3
then the reporting variable will be ${cfcvss3}
.
Note: We needed to change the loop
variable to inform the Faction reporting engine that the number of rows in the table has changed from 4 to 5. If you are not changing the number of rows then this update is not necessary.
","tags":["Reporting","Customize"]},{"location":"Custom%20Variables/#step-3-add-a-new-vulnerability-to-the-assessment","title":"Step 3: Add a New Vulnerability to the Assessment","text":"When you add a vulnerability to the assessment the custom fields will be available in the form as shown below:
Entering the CVSS score will be automatically saved and a report can now be generated with these new Fields.
","tags":["Reporting","Customize"]},{"location":"Faction%20App%20Store%20Extensions/","title":"Faction App Store Extensions","text":"Below is a List of Approved Faction Extensions. These all work with Faction 1.2+
Name Developer URL Faction Jira Integration Faction Security https://github.com/factionsecurity/Faction-Jira-Extension Faction Vulnerability Bar Chart Faction Security https://github.com/factionsecurity/Faction-Vulnerability-Bar-Chart","tags":["App Store","API"]},{"location":"Faction%20App%20Store%20Extensions/#submit-an-extension","title":"Submit an Extension","text":"Send an email to develop [ at ] factionsecurity [dot] com with a link to your github and a brief explanation of what it does.
","tags":["App Store","API"]},{"location":"Faction%20Severity%20Rating%20and%20CVSS%20Scoring/","title":"Faction Severity Rating and CVSS Scoring","text":"Native:
CVSS:
FACTION's severity rankings are easily customizable to how you perform assessments. You can even create different severity options for the type of assessment.
FACTION has 3 options to choose:
- Native Severity - This is simply High, Medium, Low, etc type rankings. Faction let you set up to 10 levels and can rename them to anything that works for your process.
- CVSS 3.1 - This option enables First.org CVSS 3.1 Severity Scoring and was introduced in FACTION 1.2
- CVSS 4.0 = This option enables First.org CVSS 4.0 Scoring and was introduced in FACTION 1.2
","tags":["CVSS","Vulnerability","Core Features"]},{"location":"Faction%20Severity%20Rating%20and%20CVSS%20Scoring/#native-severity-ranking","title":"Native Severity Ranking","text":" By default, assessments are enabled with Native Severity Ranking. You can choose up to 10 levels. The most common severity names are pre-populated when you install FACTION. You are free to change these names to anything you wish. If your process uses a different nomenclature then you can change Critical
to P1
and High
to P2
for example.
You can find this setting in Templates -> Default Vulnerabilities.
When Native Severity Ranking is enabled, the following options are available when adding a new vulnerability:
","tags":["CVSS","Vulnerability","Core Features"]},{"location":"Faction%20Severity%20Rating%20and%20CVSS%20Scoring/#changing-the-severity-scoring-system","title":"Changing the Severity Scoring System","text":"The severity scoring system is set for each assessment type. You can change this or create new assessment types by navigating to Admin -> Settings:
Notice above that each assessment has a different scoring system. To change the assessment scoring system then simply click the edit
button an select the scoring system from the drop-down.
","tags":["CVSS","Vulnerability","Core Features"]},{"location":"Faction%20Severity%20Rating%20and%20CVSS%20Scoring/#cvss-31-and-40-severity-ranking","title":"CVSS 3.1 and 4.0 Severity Ranking","text":"When changing the scoring system to CVSS 3.1 or 4.0, it changes the vulnerability UI and adds CVSS Calculators to the page.
Clicking on the calculator button next to the CVSS Vector will open a dialog that will build the CVSS vector for you and update the score.
","tags":["CVSS","Vulnerability","Core Features"]},{"location":"How%20to%20Use%20BurpSuite%20with%20Faction/","title":"How to Use BurpSuite with Faction","text":"Faction has a tight integration with BurpSuite and you can now find our extension in the BApp Store. Here are a few things you can do with the Faction Burp Integration. 1. See your assessment and retest queues. 2. Instant access to your assessment scope and other details. 3. View all findings you and your co-pentesters are reporting. 4. Replay payloads from other pentesters. 5. Add issues in Faction directly from BurpSuite.
","tags":["burpsuite","integrations","api"]},{"location":"How%20to%20Use%20BurpSuite%20with%20Faction/#install-the-burp-faction-integration","title":"Install the Burp Faction Integration","text":"You can install the Faction Integration directly from the BApp store. 1. Open Burp then Click Extensions->BApp Store 3. Search for Faction 4. Click Install
","tags":["burpsuite","integrations","api"]},{"location":"How%20to%20Use%20BurpSuite%20with%20Faction/#set-up-faction","title":"Set Up Faction","text":"In BurpSuite navigate to the Faction tab after you have installed the Faction Integration. From here you need to enter the URL and API key for your user.
The URL will be your domain plus api
. Ex https://faction-test.factionsecurity.com/api
You can retrieve your API Key in Faction by accessing your profile in the upper right corner of the Faction Web Interface.
","tags":["burpsuite","integrations","api"]},{"location":"How%20to%20Use%20BurpSuite%20with%20Faction/#access-your-assessment-queue","title":"Access Your Assessment Queue","text":"Now that Faction is configured you should be able to see you current assessment queue as shown below:
Clicking on an assessment will show you the scope, any vulnerabilities that have been reported, and notes that your team has shared with you.
If you select one of the vulnerabilities you can see its full details including screenshots.
","tags":["burpsuite","integrations","api"]},{"location":"How%20to%20Use%20BurpSuite%20with%20Faction/#enter-findings-into-faction-from-burp","title":"Enter Findings into Faction From Burp","text":"Lets say you find an XSS attack and have verified it with BurpSuite. You can add the finding to Faction without ever leaving Burp. Just select the request or response that you want to enter into the report and select \"Add New Finding\" as shown below:
Now you will be presented with the vulnerability findings dialog. Here you can search for an existing vulnerability template to auto populate the details and recommendations.
Next ensure its being sent to the right assessment. The option will default to the last assessment you selected in the previous section on Access your Assessment Queue
Next you have several options.
- Select the severity or leave the default
- Check or uncheck to include the request and/or response. When checked it will include these options in code blocks in the final report.
- \"Snip cookies\" when checked will remove all cookies from being added to the report and replace them with
[...snip...]
- \"Extract Selection\" when checked will only add the portion of the code you selected in Burp to the report. This is most useful trying to only show the reflected script in the response instead of the full response.
- Exploit Steps can be included and supports MarkDown Syntax. Note Screenshots are available though the Burp Extension currently. For this you still need to add them to the Web UI.
Now you can click Save to add it to Faction. All this allows issues to be added seamlessly without breaking your flow. The final result will look something like this.
","tags":["burpsuite","integrations","api"]},{"location":"How%20to%20Use%20BurpSuite%20with%20Faction/#replay-findings","title":"Replay Findings","text":"The Faction Burp Integration has the ability to replay findings if you included the request in the details. Notice the hyperlink above the request when you select a vulnerability in the Faction BurpSuite Integration.
If you click the hyperlink it will add it to your Burp Repeater. This allows you to replay your own findings and findings from your co-pentesters. The same feature is available for retests!
","tags":["burpsuite","integrations","api"]},{"location":"How%20to%20Use%20BurpSuite%20with%20Faction/#add-scan-findings","title":"Add Scan Findings","text":"Anything found in the BurpSuite Scanner can be added directly into Faction using the BurpSuite Integration as well. Just select the issues you want to add and then choose \"Send Issues to Faction\"
Below shows that all issues were combined into two distinct issues.
Notice that if you select more than one of the same issue that it will aggregate the URLs into one finding:
","tags":["burpsuite","integrations","api"]},{"location":"How%20to%20Use%20BurpSuite%20with%20Faction/#wrapping-up","title":"Wrapping Up","text":"All of these features have been implemented to make adding issues to pen-testing reports easy and to not break your flow. Nothing worse that being in the zone and then have stop to mess with report formatting or ensuring you capture all the right data in your notes to use later. With Faction you can just add the issues as you find them and move on with your pentest.
","tags":["burpsuite","integrations","api"]},{"location":"Importing%20Your%20Vulnerability%20Templates%20Via%20the%20API/","title":"Importing Your Vulnerability Templates Via the API","text":"You may have developed your own vulnerability templates over the years, or you may prefer editing them in another editor such as Obsidian or Sublime, rather than using the web interface. Regardless of your approach, Faction enables you to upload your templates in CSV and JSON formats via the API. Additionally, reports can be generated in markdown, HTML, or a combination of both.
The api docs can be found on your instance by navigating to https: //YourHost/api-docs:
","tags":["API","Core Features","Vulnerability"]},{"location":"Importing%20Your%20Vulnerability%20Templates%20Via%20the%20API/#generating-an-api-key","title":"Generating an API Key","text":"You must have the API Key
permission on your user to use the API. It it not set by default.
After enabling the setting, you can access your API Key by navigating to your profile, located in the upper right corner of the Faction interface. Simply clicking anywhere inside the API key box will reveal the key to you.
","tags":["API","Core Features","Vulnerability"]},{"location":"Importing%20Your%20Vulnerability%20Templates%20Via%20the%20API/#csv-file-structure","title":"CSV File Structure","text":"Id* Name Category Id* Category Name* Description Recommendation Severity Id Impact Id Likelihood Id active If the ID field is empty, a new vulnerability will be created. If the ID field is populated, it will overwrite the vulnerability with the same ID.
If the Category ID is missing, the categoryName field is required. If a category with the same name exists, the existing category will be used.
If the categoryName does not match an existing category, a new category will be created.
If the Category ID is populated, the Category Name field is ignored.
","tags":["API","Core Features","Vulnerability"]},{"location":"Importing%20Your%20Vulnerability%20Templates%20Via%20the%20API/#example-1-create-a-new-vulnerability-template-in-csv","title":"Example 1: Create a New Vulnerability Template in CSV","text":"Example CSV
,\"Cross Site Scripting\",, Unvalidated Input, \"XSS is Bad and stuff..\\n```\\nCode snippet\\n```\", \"Fix it! here is a link [here](https://www.a.b.com)\", 4, 4,4,true\n
The provided example will create a new template for cross-site scripting. Here are a few key points to note:
-
The first column (ID column) is left blank. Since there is no ID specified, a new template will be created.
-
The third column (Category ID) is also blank, so Faction will refer to the fourth column (Category Name). If Unvalidated Input
is not already a category in Faction, it will be created.
-
The Description and Recommendation fields are written in markdown syntax. Ensure that these columns are enclosed in double quotes (\"
) and that new lines are properly escaped (\\n
).
-
The severity IDs must correspond to the severity levels configured in Faction. You can find these numbers in Admin->Settings-> Risk Level Settings. The default severity levels are: Critical (5), High (4), Medium (3), Low (2), Recommended (1), Informational (0). Ensure that the severity IDs match these levels accordingly.
Submit through the API
curl -X 'POST' \\ \n'http://localhost:8080/api/vulnerabilities/csv/default' \\ \n-H 'accept: application/json' \\ \n-H 'FACTION-API-KEY: 6be51daa-6f6f-42d3-8b04-b924a0045eff' \\ \n-H 'Content-Type: text/plain' \\ \n-d ',\"Cross Site Scripting\",, Unvalidated Input, \"XSS is Bad and stuff..\\n```\\nCode snippet\\n```\", \"Fix it! here is a link [here](https://www.a.b.com)\", 4, 4,4,true'\n
","tags":["API","Core Features","Vulnerability"]},{"location":"Importing%20Your%20Vulnerability%20Templates%20Via%20the%20API/#example-2-updating-a-vulnerability-template-in-csv","title":"Example 2: Updating a Vulnerability Template in CSV","text":"First, you need to download the current list of vulnerabilities from the API.
Get a CSV List of Default Vulnerabilities
curl -X 'GET' \\ \n'http://localhost:8080/api/vulnerabilities/csv/default' \\ \n-H 'accept: text/csv' \\ \n-H 'FACTION-API-KEY: 6be51daa-6f6f-42d3-8b04-b924a0045eff'\n
Example Response:
\"2\",\"Generic Vulnerability\",\"2\",\"Uncategorized\",\"\",\"\",\"4\",\"4\",\"4\",\"true\" \"18\",\"Cross Site Scripting\",\"4\",\"Unvalidated Input\",\"<p>XSS is Bad and stuff..</p> <pre><code>Code snippet </code></pre> <br />\",\"<p>Fix it! here is a link <a href=\"\"https://www.a.b.com\"\">here</a></p> <br />\",\"4\",\"4\",\"4\",\"true\"\n
Now to Update a Template Let's update the Cross Site Scripting Template by changing the description to the following.
XSS is fun to exploit with this code snippet\\n ```\\nSnipity snip\\n```\n
The API Request would look like this:
curl -X 'POST' \\ \n'http://localhost:8080/api/vulnerabilities/csv/default' \\ \n-H 'accept: application/json' \\ \n-H 'FACTION-API-KEY: 6be51daa-6f6f-42d3-8b04-b924a0045eff' \\ \n-H 'Content-Type: text/plain' \\ \n-d '\"18\",\"Cross Site Scripting\",\"4\",\"Unvalidated Input\",\"XSS is fun to exploit with this code snippet\\n ```\\nSnipity snip\\n```\",\"<p>Fix it! here is a link <a href=\"\"https://www.a.b.com\"\">here</a></p> <br />\",\"4\",\"4\",\"4\",\"true\"'\n
Now if we pull the list again the results look like this: Request
curl -X 'GET' \\ \n'http://localhost:8080/api/vulnerabilities/csv/default' \\ \n-H 'accept: text/csv' \\ \n-H 'FACTION-API-KEY: 6be51daa-6f6f-42d3-8b04-b924a0045eff'\n
Response
\"2\",\"Generic Vulnerability\",\"2\",\"Uncategorized\",\"\",\"\",\"4\",\"4\",\"4\",\"true\" \"18\",\"Cross Site Scripting\",\"4\",\"Unvalidated Input\",\"<p>XSS is fun to exploit with this code snippet</p> <pre><code>Snipity snip </code></pre> <br />\",\"<p>Fix it! here is a link <a href=\"\"https://www.a.b.com\"\">here</a></p> <br /> <br />\",\"4\",\"4\",\"4\",\"true\"\n
","tags":["API","Core Features","Vulnerability"]},{"location":"Importing%20Your%20Vulnerability%20Templates%20Via%20the%20API/#json-file-structure","title":"JSON File Structure","text":" [\n {\n \"Id\": 2,\n \"Name\": \"Generic Vulnerability\",\n \"CategoryId\": 2,\n \"CategoryName\": \"Uncategorized\",\n \"Description\": \"\",\n \"Recommendation\": \"\",\n \"SeverityId\": 4,\n \"LikelihoodId\": 4,\n \"ImpactId\": 4,\n \"Active\": true\n }\n ]\n
If the ID is missing, a new vulnerability will be created. If the ID is populated, it will overwrite the vulnerability with the same ID.
If the Category ID is missing, the categoryName is required. If a category with the same name exists, the existing category will be used.
If the categoryName does not match an existing category, a new category will be created.
If the Category ID is populated, the Category Name field is ignored.
","tags":["API","Core Features","Vulnerability"]},{"location":"Importing%20Your%20Vulnerability%20Templates%20Via%20the%20API/#example-1-create-all-new-vulnerability-template-in-json","title":"Example 1: Create All New Vulnerability Template in JSON","text":"Example JSON
[\n {\n \"Name\": \"Cross Site Scripting\",\n \"CategoryName\": \"Unvalidated Input\",\n \"Description\": \"XSS is Bad and stuff..\\n```\\nCode snippet\\n```\",\n \"Recommendation\": \"Fix it! here is a link [here](https://www.a.b.com)\",\n \"LikelihoodId\": 4,\n \"ImpactId\": 4,\n \"SeverityId\": 4,\n \"Active\": true\n }\n]\n
The provided example will create a new template for cross-site scripting. Here are a few key points to note:
-
The ID is missing. Since there isn't an ID to relate it, a new template will be created.
-
The CategoryId is missing, so Faction will need to look at the CategoryName. If Unvalidated Input
is not already a category, then Faction will create it.
-
The Description and Recommendation fields are written in markdown syntax.
-
Ensure that the severity IDs match the severity levels you have set in Faction. You can find these numbers in Admin->Settings-> Risk Level Settings. The defaults are Critical (5), High (4), Medium (3), Low (2), Recommended (1), Informational (0).
The API Request looks like this to add this vulnerability template:
curl -X 'POST' \\ \n'http://localhost:8080/api/vulnerabilities/default' \\ \n-H 'accept: application/json' \\ \n-H 'FACTION-API-KEY: a0d2fff7-7462-458c-ba7b-d93d99b7280a' \\ \n-H 'Content-Type: application/json' \\ \n-d '[ \n { \n \"Name\": \"Cross Site Scripting\", \n \"CategoryName\": \"Unvalidated Input\", \n \"Description\": \"XSS is Bad and stuff..\\n```\\nCode snippet\\n```\",\n \"Recommendation\": \"Fix it! here is a link [here](https://www.a.b.com)\",\n \"LikelihoodId\": 4, \n \"ImpactId\": 4, \n \"SeverityId\": 4, \n \"Active\": true \n } \n]'\n
","tags":["API","Core Features","Vulnerability"]},{"location":"Importing%20Your%20Vulnerability%20Templates%20Via%20the%20API/#example-2-updating-a-vulnerability-template-in-json","title":"Example 2: Updating a Vulnerability Template in JSON","text":"First, you need to download the current list of vulnerabilities from the API.
Get a JSON List of Default Vulnerabilities
curl -X 'GET' \\ \n'http://localhost:8080/api/vulnerabilities/default' \\ \n-H 'accept: application/json' \\ \n-H 'FACTION-API-KEY: a0d2fff7-7462-458c-ba7b-d93d99b7280a'\n
Response:
[\n {\n \"CategoryId\": 2,\n \"ImpactId\": 4,\n \"Active\": true,\n \"Description\": \"\",\n \"CategoryName\": \"Uncategorized\",\n \"LikelihoodId\": 4,\n \"Id\": 2,\n \"Recommendation\": \"\",\n \"SeverityId\": 4,\n \"Name\": \"Generic Vulnerability\"\n },\n {\n \"CategoryId\": 4,\n \"ImpactId\": 4,\n \"Active\": true,\n \"Description\": \"XSS is Bad and stuff..\\n```\\nCode snippet\\n```\",\n \"CategoryName\": \"Unvalidated Input\",\n \"LikelihoodId\": 4,\n \"Id\": 5,\n \"Recommendation\": \"Fix it! here is a link [here](https://www.a.b.com)\",\n \"SeverityId\": 4,\n \"Name\": \"Cross Site Scripting\"\n }\n]\n
Now to Update a Template Let's update the Cross-Site Scripting Template by changing the description to the following.
XSS is fun to exploit with this code snippet\\n ```\\nSnipity snip\\n```\n
The API Request would look like this:
curl -X 'POST' \\\n 'http://localhost:8080/api/vulnerabilities/default' \\\n -H 'accept: application/json' \\\n -H 'FACTION-API-KEY: a0d2fff7-7462-458c-ba7b-d93d99b7280a' \\\n -H 'Content-Type: application/json' \\\n -d '[ {\n \"CategoryId\": 4,\n \"ImpactId\": 4,\n \"Active\": true,\n \"Description\": \"XSS is fun to exploit with this code snippet\\n ```\\nSnipity snip\\n```\",\n \"CategoryName\": \"Unvalidated Input\",\n \"LikelihoodId\": 4,\n \"Id\": 5,\n \"Recommendation\": \"Fix it! here is a link [here](https://www.a.b.com)\",\n \"SeverityId\": 4,\n \"Name\": \"Cross Site Scripting\"\n }]'\n
Now if we pull the list again the results look like this: Request
curl -X 'GET' \\ \n'http://localhost:8080/api/vulnerabilities/default' \\ \n-H 'accept: text/csv' \\ \n-H 'FACTION-API-KEY: 6be51daa-6f6f-42d3-8b04-b924a0045eff'\n
Response
[\n {\n \"CategoryId\": 2,\n \"ImpactId\": 4,\n \"Active\": true,\n \"Description\": \"\",\n \"CategoryName\": \"Uncategorized\",\n \"LikelihoodId\": 4,\n \"Id\": 2,\n \"Recommendation\": \"\",\n \"SeverityId\": 4,\n \"Name\": \"Generic Vulnerability\"\n },\n {\n \"CategoryId\": 4,\n \"ImpactId\": 4,\n \"Active\": true,\n \"Description\": \"<p>XSS is fun to exploit with this code snippet</p>\\n<pre><code>Snipity snip\\n</code></pre>\\n<br />\",\n \"CategoryName\": \"Unvalidated Input\",\n \"LikelihoodId\": 4,\n \"Id\": 5,\n \"Recommendation\": \"<p>Fix it! here is a link <a href=\\\"https://www.a.b.com\\\">here</a></p>\\n<br />\",\n \"SeverityId\": 4,\n \"Name\": \"Cross Site Scripting\"\n }\n]\n
","tags":["API","Core Features","Vulnerability"]},{"location":"Importing%20Your%20Vulnerability%20Templates%20Via%20the%20API/#using-swagger","title":"Using Swagger","text":"Instead of using CURL as show above you can use the API docs pages to submit directly to your API to test things out.
Just navigate to https: //YourHost/api-docs
and select any of the API's available. You will need your API Key that can be found in your profile.
Below is an example of using swagger to update a Template with JSON.
","tags":["API","Core Features","Vulnerability"]},{"location":"Integrate%20Faction%20into%20OIDC%20Solutions/","title":"Integrate Faction into OIDC Solutions","text":"Faction seamlessly integrates with your existing enterprise authentication solutions, ensuring a smooth and secure user experience. Leveraging widely adopted solutions such as LDAP and OIDC, Faction effortlessly integrates into any enterprise environment. Our platform is designed to adapt to your authentication infrastructure, providing a hassle-free implementation process and enhancing the overall efficiency of your organization\u2019s security framework. With Faction, you can trust in a unified and streamlined authentication experience tailored to your enterprise needs.
The article will walk through the steps needed to integrate\u00a0Faction\u00a0into\u00a0Google Auth, Auth0, or Ping Identity
","tags":["Authentication","Core Features"]},{"location":"Integrate%20Faction%20into%20OIDC%20Solutions/#google-oidc-setup","title":"Google OIDC Setup","text":" - Log into your company\u2019s\u00a0Google API Console.
- Click on\u00a0Credentials\u00a0from the left navigation.
- Click\u00a0+ Create Credentials\u00a0from the top navigation.
- Select\u00a0OAuth Client ID.
- Select\u00a0Web Application\u00a0as the application type.
- Name the application something specific like\u00a0Faction OIDC Integration.\u00a0But the name does not matter.
- Under\u00a0Authorized redirect URLs\u00a0click\u00a0+ ADD URI.
- Enter the domain of your Faction Instance and append\u00a0/oauth/callback?client_name=OidcClient\u00a0to the path. Example: If you used Faction to host the site your URL would look like this: https://furry-hyena-1111.factionsecurity.com/oauth/callback?client_name=OidcClient
- Then Click\u00a0Create.
- Take Note of the\u00a0Client Id\u00a0and\u00a0Client Secret. This will be used later in the Faction Admin Section.
Your Setup should look like the following:
","tags":["Authentication","Core Features"]},{"location":"Integrate%20Faction%20into%20OIDC%20Solutions/#auth0-oauth-setup","title":"Auth0 OAuth Setup","text":" - Log into your\u00a0Auth0 Console.
- Select\u00a0Applications\u00a0in the left navigation.
- Click\u00a0+ Create Application
- Select\u00a0Regular Web Application.
- Name it something like\u00a0Faction OAuth Integration.
- Click\u00a0Create.
- Ignore the Quick Start screen and Click\u00a0Settings.
- In the\u00a0Allowed Callback URLs, enter the domain of your Faction Instance and append\u00a0/oauth/callback?client_name=OidcClient\u00a0to the path. Example: If you used\u00a0Faction\u00a0to host the site your URL would look like: https://furry-hyena-1111.factionsecurity.com/oauth/callback?client_name=OidcClient
- Take Note of the\u00a0Client Id\u00a0and\u00a0Client Secret. This will be used later in the Faction Admin.
- Scroll down to the bottom and Click\u00a0Advanced\u00a0and then\u00a0Endpoints
- Take note of the\u00a0OpenId Configuration\u00a0URL
","tags":["Authentication","Core Features"]},{"location":"Integrate%20Faction%20into%20OIDC%20Solutions/#ping-identity-setup","title":"Ping Identity Setup","text":" - Log into Ping Identity Console
- Select Applications.
- Add a New Application.
- Give the Application a name like Faction.
- Select OIDC Web App.
- Click Save.
- Open the newly created application and select the Configuration tab:
- Click the Edit Button in the upper right corner
- Scroll down to the Redirect URI Section and enter your Host Name with the path
/oauth/*
. (Example: https://furry-hyena-1111.factionsecurity.com/oauth/*
) - Click Enable Redirect Patterns.
- Click Save.
- Scroll up to the top of the configuration.
- Expend URLs and take note of the the OIDC Discovery Endpoint. This will be used later in the Configure Faction Section.
- Take Note of the Client Id and the Client Secret. These will be used in the Configure Faction Section
- Click the Attribute Mappings tab.
- Add email as an attribute.
- Click Save.
","tags":["Authentication","Core Features"]},{"location":"Integrate%20Faction%20into%20OIDC%20Solutions/#configure-faction","title":"Configure Faction","text":" - Log into\u00a0Faction\u00a0as an admin user.
- Navigate to\u00a0Admin\u00a0->\u00a0Users.
- In the\u00a0OAuth2.0 Configuration\u00a0enter the Client Id you noted earlier from either Auth0, Google, or Ping.
- Enter the\u00a0Client Secret\u00a0you noted earlier.
- Enter the\u00a0Discovery URL\u00a0as follows:
- Google: https://accounts.google.com/.well-known/openid-configuration
- Auth0:\u00a0Enter the\u00a0Open Id Configuration\u00a0URL you noted in step 11 above.
- Ping: Enter the OIDC Discovery Endpoint from step 13 above.
- Click\u00a0Save
","tags":["Authentication","Core Features"]},{"location":"Integrate%20Faction%20into%20OIDC%20Solutions/#adding-an-oauth-user","title":"Adding an OAuth User","text":" - Under\u00a0Admin -> Users, Click\u00a0Add User.
- The Username should be part of the user\u2019s email address before the @ symbol. If the email is\u00a0test.user@yourcompany.com\u00a0then the username is test.user
- \u2b50\ufe0fLeave the Password Field Blank.\u2b50\ufe0f
- Enter the\u00a0First\u00a0and\u00a0Last\u00a0name.
- Enter the\u00a0email\u00a0address that is used by the OAuth solution to authenticate the user.
- Select\u00a0OAuth 2.0\u00a0as the Authentication Method.
- Click\u00a0Save Changes.
When the new user reaches the Login Screen they can enter just their username without a password and click\u00a0Login. Faction will redirect the user to the configured Authentication Provider and redirect back.
","tags":["Authentication","Core Features"]},{"location":"Managed%20FACTION%20Setup/","title":"Managed FACTION Setup","text":"Below are the Minimal Faction Setup Instructions required to get you all set up and ready to start collaborating on assessments in just a few minutes. With a Faction managed account, we host the servers and maintain the updates for you. Your instance will be hosted in a single-tenant environment to ensure your data is secure. With just a few clicks you will be up and running in minutes.
","tags":["Cloud Hosted","Setup"]},{"location":"Managed%20FACTION%20Setup/#create-your-managed-account","title":"Create Your Managed Account","text":"Every account that gets created will get its own single-tenant instance. To create a new instance go to\u00a0https://portal.factionsecurity.com,\u00a0Create an Account, and Select a tier that meets your team's needs.
This will begin creating your instance of Faction. Wait until the spinner shows a green checkbox before you attempt to access your site. You can then click the URL in the site list to take you to your new Faction Instance.
","tags":["Cloud Hosted","Setup"]},{"location":"Managed%20FACTION%20Setup/#create-an-admin-user","title":"Create an Admin User","text":"The first time you access Faction you will be presented with a page to create your admin account. Here you need to enter basic information about the user and the option to create a team.\u00a0Hacking Team\u00a0is the default.
","tags":["Cloud Hosted","Setup"]},{"location":"Managed%20FACTION%20Setup/#adding-default-vulnerability-templates","title":"Adding Default Vulnerability Templates","text":"The Faction Default vulnerability database is what makes generating reports quick and painless for pen-testing teams. You can upload your templates or start with an open-source list from\u00a0https://github.com/factionsecurity/data
To add the VulnDB data into Faction just navigate to\u00a0Admin->\u00a0Default Vulnerabilities\u00a0and click\u00a0Update from VulnDB. This will import all of their vulnerabilities and set default Categories for the vulnerabilities.
","tags":["Cloud Hosted","Setup"]},{"location":"Managed%20FACTION%20Setup/#setting-custom-risk-levels-optional","title":"Setting Custom Risk Levels (Optional)","text":"By default, Faction adds\u00a0Critical,\u00a0High,\u00a0Medium,\u00a0Low,\u00a0Recommended, and\u00a0Informational\u00a0risk levels but you have up to 9 that can be set and the defaults can be changed to anything that works for your environment. For instance,\u00a0Critical\u00a0can be changed to\u00a0Priority 1.
","tags":["Cloud Hosted","Setup"]},{"location":"Managed%20FACTION%20Setup/#vulnerability-tracking-and-remediation-slas","title":"Vulnerability Tracking and Remediation SLAs","text":"Different Tiers allow enhanced features within Faction. The\u00a0Teams Tier\u00a0and above have verification and vulnerability tracking enabled. In\u00a0Admin Settings\u00a0you can set custom times to alert when the vulnerability needs to be remediated based on its risk setting. For instance, you can set a reminder that a\u00a0Critical\u00a0vulnerability needs to be remediated 30 days after it's reported and set a past due date of 60 days. This will trigger Faction to alert the correct teams that important issues are close to being past due to ensure issues get closed on time and are never forgotten.
Any values that are missing a date will not be tracked by Faction.
","tags":["Cloud Hosted","Setup"]},{"location":"Managed%20FACTION%20Setup/#assessment-checklists","title":"Assessment Checklists","text":"For some assessments, you will want to add checklists to ensure all critical issues are tested. Below is an example of some potential checks that might need to happen on every assessment to ensure applications are tested consistently.
Once the above is created it will be available in assessments where the assessor can pass/fail the checklist item and even add notes related to why it failed or why it\u2019s not necessary for the application being tested.
","tags":["Cloud Hosted","Setup"]},{"location":"Managed%20FACTION%20Setup/#additional-configuration-options","title":"Additional Configuration Options","text":"The higher-level tiers allow you to configure other options like LDAP and OAuth. You can find additional information below on these settings:
- Integrate Faction Into OAuth Solutions
- Customizing Faction for Self Hosting
- Extending Faction
","tags":["Cloud Hosted","Setup"]},{"location":"Remediation%20Tracking%2C%20Custom%20SLAs%2C%20Retests/","title":"Remediation Tracking, Custom SLAs, Retests","text":"FACTION has remediation tracking built in! When you close out an assessment all the vulnerabilities in that assessment start tracking based on your custom SLAs. With the custom SLAs you can set reminders when a vulnerabilities is approaching a due data and another when the it is past due.
","tags":["Remediation","Retests","Core Features"]},{"location":"Remediation%20Tracking%2C%20Custom%20SLAs%2C%20Retests/#setting-custom-slas","title":"Setting Custom SLAs","text":"Navigate to Templates -> Default Vulnerabilities. Here you find a table that lets you set your vulnerability tracking times.
Each vulnerability severity level will have a Warning date and a Past Due date. These are measured in days after the assessment is completed. All empty inputs represent Untracked issues.
In the above screenshot, Critical vulnerabilities will have a remediation due date that is 60 days and a warning set at 30 days after the assessment is completed. High vulnerabilities are expected to be remediated in 120 days and have a warning at 60 days after assessment completion. Note that all other vulnerabilities are not tracked by FACTION because the inputs are all blank.
","tags":["Remediation","Retests","Core Features"]},{"location":"Remediation%20Tracking%2C%20Custom%20SLAs%2C%20Retests/#remediation-dashboards-and-retests","title":"Remediation Dashboards and Retests","text":"You can see the status of all past and approaching due dates in the Remediation Queue.
This dashboard allows assessment teams to easily see all issues that require remediation and the current state of the vulnerability.
In the above screenshot, there is one issue that is Past Due and several others that are close to being past due. Clicking on the past due issue lets you easily schedule it for retest as shown below:
","tags":["Remediation","Retests","Core Features"]},{"location":"Remediation%20Tracking%2C%20Custom%20SLAs%2C%20Retests/#adding-follow-up-notes","title":"Adding Follow Up Notes","text":"You can add notes to all tracked vulnerabilities. You can add follow-up notes from the development teams, annotate delays in schedules, or other information you might need later to stay on top of the remediation.
The Note History stores not only notes but also tracks the passing and failing of retests.
","tags":["Remediation","Retests","Core Features"]},{"location":"Self-Hosted%20FACTION%20Setup/","title":"Self Hosted FACTION Setup","text":"If you decide to self-host Faction instead of using the\u00a0Managed Solution\u00a0then you will need to ensure you include the proper Environment variables so that Faction integrates into your environment.
","tags":["Self Hosted","Setup"]},{"location":"Self-Hosted%20FACTION%20Setup/#requirements","title":"Requirements","text":" - Tomcat 9
- Java 11
- Mongo 7
- maven
","tags":["Self Hosted","Setup"]},{"location":"Self-Hosted%20FACTION%20Setup/#option-1-docker-compose","title":"Option 1: Docker Compose","text":"Download the code from GitHub and run the following commands
git clone git@github.com:factionsecurity/faction.git\ncd faction\nmvn clean compile war:war\ndocker-compose up --build\n
","tags":["Self Hosted","Setup"]},{"location":"Self-Hosted%20FACTION%20Setup/#updating-faction","title":"Updating Faction","text":"New releases can be found here. You can either pull a new release of Faction and build it yourself as shown above or If you don't want to perform the Maven install you can download the faction.war
file directly and put it into the targets folder.
","tags":["Self Hosted","Setup"]},{"location":"Self-Hosted%20FACTION%20Setup/#option-2-install-tomcat-and-mongo","title":"Option 2: Install Tomcat and Mongo","text":"Check back, instructions will be updated soon
","tags":["Self Hosted","Setup"]},{"location":"Self-Hosted%20FACTION%20Setup/#custom-environment-variables","title":"Custom Environment Variables","text":"## Mongo Database configs \n\nFACTION_MONGO_HOST=127.0.0.1. #requireed \nFACTION_MONGO_DATABASE=faction #required \nFACTION_MONGO_USER=faction_mongo_user #optional \nFACTION_MONGO_PASSWORD=faction_mongo_pass #optional \nFACTION_MONGO_AUTH_DATABASE=admin #optional \n\nFACTION_SECRET_KEY=faction_encryption_key #required \n\nFACTION_REPORT_STORAGE=aws #optional \nFACTION_BUCKET_NAME=your-bucket #optional \nFACTION_TIER=teams #required \nFACTION_USERS=100 #optional \n\nFACTION_SMTP_SERVER=smtp.server.com #optional \nFACTION_SMTP_USER=sysadmin #optional \nFACTION_SMTP_PORT=587 #optional\n
","tags":["Self Hosted","Setup"]},{"location":"Self-Hosted%20FACTION%20Setup/#mongo-database-variables","title":"Mongo Database Variables","text":" - FACTION_MONGO_HOST\u00a0(Required): This is the hostname or ip address where your mongo database i location
- FACTION_MONGO_DATABASE\u00a0(Required): The name of the mongo database. This can be anything you want. On initial loading of the application it will create the database and all collections.
- FACTION_MONGO_USER\u00a0(O_ptional_): If you use authentication (and you should) then this user has access to the database.
- FACTION_MONGO_PASSWORD\u00a0(Optional): Only required if you use the FACTION_MONGO_USER environment variable.
- FACTION_MONGO_AUTH_DATABASE\u00a0(Optional): The default authentication database is\u00a0admin.\u00a0If you want to use another then you can use this variable.
","tags":["Self Hosted","Setup"]},{"location":"Self-Hosted%20FACTION%20Setup/#other-variables","title":"Other Variables","text":" - FACTION_SECRET_KEY\u00a0(Required): This is the key used for all symmetric key encryption.
- FACTION_REPORT_STORAGE\u00a0(Optional): This variable has two options:\u00a0local\u00a0or\u00a0aws. If you include\u00a0aws\u00a0then you also need to set\u00a0AWS_ACCESS_KEY_ID\u00a0and\u00a0AWS_SECRET_ACCESS_KEY\u00a0and create the an s3 bucket location in AWS.\u00a0You can also use IAM permissions instead of including the AWS Keys. When using\u00a0local\u00a0\u00a0the default directory location is\u00a0/opt/faction.\u00a0If this variable is not set,\u00a0local\u00a0will be used as default.
- FACTION_BUCKET_NAME\u00a0(Optional): S3 Bucket Name to to store Faction files.
- FACTION_TIER\u00a0(Required): Only use the value\u00a0team\u00a0here
- FACTION_USERS\u00a0(Required): The user limit. you can set this to any value that makes sense for your organization.
","tags":["Self Hosted","Setup"]},{"location":"Self-Hosted%20FACTION%20Setup/#email-variables","title":"Email Variables","text":"These settings (FACTION_SMTP_SERVER, FACTION_SMTP_USER< FACTION_SMTP_PORT) are just used for the initial setup of Faction. They will be overridden when you save or test emails in the admin settings pages. This is useful for doing deployments in Kubernetes or ECS.
","tags":["Self Hosted","Setup"]},{"location":"Table%20of%20Contents%20Numbering/","title":"Table of Contents Numbering","text":"Faction's open-source versions will not automatically update the Table of Contents page numbering though the hyperlinks all work as expected. You can do this manually by clicking the table and selecting Update Field on the generated report.
The enterprise versions of Faction will automatically update the numbering for you as well as provide other additional reporting features like different finding sections (i.e. Application Security Pen Test Findings Section and Network Security Findings Section) and DOCX and PDF export options.
Contact us here to learn more.
","tags":["Reporting","Enterprise","Paid Feature","Managed"]},{"location":"Using%20Markdown%20in%20Reports/","title":"Using Markdown in Reports","text":"When exploiting a vulnerability in a penetration test it is important to capture your attack steps quickly and thoroughly so you don't have to spend extra time remembering and re-validating what you did when it's time to report on the finding. Nothing can break your flow more than having to stop what you are doing to format text, fix hyperlinks, or build numbered lists of steps. Markdown is one of the quickest ways to type formatted text and capture these details effortlessly.
Pro Tip!
The API fully supports Markdown. This makes it easy to develop automated tools that can add issues or other text to Faction with formatted text via the API.
Faction supports markdown by default in all editors. Here are some examples of how you can use markdown:
","tags":["Markdown","Reporting","Core Features","Burp Suite"]},{"location":"Using%20Markdown%20in%20Reports/#exploit-steps","title":"Exploit Steps","text":"Entering exploit steps is easier with markdown. You can enter the following text and it will automatically show you the formated view on the right.
__Steps to Reproduce__:\n1. Go to the home page.\n2. Click Login.\n3. Enter `<script>alert(123);</script>` in the username parameter. \n
","tags":["Markdown","Reporting","Core Features","Burp Suite"]},{"location":"Using%20Markdown%20in%20Reports/#faction-burp-suite-extension","title":"Faction Burp Suite Extension","text":"If you find a vulnerability while using the Faction Burp extension, you can add the finding and all details directly through the extension. Below is an example of cross-site scripting:
In Burp Suite, select the request and select Add New Finding:
A dialog box will open that lets you search for the vulnerability type (in this case Cross Site Scripting) and allow you to enter your details on how to recreate the exploit.
Now if we navigate back into Faction and view the details we will see the exploit steps displayed in rich text.
","tags":["Markdown","Reporting","Core Features","Burp Suite"]},{"location":"Using%20the%20Faction%20Burp%20Suite%20Extension/","title":"Using the Faction Burp Suite Extension","text":"The Faction BurpSuite Extension makes much of what is available in the Web UI available right inside Burp Suite. With this extension, you can:
- Access all assessments and retests assigned to you
- Access Assessment notes
- Create and update findings
- Extract parts of the request and responses to add to the assessment report
- Add finding details in markdown
- Replay requests you or other assessors have reported
","tags":["Burp Suite","API","Penetration Testing"]},{"location":"Using%20the%20Faction%20Burp%20Suite%20Extension/#configure-the-extension","title":"Configure the Extension","text":"You can download the extension here . We also hoping to have it added to the BApp store soon.
Once installed in Burp, Navigate to the config tab. You need two things to configure:
- Your API key- This can be found in the Faction Web UI, under your profile (top upper right). If you do not have an API key then your administrator needs to give you the API permission.
- API URL - The API URL is most commonly something like
https://myserver.com/api
. If you login to something different like http://myserver.com:8080/myfaction
, then your API URL will be http://myserver.com:8080/myfaction/api
Once configured, It should look something like this:
","tags":["Burp Suite","API","Penetration Testing"]},{"location":"Using%20the%20Faction%20Burp%20Suite%20Extension/#severity-mapping","title":"Severity Mapping","text":"Severity Mapping is used to convert vulnerability severities that Burp Suite Reports to the custom severities you set in Faction. More on setting custom severities can be found here
Let's say your process requires that Criticals are called P1s and Highs are called P2s. Burp's Vulnerability Scanner finds a Critical issue that you want to report in Faction. You can now simply right-click the finding and add it to Faction and the extension will map the Critical to P1.
","tags":["Burp Suite","API","Penetration Testing"]},{"location":"Using%20the%20Faction%20Burp%20Suite%20Extension/#viewing-the-queues","title":"Viewing the Queues","text":"When you select Queues you will see both your assessments (left) and retests (right) queue. You can select an item in either table to view the data. This gives you all the information you need to start your assessment or verification without even logging into the Web UI.
","tags":["Burp Suite","API","Penetration Testing"]},{"location":"Using%20the%20Faction%20Burp%20Suite%20Extension/#selecting-an-assessment","title":"Selecting an Assessment","text":"From the Queues page, select your currently working assessment. This will set this assessment as the default assessment for all other dialog boxes, for example when adding a new vulnerability it will be reported in this assessment.
Once you select the assessment in the table, click Assessment. Now you will see the scope and shared notes about the assessment.
This keeps all the common information about the assessment handy, like in-scope URLs, test credentials, and even notes you want to share with other assessors on the same project.
","tags":["Burp Suite","API","Penetration Testing"]},{"location":"Using%20the%20Faction%20Burp%20Suite%20Extension/#enter-a-new-finding","title":"Enter a New Finding","text":"","tags":["Burp Suite","API","Penetration Testing"]},{"location":"Using%20the%20Faction%20Burp%20Suite%20Extension/#update-an-existing-finding","title":"Update an Existing Finding","text":"","tags":["Burp Suite","API","Penetration Testing"]},{"location":"Using%20the%20Faction%20Burp%20Suite%20Extension/#selecting-a-retest","title":"Selecting a Retest","text":"","tags":["Burp Suite","API","Penetration Testing"]},{"location":"tags/","title":"Tags","text":"","tags":[]},{"location":"tags/#api","title":"API","text":" - Faction App Store Extensions
- Importing Your Vulnerability Templates Via the API
- Using the Faction Burp Suite Extension
- App Store Extension API
- JIRA App Integration Example
- REST API
","tags":[]},{"location":"tags/#app-store","title":"App Store","text":" - Faction App Store Extensions
- App Store Extension API
- JIRA App Integration Example
- Faction App Store
","tags":[]},{"location":"tags/#authentication","title":"Authentication","text":" - Integrate Faction into OIDC Solutions
","tags":[]},{"location":"tags/#boilerplate","title":"Boilerplate","text":"","tags":[]},{"location":"tags/#burp-suite","title":"Burp Suite","text":" - Using Markdown in Reports
- Using the Faction Burp Suite Extension
","tags":[]},{"location":"tags/#cvss","title":"CVSS","text":" - Faction Severity Rating and CVSS Scoring
","tags":[]},{"location":"tags/#cloud-hosted","title":"Cloud Hosted","text":"","tags":[]},{"location":"tags/#core-features","title":"Core Features","text":" - Faction Severity Rating and CVSS Scoring
- Importing Your Vulnerability Templates Via the API
- Integrate Faction into OIDC Solutions
- Remediation Tracking, Custom SLAs, Retests
- Using Markdown in Reports
- Faction Boilerplates
","tags":[]},{"location":"tags/#customize","title":"Customize","text":" - Custom Security Report Templates
- Custom Variables
","tags":[]},{"location":"tags/#customizing","title":"Customizing","text":"","tags":[]},{"location":"tags/#enterprise","title":"Enterprise","text":" - Table of Contents Numbering
","tags":[]},{"location":"tags/#managed","title":"Managed","text":" - Table of Contents Numbering
","tags":[]},{"location":"tags/#markdown","title":"Markdown","text":" - Using Markdown in Reports
","tags":[]},{"location":"tags/#paid-feature","title":"Paid Feature","text":" - Table of Contents Numbering
","tags":[]},{"location":"tags/#penetration-testing","title":"Penetration Testing","text":" - Using the Faction Burp Suite Extension
","tags":[]},{"location":"tags/#remediation","title":"Remediation","text":" - Remediation Tracking, Custom SLAs, Retests
","tags":[]},{"location":"tags/#reporting","title":"Reporting","text":" - Custom Security Report Templates
- Custom Variables
- Table of Contents Numbering
- Using Markdown in Reports
- How To Generate a Vulnerability Report in Faction
","tags":[]},{"location":"tags/#retests","title":"Retests","text":" - Remediation Tracking, Custom SLAs, Retests
","tags":[]},{"location":"tags/#self-hosted","title":"Self Hosted","text":" - Self Hosted FACTION Setup
","tags":[]},{"location":"tags/#setup","title":"Setup","text":" - Managed FACTION Setup
- Self Hosted FACTION Setup
","tags":[]},{"location":"tags/#variables","title":"Variables","text":" - Custom Security Report Templates
","tags":[]},{"location":"tags/#vulnerability","title":"Vulnerability","text":" - Faction Severity Rating and CVSS Scoring
- Importing Your Vulnerability Templates Via the API
","tags":[]},{"location":"tags/#api_1","title":"api","text":" - How to Use BurpSuite with Faction
","tags":[]},{"location":"tags/#burpsuite","title":"burpsuite","text":" - How to Use BurpSuite with Faction
","tags":[]},{"location":"tags/#hello-world","title":"hello world","text":"","tags":[]},{"location":"tags/#integrations","title":"integrations","text":" - How to Use BurpSuite with Faction
","tags":[]},{"location":"APIS/App%20Store%20Extension%20API/","title":"App Store Extension API","text":"","tags":["API","App Store"]},{"location":"APIS/App%20Store%20Extension%20API/#introduction","title":"Introduction","text":"Faction has an API similar to what you might find in BurpSuite Extensions. You can create custom modules in jar files and upload them to the Faction AppStore. Once uploaded, Faction will perform your custom processing when certain events are triggered like finalizing and assessment, creating a report, or failing a retest.
You can even extend things like the Application Inventory Search so that it queries an external database to return results before scheduling assessments.
You can download an example\u00a0Extension here.
Below is a list of the current Hooks:
","tags":["API","App Store"]},{"location":"APIS/App%20Store%20Extension%20API/#faction-extension-apis","title":"Faction Extension APIs","text":"","tags":["API","App Store"]},{"location":"APIS/App%20Store%20Extension%20API/#application-inventory-extension","title":"Application Inventory Extension","text":"public class MyPlugin extends BaseExtension implements com.faction.extender.ApplicationInventory{\n\n @Override\n public InventoryResult[] search(String arg0, String arg1) {\n\n return null;\n }\n}\n
- Triggers on Assessment Scheduling and will then query external sources instead of the local database. - Can search based on Application ID or Application name. It will return an InventoryResult Object (explained later)","tags":["API","App Store"]},{"location":"APIS/App%20Store%20Extension%20API/#assessment-manager-extension","title":"Assessment Manager Extension","text":"public class MyPlugin extends BaseExtension implements com.faction.extender.AssessmentManager{\n\n @Override\n public AssessmentManagerResult assessmentChange(Assessment arg0, List<Vulnerability> arg1, Operation arg2) {\n\n return null;\n }\n\n}\n
Typical use case scenario: When an assessor finalizes an assessment this module can send all the vulnerabilities to another tracking system like JIRA and return the tracking numbers to Faction. - Triggers on Assessment Create, Update, Delete, Finalized, Peer Review Created, Peer Review Complete, Peer Review Accepted
- Accepts the Triggered Assessment and List of vulnerabilities associated with the assessment.
- Returns AssessmentManagerResult, that is the updated Assessment and updated List of vulnerabilities
- If the return object is null Faction will not update locally
","tags":["API","App Store"]},{"location":"APIS/App%20Store%20Extension%20API/#update-reports","title":"Update Reports","text":"public class VulnerabilityBarChart extends BaseExtension implements com.faction.extender.ReportManager {\n\n @Override\n public String reportCreate(Assessment asmt, List<Vulnerability> vulns, String reportText) {\n\n return reportText;\n\n}\n
This method triggers every time a report is created or regenerated. It can be used to for you to add custom variables to reports and update those variables with HTML. An example of this can be found here which demonstrates how to add bar charts to vulnerability reports. - Triggers on report create or regenerate
- Can update Text in reports
- Output can be HTML or raw text
- If returns null then nothing will be changed by this extension
","tags":["API","App Store"]},{"location":"APIS/App%20Store%20Extension%20API/#vulnerability-manager-extension","title":"Vulnerability\u00a0Manager Extension","text":"public class MyPlugin extends BaseExtension extends BaseExtension implements com.faction.extender.VulnerabilityManager{\n\n @Override\n public Vulnerability vulnChange(Assessment arg0, Vulnerability arg1, Operation arg2) {\n // TODO Auto-generated method stub\n return null;\n }\n}\n
Typical use case scenario: When an assessor creates or updates a vulnerability the module can send\u00a0the\u00a0vulnerability to another tracking system like JIRA and return the tracking\u00a0number to Faction. - Triggers on Assessment Create, Update, Delete
- Accepts the Triggered Assessment and vulnerability that is being processed.
- Returns\u00a0the updated vulnerability
- If the return object is null then Faction will not update locally
","tags":["API","App Store"]},{"location":"APIS/App%20Store%20Extension%20API/#verificationretest-manager-extension","title":"Verification(Retest) Manager Extension","text":"public class MyPlugin extends BaseExtension extends BaseExtension implements com.faction.extender.VerificationManager{\n\n @Override\n public void verificationChange(User arg0, Vulnerability arg1, String arg2, Date arg3, Date arg4, Operation arg5) {\n\n }\n}\n
- Triggers on\u00a0Pass, Fail, Cancel, Assigned
- Accepts the Triggered\u00a0Assigned User, Vulnerability Assigned, Start and end dates for the verification.
- Returns\u00a0the updated vulnerability
","tags":["API","App Store"]},{"location":"APIS/App%20Store%20Extension%20API/#additional-resources","title":"Additional Resources","text":" - Building a JIRA Extension
","tags":["API","App Store"]},{"location":"APIS/JIRA%20App%20Integration%20Example/","title":"JIRA App Integration Example","text":"Faction can extend its functionality on the server side. If you are familiar with writing BurpSuite extensions then this process should be somewhat familiar to you. If you are not it\u2019s OK. We will walk through the specifics below.
In this example, we will create a JIRA plugin that will create issues for each vulnerability when the assessment is finalized.
The source code for this example can be\u00a0downloaded here.
","tags":["API","App Store"]},{"location":"APIS/JIRA%20App%20Integration%20Example/#extension-requirements","title":"Extension Requirements","text":" - Create a new Eclipse Maven Java Project.
- Modify your\u00a0pom.xml\u00a0file to enable the Faction Extender API and ensure your manifest includes Title, Version, Author, and URL as shown below.
<project xmlns=\"http://maven.apache.org/POM/4.0.0\"\n xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n xsi:schemaLocation=\"http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd\">\n <modelVersion>4.0.0</modelVersion>\n\n <groupId>faction-jira-extension</groupId>\n <artifactId>faction-jira-extension</artifactId>\n <version>1.0</version>\n <name>Faction Jira Extension</name>\n <dependencies>\n <dependency>\n <groupId>com.factionsecurity</groupId>\n <artifactId>faction-extender</artifactId>\n <version>2.5</version>\n </dependency>\n </dependencies>\n <build>\n <plugins>\n <plugin>\n <artifactId>maven-assembly-plugin</artifactId>\n <configuration>\n <descriptorRefs>\n <descriptorRef>jar-with-dependencies</descriptorRef>\n </descriptorRefs>\n <archive>\n <manifestEntries>\n <Title>${project.name}</Title>\n <Version>${project.version}</Version>\n <Author>Josh Summitt</Author>\n <URL>https://www.factionsecurity.com</URL>\n </manifestEntries>\n </archive>\n </configuration>\n </plugin>\n </plugins>\n </build>\n</project>\n
- Create the following folders and files. They can be empty for now. We will fill this out in the next section below. The maven-assembly-plugin will ensure your manifest is set up correctly for Faction to be able to import your extension with the proper information.
","tags":["API","App Store"]},{"location":"APIS/JIRA%20App%20Integration%20Example/#extension-file-and-folder-requirements","title":"Extension File and Folder Requirements","text":"We need to update the extension resources from Step 3 above. Below is a description of the files.
resources/META-INF/resouces/config.json
: This file is a JSON key-value pair of options you want to be configurable by the end user. These options become input boxes in the Faction App Store UI. resources/META-INF/resources/description.md
: This is the extension description and help files that will be displayed when the extension is loaded in the Faction App Store UI resources/META-INF/resources/logo.png
: This is a PNG log that will be displayed as the Apps icon in the Faction App Store UI resources/META-INF/services/*
: This file is required for Faction to be able to load your extension.
","tags":["API","App Store"]},{"location":"APIS/JIRA%20App%20Integration%20Example/#configjson","title":"config.json","text":"These are the key value pairs that will display in the Faction App Store UI and allow users to make changes that affect the behavior of the extensions. For a Jira plugin you would want the API, the Jira Host and the Jira Username configured. That would look like the following
{\n \"Jira Host\" : {\n \"type\": \"text\",\n \"value\": \"https://yourhost.com\"\n },\n \"Jira API Key\" : {\n \"type\": \"password\",\n \"value\": \"your api key\"\n },\n \"Jira Email\": {\n \"type\" : \"text\",\n \"value\": \"your@email.com\"\n }\n}\n
Any values you set in your extension will be the \"Default\" values that will display to the end user. They can be blank if you do not what to set a predefined value.
The type
attribute can only be text
or password
. password
attributes are not displayed in the UI when the user enters the data and do not get returned to the UI once saved.
","tags":["API","App Store"]},{"location":"APIS/JIRA%20App%20Integration%20Example/#descriptionmd","title":"description.md","text":"This is where you describe your extension to end users and support most markdown elements. You should use this to fully describe what the extension does, why the user should install it, and how the end user should configure it to work correctly.
","tags":["API","App Store"]},{"location":"APIS/JIRA%20App%20Integration%20Example/#logopng","title":"logo.png","text":"This will be the logo in a PNG format that will display as an icon for your project.
","tags":["API","App Store"]},{"location":"APIS/JIRA%20App%20Integration%20Example/#services","title":"services","text":"The resources/META-INF/services/
files have a specific naming convention so that Faction can load your classes. The file must be named one of the following:
com.faction.extender.AssessmentManager
com.faction.extender.ApplicationInventory
com.faction.extender.ReportManager
com.faction.extender.VerificationManager
com.faction.extender.VulnerabilityManager
The content of each file is the name of your class that instantiates this functionality. In this example, we are only triggering the AssessmentManager therefore the file name would be com.faction.extender.AssessmentManager
and the contents of the file would be org.faction.JiraPlugin
","tags":["API","App Store"]},{"location":"APIS/JIRA%20App%20Integration%20Example/#create-the-jira-plugin-class","title":"Create The Jira Plugin Class","text":"Now that the basic set up is complete we can create our Jira Class that actually does something!
Create a Class named\u00a0JiraPlugin\u00a0in\u00a0src/main/java. This class will implement\u00a0\u00a0com.fuse.extender.AssessmentManager\u00a0as shown below. This code will trigger whenever a change happens to an assessment. You can use the\u00a0Operation\u00a0enum to control what happens as different events change the assessment.
package org.faction;\n\npublic class JiraPlugin extends BaseExtension implements com.faction.extender.AssessmentManager{\n @Override\n public AssessmentManagerResult assessmentChange(Assessment assessment, List<Vulnerability> vulnerabilities, Operation arg2) {\n AssessmentManagerResult result = new AssessmentManagerResult();\n return result\n }\n}\n
Note that above it returns\u00a0AssessmentManagerResult.\u00a0This object will update Faction\u2019s database if the values change when this function returns. If you Return\u00a0null\u00a0it will NOT update Faction and only just send/process information.
","tags":["API","App Store"]},{"location":"APIS/JIRA%20App%20Integration%20Example/#send-this-issues-to-jira-on-assessment-finalized","title":"Send this Issues to Jira on Assessment Finalized","text":"Now we have a basic functional block of code we need to make it perform the action of sending all vulnerabilities to Jira only when the assessment is finalized. To do this we create an if statement that checks the Operation enum equals Finalized and then sends the issues with our custom function sendVulnerabilityToJira()
. We then get the tracking ID from Jira and update Faction so the tracking ID's are in sync.
import com.fuse.elements.Assessment;\nimport com.fuse.elements.Vulnerability;\n\npublic class JiraPlugin extends BaseExtension implements com.faction.extender.AssessmentManager{\n\n @Override\n public AssessmentManagerResult assessmentChange(Assessment assessment, List<Vulnerability> vulns, Operation opcode) {\n String project =\"KAN\"; //Default Jira Project Name.\n\n if(opcode == Operation.Finalize) {\n //Integration into vulnerability management system\n for(Vulnerability vuln : vulns) {\n //this can update vulns and send the updated values back into Faction\n String issueId = sendVulnerbilityToJira(vuln, project);\n if(issueId != null) {\n vuln.setTracking(issueId); //Update Faction's Tracking ID\n }\n }\n }\n AssessmentManagerResult result = new AssessmentManagerResult();\n result.setAssessment(assessment);\n result.setVulnerabilities(vulns);\n return result; //Send back the updated results\n }\n}\n
You can see the full implementation here
","tags":["API","App Store"]},{"location":"APIS/JIRA%20App%20Integration%20Example/#install-it-in-your-faction","title":"Install It In Your Faction","text":"Build the jar file by running:
mvn clean compile assembly:single\n
This will create a jar file named\u00a0something like JiraPlugin-0.0.1-SNAPSHOT-jar-with-dependencies.jar\u00a0in your ./target folder.\u00a0
Upload it to Admin->App Store->Install Extension. It should display like this:
If all looks good, click install.
It will be installed initially as disabled. You can configure it before you enable it by clicking on the extension in the list:
Once you configure the settings you can enable it.
Now when an assessment is finalized it will add All the findings to JIRA as shown in the following screenshot:
","tags":["API","App Store"]},{"location":"APIS/REST%20API/","title":"REST API","text":"The Rest API enables you to integrate FACTION into your unique environment. With the API you can:
- Add vulnerabilities from other tools
- Upload your custom vulnerability templates
- Schedule Assessments and Retests
- Track remediation
- Manage Users
- and much more.
The easiest way to access the REST API for your faction instance is to click on your profile in the top right corner. Here you will find a link to the Swagger API docs and access to your API Key
If you select \"Click here for API docs\" it will redirect you to the Swagger docs for your Faction Instance. You can use this page to make requests to the API directly in the browser.
","tags":["API"]},{"location":"blog/2024/03/25/faction-app-store/","title":"Faction App Store","text":"\u2728 We are excited to release the first iteration of the Faction App Store! \u2728
The App Store is where developers can build custom integrations with Faction. These can be anything from sending vulnerabilities to external bug trackers to adding custom graphics to your automated pentest reports!
We want to make this process really easy and took inspiration from Burp Suite on the design. If you have ever made an extension for Burp then you should be able to get up and running pretty quickly.
","tags":["App Store"]},{"location":"blog/2024/03/25/faction-app-store/#what-can-be-extended","title":"What Can Be Extended?","text":"With this initial release, you can extend Faction by:
- Including your own application inventory database to the application search features and populate results in Faction like the Application ID, Distribution Lists, and Application Name.
- Triggers when an assessment state changes (created, updated, or finalized). You can use this to send emails to a distribution list that an assessment has been scheduled for certain dates. When the assessment is finalized you can choose to send only the vulnerabilities of a certain criticality to an external tracking system as well as send to different tracking systems depending on the type of assessment.
- Triggers when a vulnerability state is changed. When a tracked vulnerability is retested and pass/fail, you can create a custom workflow and alert key stakeholders that the issue succeeded or failed.
- Update reports when they are generated. You can use this to add custom variables to your reporting templates and replace the contents with data from an external system or add custom charts and graphics to give your reports a more polished look.
The full documentation on the API can be found here
","tags":["App Store"]},{"location":"blog/2024/03/25/faction-app-store/#custom-settings","title":"Custom Settings","text":"Extensions are built so that you can add your own configuration options that can be stored in the Faction Database. Things like a user-editable hostname or API key can be configured in your extension. Based on how you set up your configuration you can make data like passwords and API keys hidden in the UI and encrypted at rest.
","tags":["App Store"]},{"location":"blog/2024/03/25/faction-app-store/#extension-chain","title":"Extension Chain","text":"Extensions can be chained in any order. Once you add apps and enable them in Faction, the UI allows you to drag the extension to anywhere in the list. This allows you to create one extension that processes data and returns a result that can be processed by the next extension.
Before Order Change After Order Change You can use this to create one extension that returns a JIRA Tracking number for all vulnerabilities in the finalized assessment, they take those numbers and process them into another system and on and on down the chain.
","tags":["App Store"]},{"location":"blog/2024/03/25/faction-app-store/#example-extensions","title":"Example Extensions","text":"You can review the source code for our initial apps here. This list will grow over time but currently, there are 2 (JIRA Integration, Vulnerability Bar Charts).
","tags":["App Store"]},{"location":"blog/2024/03/25/faction-app-store/#submit-your-own","title":"Submit Your Own","text":"We can't think of everything! We encourage developers to submit their own extensions and we will add them to our list of Approved Extensions. Send an email to develop [ at ] factionsecurity [dot] com with a link to your GitHub and a brief explanation of what it does.
","tags":["App Store"]},{"location":"blog/2024/03/25/faction-app-store/#conclusion","title":"Conclusion","text":"We hope you enjoy the new App Store and other new features that are part of this 1.2 Release. Faction is open-source and free to use. Please leave us feedback in either our GitHub Discussion Boards or by submitting Issues.
If you want to help support the project and ensure its longevity then consider being a sponsor... It's good karma! \u2764\ufe0f
Sponsor Options
- GitHub Sponsor
- Patreon
- Open Collective
","tags":["App Store"]},{"location":"blog/2024/03/16/faction-boilerplates/","title":"Faction Boilerplates","text":"If you have been doing penetration testing for any length of time you probably have a personal database of vulnerability descriptions, recommendations as well as other text snippets you will inject into various places of your reports. What if, Instead of keeping these in separate files on various computers, they were all included in your reporting software?!@! \ud83e\udd2f
Faction IS your database for global boilerplate, default vulnerability templates, personal flare, and just about anything else you can imagine (well...sorta \ud83e\udd14). Let's walk through how this is done.
","tags":["Core Features","Boilerplate","Customizing"]},{"location":"blog/2024/03/16/faction-boilerplates/#vulnerability-templates","title":"Vulnerability Templates","text":"Let's start with the obvious.... Faction includes over 75 default vulnerability templates when you start. These vulnerability templates include both descriptions and recommendations and are fully customizable by you. You can start with our templates or upload your own as described here.
When writing your report, type the name of the vulnerability and it will auto-populate in the UI as shown below:
Once selected your report will automatically include the severity of the finding, the description, and the recommendation! \ud83d\udca5 Something that would have taken you 30 min to an hour is complete in just a few seconds.
These are fully editable in the Default Vulnerabilities section. You can add new ones, update the pre-packaged ones, or delete them all and upload all your own with the Faction API.
","tags":["Core Features","Boilerplate","Customizing"]},{"location":"blog/2024/03/16/faction-boilerplates/#assessment-templates","title":"Assessment Templates","text":"Faction has the option of creating global and personal boilerplates that you can easily add to your reports. Global templates are shared with everyone while personal templates are only available to you.
","tags":["Core Features","Boilerplate","Customizing"]},{"location":"blog/2024/03/16/faction-boilerplates/#global-assessment-templates","title":"Global Assessment Templates","text":"In Faction, Navigate to Templates -> Assessment Templates. Here you have the option to create text that will be available to all assessors in the platform. This is useful for creating things like Different High-Level Summaries for different report types or adding common risk summaries.
Notice you can include most faction variables in your templates and they will be auto-populated in the generated report.
As the security assessor, you can easily add these to different sections of your report. Below is a screen-share of using Global Templates in your reports.
","tags":["Core Features","Boilerplate","Customizing"]},{"location":"blog/2024/03/16/faction-boilerplates/#user-assessment-templates","title":"User Assessment Templates","text":"User Assessment Templates work the same as the Global Assessment Templates but are specific to your user account. This can allow you to add your own flare to a report that you might not want to share with the rest of the team.
To add a User Template just start typing into any of Faction's text editors and then click the Save button in the Template section. Note that User Templates have a different icon beside them in the Template List.
Below is a walk though of how you would add User templates to save and later recall user-defined boilerplate text.
","tags":["Core Features","Boilerplate","Customizing"]},{"location":"blog/2024/03/15/hello-world/","title":"Hello World","text":"Hey! Just starting the FACTION blog. Stay tuned here for new updates, tips, and tricks on getting the most out of FACTION. \ud83c\udf89
FACTION 1.2 will be released this month (March'24) with loads of new features. The most notable features are the inclusion of the Faction App Store which will make it simple for developers to write extensions and integrations.
","tags":["hello world"]},{"location":"blog/2024/10/22/how-to-generate-a-vulnerability-report-in-faction/","title":"How To Generate a Vulnerability Report in Faction","text":"","tags":["Reporting"]},{"location":"blog/2024/10/22/how-to-generate-a-vulnerability-report-in-faction/#below-is-video-showing-how-to-write-a-vulnerability-report-in-under-3-minutes-using-faction","title":"Below is video showing how to write a vulnerability report in under 3 minutes using Faction.","text":"","tags":["Reporting"]},{"location":"blog/archive/2024/","title":"2024","text":""},{"location":"tags/","title":"Tags","text":"","tags":[]},{"location":"tags/#api","title":"API","text":" - Faction App Store Extensions
- Importing Your Vulnerability Templates Via the API
- Using the Faction Burp Suite Extension
- App Store Extension API
- JIRA App Integration Example
- REST API
","tags":[]},{"location":"tags/#app-store","title":"App Store","text":" - Faction App Store Extensions
- App Store Extension API
- JIRA App Integration Example
- Faction App Store
","tags":[]},{"location":"tags/#authentication","title":"Authentication","text":" - Integrate Faction into OIDC Solutions
","tags":[]},{"location":"tags/#boilerplate","title":"Boilerplate","text":"","tags":[]},{"location":"tags/#burp-suite","title":"Burp Suite","text":" - Using Markdown in Reports
- Using the Faction Burp Suite Extension
","tags":[]},{"location":"tags/#cvss","title":"CVSS","text":" - Faction Severity Rating and CVSS Scoring
","tags":[]},{"location":"tags/#cloud-hosted","title":"Cloud Hosted","text":"","tags":[]},{"location":"tags/#core-features","title":"Core Features","text":" - Faction Severity Rating and CVSS Scoring
- Importing Your Vulnerability Templates Via the API
- Integrate Faction into OIDC Solutions
- Remediation Tracking, Custom SLAs, Retests
- Using Markdown in Reports
- Faction Boilerplates
","tags":[]},{"location":"tags/#customize","title":"Customize","text":" - Custom Security Report Templates
- Custom Variables
","tags":[]},{"location":"tags/#customizing","title":"Customizing","text":"","tags":[]},{"location":"tags/#enterprise","title":"Enterprise","text":" - Table of Contents Numbering
","tags":[]},{"location":"tags/#managed","title":"Managed","text":" - Table of Contents Numbering
","tags":[]},{"location":"tags/#markdown","title":"Markdown","text":" - Using Markdown in Reports
","tags":[]},{"location":"tags/#paid-feature","title":"Paid Feature","text":" - Table of Contents Numbering
","tags":[]},{"location":"tags/#penetration-testing","title":"Penetration Testing","text":" - Using the Faction Burp Suite Extension
","tags":[]},{"location":"tags/#remediation","title":"Remediation","text":" - Remediation Tracking, Custom SLAs, Retests
","tags":[]},{"location":"tags/#reporting","title":"Reporting","text":" - Custom Security Report Templates
- Custom Variables
- Table of Contents Numbering
- Using Markdown in Reports
- How To Generate a Vulnerability Report in Faction
","tags":[]},{"location":"tags/#retests","title":"Retests","text":" - Remediation Tracking, Custom SLAs, Retests
","tags":[]},{"location":"tags/#self-hosted","title":"Self Hosted","text":" - Self Hosted FACTION Setup
","tags":[]},{"location":"tags/#setup","title":"Setup","text":" - Managed FACTION Setup
- Self Hosted FACTION Setup
","tags":[]},{"location":"tags/#variables","title":"Variables","text":" - Custom Security Report Templates
","tags":[]},{"location":"tags/#vulnerability","title":"Vulnerability","text":" - Faction Severity Rating and CVSS Scoring
- Importing Your Vulnerability Templates Via the API
","tags":[]},{"location":"tags/#api_1","title":"api","text":" - How to Use BurpSuite with Faction
","tags":[]},{"location":"tags/#burpsuite","title":"burpsuite","text":" - How to Use BurpSuite with Faction
","tags":[]},{"location":"tags/#hello-world","title":"hello world","text":"","tags":[]},{"location":"tags/#integrations","title":"integrations","text":" - How to Use BurpSuite with Faction
","tags":[]}]}
\ No newline at end of file
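Review bot: Several defects in this regenerated `search_index.json` originate in the source Markdown under `docs/`, so they should be fixed there rather than patched in the build artifact; as committed, the index will keep surfacing them in site search. In the JIRA App Integration Example page: the resource path is written `resources/META-INF/resouces/config.json` (the sibling entries use `resources`); the prose says the class implements `com.fuse.extender.AssessmentManager` while the services section and the code sample use `com.faction.extender.AssessmentManager`, so one of the two is wrong; the first `JiraPlugin` sample has `return result` with no semicolon and no imports for `Assessment`, `Vulnerability`, `List` or `Operation`; and the helper is spelled `sendVulnerbilityToJira` in the code but `sendVulnerabilityToJira()` in the text. Smaller wording issues in the same page: the heading "Send this Issues to Jira on Assessment Finalized", "a PNG log" for "a PNG logo", and "if you do not what to set a predefined value". On the `config.json` sample, the same page states that a value left empty is allowed and that `password` fields are not returned to the UI once saved, so it would be clearer to ship `"Jira API Key"` with an empty `value` rather than the literal placeholder `"your api key"`, which is otherwise persisted as the default credential until an operator overwrites it.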
diff --git a/site/sitemap.xml b/site/sitemap.xml
index acb424a..36bd069 100644
--- a/site/sitemap.xml
+++ b/site/sitemap.xml
@@ -2,132 +2,132 @@
https://docs.factionsecurity.com/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/Custom%20Security%20Report%20Templates/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/Custom%20Variables/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/Faction%20App%20Store%20Extensions/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/Faction%20Severity%20Rating%20and%20CVSS%20Scoring/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/How%20to%20Use%20BurpSuite%20with%20Faction/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/Importing%20Your%20Vulnerability%20Templates%20Via%20the%20API/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/Integrate%20Faction%20into%20OIDC%20Solutions/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/Managed%20FACTION%20Setup/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/Remediation%20Tracking%2C%20Custom%20SLAs%2C%20Retests/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/Self-Hosted%20FACTION%20Setup/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/Table%20of%20Contents%20Numbering/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/Using%20Markdown%20in%20Reports/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/Using%20the%20Faction%20Burp%20Suite%20Extension/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/tags/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/APIS/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/APIS/App%20Store%20Extension%20API/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/APIS/JIRA%20App%20Integration%20Example/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/APIS/REST%20API/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/blog/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/blog/2024/03/25/faction-app-store/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/blog/2024/03/16/faction-boilerplates/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/blog/2024/03/15/hello-world/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/blog/2024/10/22/how-to-generate-a-vulnerability-report-in-faction/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/blog/archive/2024/
- 2024-10-31
+ 2024-11-13
daily
https://docs.factionsecurity.com/tags/
- 2024-10-31
+ 2024-11-13
daily
\ No newline at end of file
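Review bot: The sitemap lists `https://docs.factionsecurity.com/tags/` twice (once after the Burp Suite Extension entry and again as the final entry), and both copies get the same `lastmod` bump, so the duplicate is coming from the generator configuration rather than from this edit; worth deduplicating at the source. Separately, this hunk changes nothing except moving every `lastmod` from `2024-10-31` to `2024-11-13` across all 26 entries, including pages whose content did not change, which makes `lastmod` carry no information for crawlers; together with the accompanying binary `sitemap.xml.gz` change it suggests the rendered `site/` output is being committed on every build. Generating `site/` in CI or a deploy step instead of committing it would avoid these noisy artifact-only diffs.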
diff --git a/site/sitemap.xml.gz b/site/sitemap.xml.gz
index 30036ea..dd49dd2 100644
Binary files a/site/sitemap.xml.gz and b/site/sitemap.xml.gz differ