Syslifters / sysreptor

Fully customisable, offensive security reporting solution designed for pentesters, red teamers and other security-related people alike.
https://docs.sysreptor.com

[Feature Request] Enhanced Categorization in Template Section #180

Closed PunkerGhoul closed 4 months ago

PunkerGhoul commented 5 months ago

Hi, I believe that enhancing the template organization in the reporting section could significantly improve the user experience. Specifically, I'd like to propose the addition of subcategories within the existing templates, aiming to provide a more organized approach to documenting findings.

As an example, let's take the SQLi category. Currently, all SQL injection findings fall under this umbrella, which is great for a high-level overview. However, for a more granular understanding and streamlined reporting, it would be beneficial to break down SQLi into subcategories such as "SQLi - Time-Based" and "SQLi - Error Based". Each of these subcategories entails distinct scoring criteria, references, and remediation steps. Consequently, segregating these differences into subcategories adds greater utility to the templates.

For example, using XSS and SQLi:

Templates
├── SQL Injection
│   ├── SQL Injection
│   ├── SQL Injection - Time Based
│   └── SQL Injection - Error Based
└── XSS
    ├── XSS
    ├── XSS - Stored
    └── XSS - Reflected

This proposed adjustment would not only facilitate a more systematic approach to documenting findings but also allow for a more nuanced analysis of the security landscape. It could prove especially useful for users dealing with diverse types of vulnerabilities.

Additionally, it should be taken into account that the user can add, delete, and modify categories and templates. Furthermore, it should also be possible to filter these categories in a checkbox list that adapts to the user. In other words, if the user is primarily focused on web application pentesting, mobile applications, etc., they should be able to choose which categories suit them best and even determine which templates they need and which ones they do not.

Thank you for your attention. I have found Sysreptor to be a valuable tool, and I am willing to assist in some manner. I am open to accepting suggestions and corrections regarding the organization of categories and templates, especially concerning the overall finding and its subcategories.

aronmolnar commented 5 months ago

Thank you for your suggestion.

Just to make sure we're talking about the same thing:

Are you really referring to Finding Templates?

Or do you want to group findings in reports?

PunkerGhoul commented 5 months ago

My suggestion refers to the "Finding Templates" section.

aronmolnar commented 5 months ago

Thanks for the feedback.

Can you elaborate on what usability improvements you expect from this feature? It might facilitate a more systematic approach to grouping finding templates, but I haven't understood how this improves usability.

You can already tag your finding templates (e.g. sqli or xss for your examples; or any other custom tag).

PunkerGhoul commented 5 months ago

The whole idea of grouping findings templates is to set up preset fields like score, description, recommendations, references, etc., in a more specific way. This helps cut down the time it takes to set things up by starting from basic templates. For example, it's not the same using an XSS template compared to an XSS - Stored template – CVSS changes, description changes, recommendations change, and so on.

For example:

Templates
├── SQL Injection
│   ├── SQL Injection (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P)
│   ├── SQL Injection - Time Based (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C/CR:H/IR:H/AR:H)
│   └── SQL Injection - Error Based (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C/CR:H/IR:H/AR:H)
└── XSS
    ├── XSS (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N/E:H/RL:O/RC:C/CR:H/IR:H/AR:H)
    ├── XSS - Stored (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C/CR:H/IR:H/AR:H)
    └── XSS - Reflected (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/RL:O/RC:C/CR:H/IR:H/AR:H)

Basically, I'm hoping this improvement will cut down the time it takes to adjust both common and specific findings. With the use of categories and tags, the goal is to make it easy to filter what's needed from the database. This should reduce the amount of data pulled from the database and make the user experience better, both in terms of how things look and how they perform.

aronmolnar commented 5 months ago

I haven't understood how this approach cuts down time.

Concerns I have about this:

Would the possibility to duplicate finding templates in combination with tagging them solve your issue?
You could duplicate the Stored XSS and work from there to get Reflected XSS done. And tag both with "XSS"?

(Duplicating is currently only possible by exporting and re-importing, but it would make sense to have this possibility.)

PunkerGhoul commented 5 months ago

For example, if a pentester finds 2 vulnerabilities in a web application, a "SQL Injection - Time-Based" and a "SQL Injection - Error Based", from the templates section he can find them directly in the "SQL Injection" category, or, since you mentioned "There are not many vulnerabilities that can be grouped this way", it can be generalized to a category such as "Injections".

However, my proposal is directed at the creation of categories for the organization of finding templates; on the other hand, my emphasis on how it could be organized was regarding its possible usability.

Returning then to your concern that "there are not many vulnerabilities that can be grouped in this way": if you take into account for example the category "Injections", this would include vulnerabilities such as XSS, CSV injection, XML injection, SQL injection, NoSQL injection, Server-side template injection, Server-side XSS, Client-side template injection, SMTP header injection, etc. In that way there is no need for sub-categories like Templates -> SQL Injection -> Blind Injection -> Time-Based; it could be structured as Templates -> Injections -> Time-Based SQL Injection or Templates -> Injections -> SQL Injection - Time-Based.

This is why duplicating the template findings in combination with their tags would not solve my problem, however, I also agree that duplicating the templates in this way would be very useful without re-importing.

A possible reference for the idea I have would be the organization in CWE VIEW: Software Development.

Regarding what I mentioned about reducing the time of the data obtained and improving the user experience through the use of tag filters, the idea is that in the finding templates section you can specify what data is required according to your tags.

For example, from a checklist, specify what type of finding templates you want to use by means of the tags, taking into account that the data present in the "finding templates" section is shown in full to each member of the team. For example, a teamwork strategy is to divide the environments and then rotate them: if one pentester is going to focus on the mobile environment and another focuses on the web environment, then the findings for each can be filtered easily.

It is also worth noting that a good team tries to cover all possible findings in the templates to maximize efficiency, hence my thought that loading all the templates does not have the same impact on performance as loading only the necessary templates.

If I have made myself better understood, would there be a way to reduce the complexity of implementing such an improvement, mainly the categorization in the finding templates section?