Data Analysis tools
- Tools findings by severity and targets
- Vulnerability severity cluster
- Severity timeline
- Service vulnerability timeline
- Target severity pie charts
- OS severity pie charts
- Severity by tool boxplot
- Total vulnerability correlation with price by each OS
- Vulnerability by type chart, ease of resolution and OS
- Vulnerability by year tree
You can also download the charts as PNG or SVG format to include them in your custom reports.
Vuln templates CRUD
Write your vulns once, and use them forever.
Keeping in mind that managing hosts is a very important task to pentesters and managers alike we decided to update the hosts manager. As of this version you can examine, create and edit hosts from the same full view. Since it is no longer a modal dialog, the whole browser window is used, allowing to have all of the host details, along with its services in plain sight. No more scrolling, no more three clicks to get the host info!
Plugins Core Improvements
Faraday’s Plugin System is a core piece of the platform and that is why we constantly work on adding new tools and improving the ones we already support. In this iteration we improved the system itself so that plugins can access the error console and communicate with the user in a simplified manner.
On the maintenance side, we fixed a bug in the Nessus plugin which locked vuln editing after processing, and added support for SQLmap's -r argument, which takes an HTTP request file instead of requiring the URL and headers to be entered manually. We also modified a few other plugins (Core Impact, Netsparker, Nikto, Propecia, Qualysguard, SQLmap, Telnet and Wapiti) to improve the content of the vulnerabilities that are added to the platform, producing better Executive Reports.
It’s not uncommon for our users to switch between versions (for example, when upgrading from Community to Pro) and some issues arose in that process. Keeping that use case in mind, we improved how the Faraday Client verifies its version against the Server to avoid further issues in the future.
Also, we made some improvements to the GTK client's link to the Web UI and corrected a bug that prevented the Web UI from saving changes to workspaces created using the GTK Client.
Some of our Pro and Corp users had trouble starting the Server with no internet connection. We changed its behavior when bootstrapping without active internet access, allowing users to run it even with limited connectivity.
Regarding the Executive Report, we fixed a minor bug that generated inconsistent reports when grouping regular vulns with web vulns.
With the new additions to the Web UI, the left navigation bar was overloaded so we removed the administrative links (Workspaces, Users and Licenses) and added them to a new admin menu on the top right, along with a link to the Help page and an about dialog.
A special config for our Corp Customers
Because of a refactor in the auth system made in the last Corporate Version Release, we need to ask users to set up CouchDB correctly to avoid constantly losing the session.
To avoid headaches, follow this step-by-step guide:
- Turn off Faraday Server (./faraday-server.pyc --stop)
- Turn off CouchDB (systemctl stop couchdb)
- Modify the file “local.ini” usually located in the path /etc/couch/local.ini
- Add the following lines to the [couch_httpd_auth] part of that file
allow_persistent_cookies = true
timeout = 9999999
- Initialize CouchDB and Faraday Server again and you are all set
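The edit in the steps above is easy to get wrong by hand (a duplicated key, or the lines landing under the wrong section). The following is an added example, not part of the release notes or of Faraday's own tooling: a small POSIX sh/awk helper that sets a key under a given section of an ini file, creating the section if it is missing and replacing the key if it already exists, plus a reader to verify the result. It is exercised on a constructed local.ini in a temporary file; to apply it to a real install, pass the path the notes give (/etc/couch/local.ini) as the first argument instead, with CouchDB stopped.

```shell
# Added example, not from the Faraday release notes.
# set_ini_key FILE SECTION KEY VALUE
#   Adds or updates "KEY = VALUE" inside [SECTION] of an ini-style file.
#   Idempotent: running it twice leaves exactly one line for KEY.
set_ini_key() {
  file=$1; section=$2; key=$3; value=$4
  tmp=$(mktemp)
  awk -v sec="$section" -v k="$key" -v v="$value" '
    BEGIN { insec = 0; done = 0 }
    # A new section header: if we were in the target section and never
    # saw the key, emit it before leaving the section.
    /^\[/ {
      if (insec && !done) { print k " = " v; done = 1 }
      insec = ($0 == "[" sec "]")
    }
    # Existing key inside the target section: replace it in place.
    insec && $0 ~ ("^[ \t]*" k "[ \t]*=") && !done {
      print k " = " v; done = 1; next
    }
    { print }
    END {
      if (!done) {
        if (!insec) print "[" sec "]"   # section absent: create it at the end
        print k " = " v
      }
    }
  ' "$file" > "$tmp"
  mv "$tmp" "$file"
}

# get_ini_key FILE SECTION KEY
#   Prints the value of KEY under [SECTION]; exit status 1 if not present.
get_ini_key() {
  awk -v sec="$2" -v k="$3" '
    /^\[/ { insec = ($0 == "[" sec "]"); next }
    insec && $0 ~ ("^[ \t]*" k "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); print; found = 1; exit
    }
    END { exit !found }
  ' "$1"
}

# Demo on a constructed local.ini (sample content, not a real install).
demo_local_ini() {
  f=$(mktemp)
  printf '[couch_httpd_auth]\nrequire_valid_user = false\n\n[log]\nlevel = info\n' > "$f"
  set_ini_key "$f" couch_httpd_auth allow_persistent_cookies true
  set_ini_key "$f" couch_httpd_auth timeout 9999999
  echo "--- resulting $f ---"
  cat "$f"
  echo "--- verification ---"
  echo "allow_persistent_cookies=$(get_ini_key "$f" couch_httpd_auth allow_persistent_cookies)"
  echo "timeout=$(get_ini_key "$f" couch_httpd_auth timeout)"
  rm -f "$f"
}

demo_local_ini
```

One caveat worth keeping in mind when applying the step: CouchDB's timeout is in seconds, so 9999999 keeps an authenticated session (and any cookie copied from it) valid for roughly 115 days; the reader helper above lets you confirm the value actually in effect rather than trusting the edit.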
Changes and fixes
- Added a Data Analysis component to the Web UI
Pro & Corp changes
- Fixed a bug in the GTK interface when trying to configure a non-existent URL
- Always redirect to login page when user is not logged in
- Prevent users with role client to login using GTK
- Disable host and vuln edit buttons when logged in as client
- Fixed the server, which was refusing some valid licenses
- Improved grouping in Executive Reports
- Redirect to home page when a logged user visits login page
Community, Pro & Corp changes
- Fixed bug when editing workspaces created in GTK
- Improved host search in the WEB UI
- Extended the config to support different searching engines in the WEB UI
- Check that client and server versions match when connecting
- Added the 'v' and 'version' arguments for both the server and the client
- Fixed “refresh” button in the Web UI
- Fixed the API on /ws/<workspace> when the duration object is None
- Added a CRUD for Credentials to the Web UI
- Bug fixes on the Burp Online Plugin
- Added a script to connect with Reposify
- Fixed Hostname import in Nessus Plugin
- Make plugin methods log() and devlog() work again
- Fixed bug in SQLMap plugin that made the client freeze
- Improved SQLMap plugin to support more options and to show errors in GTK log console
- Fixed bug when creating/updating Credentials
- Improved plugins' usage of vulnweb URL fields
- Fixed order of Report Plugins in the GTK import list