How to conveniently export Burp findings to Dradis tables

Reporting for security testing projects can be a cumbersome and mind numbing task especially if you still stick to Word templates and have to dig for vulnerability descriptions in old reports. For those who want to make their lives easier and deliver high quality reports in the shortest possible time, Dradis is a good option. It is a Rails based vulnerability tracking and reporting engine with many neat features such as importing options for Burp, Nessus, Nmap and many other security tool results.

For those who are already familiar with Dradis, there have been lots of changes especially since version 1.9. One of the enhancements is that the report engine is smart enough to translate Dradis tables into Word tables using a custom style format. So for example a two columns Dradis table when exported to Word would look something like this:

1

Now if you do a lot of web app stuff and use Burp then it can be quite cumbersome to create these tables, especially if you have a lot of findings. Fortunately Burp is fairly easy to extend. As a template I used the code from the latest Heartbleed Burp extension. It already had a basic Tab class which I had to just modify a bit. As for the functionality, Burp’s issue detail seems to vary a lot from issue to issue. Therefore issue extraction is not very generic. I implemented the table generation so far for issues that include a parameter in the issue detail like SQL Injection or Cross Site Scripting. Having said that, extraction of other issue types is very straight forward. When you load the extension into Burp you will notice a new tab called Dradis Vuln Tables. New subtabs will be created once you “Generate Dradis Vuln Table” from an issue or an issue group.

2

3

Once the table is in Dradis and it is exported into the Word template it will look something like my Word export in the first figure of this post.

The Burp extension is available at GitHub.