Bending MagicTree (Burp import)

In between projects, we at Astyran have an internal project running to streamline the reporting of our vulnerability assessments. One of the tools we use is Gremwell's MagicTree.

Earlier I blogged about our XSLT style sheet to import vulnerability data from the Arachni scanner. That style sheet created views on the data grouped per vulnerability type. However, all the other import sheets seem to prefer grouping vulnerabilities per URL.

Personally I prefer to group vulnerabilities per type:

  • it enables the designer/architect to really see the full picture at once, design a real solution, and assess the possible impact on development.
  • it prevents developers from fixing the issues page by page, which leads to incomplete or plain wrong solutions and the endless "penetrate and patch" cycle.
  • it gives a less daunting report to business management ("only 1 high rated issue on a total of 10") as compared to ("we have found 300 high rated issues on a total of 1,100"). Managers like to see that things in their business critical application can be fixed, not that the situation appears hopeless.
  • it makes the development team happy: "only 1 item to fix", we are not complete losers and did a reasonably good job;
  • it makes the poor soul that imports the data into the change request management program also happy: only 10 items to import, classify, prioritize and follow up, as compared to 1,100 items, of which many will need to be closed as 'duplicates'.
  • it wastes less disk space.

Unfortunately, that means that we have to change all XSLT transformation sheets to import the data the way we want.

Here is the code to import Burp scanner data according to our wishes. Just as with our Arachni solution, it creates a (non-standard) "scaninfo" section that keeps information about the scans that were imported, as well as the (standard) "testdata" tree, but now ordered per finding and not per URL. The grouping comes from the mergeID attribute of each finding, which is set to the Burp issue name, so that MagicTree merges all occurrences of the same issue into one finding with several "affects" entries.

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

  <!-- signature of this import: "Burp" + version + export time, with separators stripped -->
  <xsl:variable name="myreportsignature">
    <xsl:text>Burp</xsl:text>
    <xsl:value-of select="translate(/issues/@burpVersion,' +-:','')"/>
    <xsl:value-of select="translate(/issues/@exportTime,' +-:','')"/>
  </xsl:variable>

  <!-- one MagicTree finding per Burp issue; the mergeID is the issue name, so identical
       issues on different URLs are merged into one finding with several "affects" -->
  <xsl:template name="burp-finding">
    <xsl:param name="issue"/>
    <finding class="MtTextObject" status="new">
      <xsl:attribute name="title">
        <xsl:value-of select="$issue/name"/>
      </xsl:attribute>
      <xsl:attribute name="mergeID">
        <xsl:value-of select="$issue/name"/>
      </xsl:attribute>
      <burptype><xsl:value-of select="$issue/type"/></burptype>
      <source>
        <xsl:text>Burp </xsl:text>
        <xsl:value-of select="/issues/@exportTime"/>
      </source>
      <xsl:call-template name="burp-severity">
        <xsl:with-param name="severity" select="$issue/severity"/>
      </xsl:call-template>
      <xsl:value-of select="$issue/issueBackground"/>
      <solution title="Solution" class="MtTextObject">
        <xsl:value-of select="$issue/remediationBackground"/>
      </solution>
      <!-- the affected URL (host + path) is merged on its own key, so re-imports do not duplicate it -->
      <affects>
        <xsl:attribute name="mergeID">
          <xsl:value-of select="concat($issue/host, $issue/path)"/>
        </xsl:attribute>
        <xsl:value-of select="concat($issue/host, $issue/path)"/>
        <output title="Details" class="MtTextObject">
          <xsl:value-of select="$issue/issueDetail"/>
        </output>
        <!-- Burp writes the location as "/path [name parameter]"; pick out "name" if present -->
        <xsl:if test="string-length(normalize-space(substring-after(substring-before($issue/location,'parameter'),'[')))>0">
          <parameter>
            <xsl:value-of select="normalize-space(substring-after(substring-before($issue/location,'parameter'),'['))"/>
          </parameter>
        </xsl:if>
        <xsl:for-each select="$issue/requestresponse">
          <requestresponse><xsl:number value="position()" format="1"/>
            <request class="MtTextObject" title="Request">
              <xsl:value-of select="request"/>
            </request>
            <response class="MtTextObject" title="Response">
              <xsl:value-of select="response"/>
            </response>
          </requestresponse>
        </xsl:for-each>
      </affects>
    </finding>
  </xsl:template>

  <!-- map Burp's severity labels to MagicTree's textual and numeric severity -->
  <xsl:template name="burp-severity">
    <xsl:param name="severity"/>
    <source-severity>
      <xsl:choose>
        <xsl:when test="$severity='High'">high<numeric>3</numeric></xsl:when>
        <!-- medium sits between high (3) and low (1); the original listing had 3 here as well -->
        <xsl:when test="$severity='Medium'">medium<numeric>2</numeric></xsl:when>
        <xsl:when test="$severity='Low'">low<numeric>1</numeric></xsl:when>
        <xsl:when test="$severity='Information'">info<numeric>0</numeric></xsl:when>
        <xsl:otherwise>unknown<numeric>-1</numeric></xsl:otherwise>
      </xsl:choose>
    </source-severity>
  </xsl:template>

  <!-- derive the TCP port from the host URL: explicit port if given, else 443 for https and 80 otherwise -->
  <xsl:template name="get-port">
    <xsl:param name="host"/>
    <xsl:variable name="proto" select="substring-before($host, ':')"/>
    <xsl:variable name="host-port" select="substring-after($host, '://')"/>
    <xsl:choose>
      <xsl:when test="string-length(substring-after($host-port,':'))>0">
        <xsl:value-of select="substring-after($host-port,':')"/>
      </xsl:when>
      <xsl:otherwise>
        <xsl:choose>
          <xsl:when test="$proto='https'">443</xsl:when>
          <xsl:otherwise>80</xsl:otherwise>
        </xsl:choose>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>

  <xsl:template match="/">
    <magictree class="MtBranchObject" xmlns:mt="http://www.gremwell.com/magictree">
      <!-- non-standard section recording which scans were imported -->
      <scaninfo class="MtBranchObject">
        <scan status="new" class="MtTextObject">
          <xsl:attribute name="title">
            <xsl:text>Burp </xsl:text>
            <xsl:value-of select="/issues/@exportTime"/>
          </xsl:attribute>
          <!-- lines 112 to 115 of the original listing are not present in the page as published -->
          <xsl:text>Burp </xsl:text>
          <xsl:value-of select="/issues/@exportTime"/>
          <version>
            <xsl:value-of select="/issues/@burpVersion"/>
          </version>
        </scan>
      </scaninfo>

      <!-- standard MagicTree tree: host / ipproto / port / (tunnel) / service / finding -->
      <testdata class="MtBranchObject">
        <xsl:for-each select="issues/issue">
          <host><xsl:value-of select="host/@ip"/>
            <ipproto>tcp
              <port>
                <xsl:call-template name="get-port">
                  <xsl:with-param name="host" select="host"/>
                </xsl:call-template>
                <xsl:choose>
                  <xsl:when test="starts-with(host,'https')">
                    <tunnel>ssl
                      <service>http
                        <xsl:call-template name="burp-finding">
                          <xsl:with-param name="issue" select="."/>
                        </xsl:call-template>
                      </service>
                    </tunnel>
                  </xsl:when>
                  <xsl:otherwise>
                    <service>http
                      <xsl:call-template name="burp-finding">
                        <xsl:with-param name="issue" select="."/>
                      </xsl:call-template>
                    </service>
                  </xsl:otherwise>
                </xsl:choose>
              </port>
            </ipproto>
          </host>
        </xsl:for-each>
      </testdata>
    </magictree>
  </xsl:template>
</xsl:stylesheet>
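The effect of the style sheet can be checked without MagicTree at hand. The Python below is an added example, not code from this post or from Gremwell: it re-implements the sheet's small rules (the get-port template, the parameter extraction from the Burp location string, the severity mapping with Medium as 2, and merging findings on the issue name) over a constructed Burp export, and compares the per-type count with the per-URL count. Every host, path, IP and issue in the sample is made up.

```python
"""Group Burp issues per finding type, mirroring the stylesheet's mergeID rule.

Added example (not part of the original post or of MagicTree). The sample
export below is constructed: hosts, paths, IPs and type ids are made up, and
only the elements the stylesheet actually reads are present."""
import xml.etree.ElementTree as ET
from collections import OrderedDict

SAMPLE_EXPORT = """<?xml version="1.0"?>
<issues burpVersion="1.5.01" exportTime="Fri Jun 14 10:00:00 CEST 2013">
  <issue><type>100001</type><name>Cross-site scripting (reflected)</name>
    <host ip="192.0.2.10">https://shop.example</host><path>/search</path>
    <location>/search [q parameter]</location><severity>High</severity></issue>
  <issue><type>100001</type><name>Cross-site scripting (reflected)</name>
    <host ip="192.0.2.10">https://shop.example</host><path>/account</path>
    <location>/account [name parameter]</location><severity>High</severity></issue>
  <issue><type>100002</type><name>SQL injection</name>
    <host ip="192.0.2.11">http://legacy.example:8080</host><path>/report</path>
    <location>/report [id parameter]</location><severity>Medium</severity></issue>
  <issue><type>100003</type><name>Email addresses disclosed</name>
    <host ip="192.0.2.10">https://shop.example</host><path>/about</path>
    <location>/about</location><severity>Information</severity></issue>
</issues>
"""

# Same mapping as the burp-severity template (Medium corrected to 2).
SEVERITY = {"High": ("high", 3), "Medium": ("medium", 2),
            "Low": ("low", 1), "Information": ("info", 0)}


def severity(label):
    """Return (text, numeric) for a Burp severity label; unknown labels give -1."""
    return SEVERITY.get(label, ("unknown", -1))


def get_port(host):
    """Rule of the get-port template: explicit port wins, else 443 for https, else 80."""
    proto = host.split(":", 1)[0]
    host_port = host.split("://", 1)[1]
    if ":" in host_port:
        return host_port.split(":", 1)[1]
    return "443" if proto == "https" else "80"


def parameter_name(location):
    """Mirror substring-after(substring-before(location,'parameter'),'[') with
    XPath semantics: both substring functions yield '' when the marker is absent."""
    if "parameter" not in location:
        return ""
    before = location.split("parameter", 1)[0]
    if "[" not in before:
        return ""
    return before.split("[", 1)[1].strip()


def import_findings(xml_text):
    """Build findings keyed by mergeID (= issue name), each with its affected URLs."""
    root = ET.fromstring(xml_text)
    findings = OrderedDict()
    for issue in root.iter("issue"):
        name = issue.findtext("name")
        host = issue.findtext("host")
        entry = findings.setdefault(name, {
            "title": name, "mergeID": name, "burptype": issue.findtext("type"),
            "severity": severity(issue.findtext("severity")), "affects": []})
        entry["affects"].append({
            "mergeID": host + issue.findtext("path"),       # affects are merged on host+path
            "ip": issue.find("host").get("ip"),
            "port": get_port(host),
            "tunnel": "ssl" if host.startswith("https") else None,
            "parameter": parameter_name(issue.findtext("location") or ""),
        })
    return findings


def report_counts(findings):
    """(number of findings per type, number of findings per URL) for the same data."""
    per_type = len(findings)
    per_url = sum(len(f["affects"]) for f in findings.values())
    return per_type, per_url


if __name__ == "__main__":
    result = import_findings(SAMPLE_EXPORT)
    for name, finding in result.items():
        print(name, finding["severity"], [a["mergeID"] for a in finding["affects"]])
    print("per type / per URL:", report_counts(result))
```

Running it prints three findings instead of four: the two reflected XSS hits on different pages collapse into one finding with two "affects" entries, which is exactly the per-type view the style sheet produces.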

And here is a screenshot of the result.

[screenshot: burp_magictree_import]

Have fun and have a great week-end!

Herman Stevens

Just some guy on the internet. Loves technology, diving, travelling, photography and Belgian Trappist beers.