report-ng – Web application security assessment reporting tool

The idea behind is to speed up the preparation stage of penetration testing and automated scan reports as well as make it more uniform.

Developed with Python 2.7 on Windows. Code does not contain tests, but application itself has proven its value in production use for over two years now.

Download

Demo

Basics

Microsoft Office Word is being used to prepare report templates. HP WebInspect and BurpSuite Pro scan exports might be used as input data for the report as well. XML and Yaml or Json are used interchangeably as input formats. Report in Openxml format is the final product of this application.

Error traceback is on. If you will work with templating and wont stick to the rules presented below, you will very likely encounter it.

GUI Interface

Main application window contains four fields that act as an input (drag & drop is supported):

• Template – Word report template
• Content – additional data that should be automatically propagated to the report
• Scan – HP WebInspect / Burp Suite Pro scan
• Knowledge base – knowledge base that could be used to reinforce final report customization

Double click on given text area will popup the content on larger area.

CLI Interface

Command-line support has been added in order to allow bulk generation of report-files. Application currently supports one set of switches:

-t template-file [-c content-file] [-k kb-file] [-s scan-file]

-r report-file

Example use:

python report-ng.py -t examples/example-2-scan-report-template.xml -c examples/example-2-content.yaml -k examples/example-2-kb.yaml -s examples/example-2-scan-export-Burp.xml -r examples/\!.xml

Tutorial