PentestPortal release - 30 December 2022 (Year-End)

Much work has been done to fulfill some major wishes of our partners and their customers. In this release, the following has been delivered and released to production.

Features - Partners

• #150 (Add new users by Partners):This one will make it easy for partners to add their colleagues as well and assign them a role within their own partner context (currently, at this level we support two roles: Functional Manager and Account Manager). So, as Cyber Cloud we do not have to process user requests any more.

• #493 (Report settings for Penetration Tests and Basic Security Scans): it is now possible to use different settings for a penetration test report and a basic security scan report. E.g. another cover page, font types, etc.

Features - Customers

• #230 - Customers do have several 'customer level' settings. We have made it easier for you to find these :)

Features - Penetration Testers

• #259 (WYSIWYG shortcodes) - This will save you a lót of time! The next shortcodes are fully operational now:

  • !! To reference another risk within the assessment

  • {{ To mention customer- or partner names

  • $ To reference to a tool/website (the list is dynamic and you can add new ones yourselves)

• #391 (Auto-focus): does not need explanation, it saves you on an average day enough time to grab a cup of coffee

• #432 (CVSS Calculator) - a Christmas present of our developers! Thank you.

• #464 (New Quality Checks) - we have added two new quality checks:

  • Used pentester IPs

  • Used test accounts/credentials (only applicable to webapp/mobile app targets).

• #491 (Support DTAP for IPv4/IPv6 targets): now it is possible to assign the DTAP-classification to IPv4/IPv6 targets as well.

• #508 (Import Additional DNS hostnames): when importing scan files, additional DNS hostnames are imported now as well.

• #512 (Package Name for Mobile Apps): a new property to Mobile Apps was added to document the package name of the tested app.

Features - General

• #454 (Export users and roles) - For instance admins, it is now possible to export a CSV file containing all users and their roles in order to perform an access review for information security purposes / audits.

Fixes

• #417 (Filtering and sorting Port Table): the filtering and sorting of the port scan table did not work anymore. We have found the issue and fixed it.

• #460 (Adding multiple findings at once): when adding multiple findings to an assessment at once, only the first one was added. This has been fixed now.

• #483 (Reproduction step images): it was not possible to use the download button of the reproduction step images.

• #509 (Hostname target property): the hostname target property was not available in the port scan table at assessment level.

• #510 (Additional logging): we have enabled additional logging on report generation.

• #511 (OWASP not visible with Mobile Apps): the OWASP category field was not visible in findings related to Mobile Apps. This has been fixed now.

Basic Security Scan

• #484 (Support > 25 subdomains) - several partners asked whether it is possible to scan ALL subdomains, also in case there are more than 25 sub domains. We have integrated a new API endpoint now that calculates dynamically the total number of sub domains and the required cyber credits. Also, it is possible to detect additional domains in the same tenant, to find out even more sub domains. Happy scanning!

• #490 (SPF error / fail) - in some cases the table with SPF sources was empty due to an error in the configuration of the SPF record of the scanned domain. We have changed the way of parsing the record, so the table is filled now - but in case the SPF record is not valid, the error is now shown as well.