Support
Integrations

Configuring the User Interface for Custom Send To Actions in Invicti Standard

This document is for:
Invicti Standard

Invicti Standard has an ability to create issues in common issue tracking systems. Invicti also enables users to create custom Send To Actions.

As an example, the article will implement a basic Send To Action that sends a found vulnerability in an email message. There are three steps to this process:

  1. Step 1: The Skeletal Implementation of the Interface
  2. Step 2: Creating the Interface
  3. Step 3: The Code to Send the Email

This topic explains how to create and configure a Send To Action in Invicti Standard.

Step 1: The Skeletal Implementation of the Interface

Send To Actions use the default extensibility mechanism provided with Invicti Standard and can be developed in either C# or VB.NET. You may use any other .NET language if you can compile the code to an assembly. In this example, we use C#.

To create a Send To Action you need to implement a simple interface called ISendToAction. Create an extensions.cs file in your Documents\Invicti\Scripts folder and paste this code into it. If you already have an extensions.cs file, you may append this new class, the basic skeletal implementation of the interface:

using System;
using System.Drawing;
using DevExpress.Utils.Svg;
using MSL.Core.Entities.Vulnerability;
using MSL.Core.Process.SendTo;

public class MailSendToAction : ISendToAction
{
        public string DisplayName
        {
                get { return "Mail"; }
        }

        public Bitmap SmallIcon
        {
                get { return null; }
        }

        public Bitmap LargeIcon
        {
                get { return null; }
        }

        public SvgImage SvgImage
        {
                get { return null; }
        }


        public SettingsObjectBase CreateSettingsObject()
        {
                throw new NotImplementedException();
        }

        public string Execute(IVulnerabilityView vulnerability, SettingsObjectBase settings)
        {
                throw new NotImplementedException();
        }
}

This table is an explanation of all the elements in the interface:

UI Element

Description

DisplayName

This is a property where you should return a string that denotes the name of your action.

SmallIcon/LargeIcon

These properties should return an icon representing your action in sizes 16*16/32*32 respectively. You may return null from these properties.

CreateSettingsObject

This method should return an instance of SettingsObjectBase class (or a derived one) where the action settings are listed as properties.

Execute

This is the method where the action will be performed. In this case, we format the vulnerability instance and send it as an email with the specified settings.

Step 2: Creating the Settings Interface

Next, create the Settings class by extending the SettingsObjectBase class. Paste the following code after the code in Step 1, before the last closing brace:

public class Settings : SettingsObjectBase
{
        private const int DefaultPort = 25;

        private const SmtpDeliveryMethod DefaultDeliveryMethod = SmtpDeliveryMethod.Network;

        private const string DefaultBodyTemplate = "Mail.cshtml";

        public Settings()
        {
                Port = DefaultPort;
                DeliveryMethod = DefaultDeliveryMethod;
                BodyTemplate = DefaultBodyTemplate;
        }

        [Category("Mandatory")]
        [Description("The server name or IP address to send mail from.")]
        public string Host { get; set; }

        [Category("Mandatory")]
        [Description("The port number to be used.")]
        [DefaultValue(DefaultPort)]
        public int Port { get; set; }

        [Category("Mandatory")]
        [Description("The name of the user to be used for authentication.")]
        public string Username { get; set; }

        [Category("Mandatory")]
        [Description("The password of the user to be used for authentication.")]
        [PasswordPropertyText(true)]
        public string Password { get; set; }

        [Category("Mandatory")]
        [DisplayName("From Address")]
        [Description("The address that mail will be send from.")]
        public string FromAddress { get; set; }

        [Category("Mandatory")]
        [DisplayName("To Address")]
        [Description("The address that mail will be send to.")]
        public string ToAddress { get; set; }

        [Category("Optional")]
        [DisplayName("Enable SSL")]
        [Description("Specify whether SSL will be used.")]
        [DefaultValue(false)]
        public bool EnableSsl { get; set; }

        [Category("Optional")]
        [DisplayName("Delivery Method")]
        [Description("Specify how outgoing email messages will be handled.")]
        [DefaultValue(DefaultDeliveryMethod)]
        public SmtpDeliveryMethod DeliveryMethod { get; set; }

        [Category("Vulnerability")]
        [DisplayName("Body Template")]
        [Description("The template file to be used while rendering mail contents.")]
        [DefaultValue(DefaultBodyTemplate)]
        public string BodyTemplate { get; set; }
}

You will also need to add these three new directives:

using System.ComponentModel;
using System.Net;
using System.Net.Mail;

Now that we have a settings class, we can return an instance of it from our CreateSettingsObject() method as explained below:

public SettingsObjectBase CreateSettingsObject()
{
        return new Settings();
}

The Settings class does not have any action and does not execute anything. It only outlines the required configuration details as .NET properties. This class will be rendered in the Invicti Standard Settings UI, as illustrated, and must be configured by the user.

This table lists and explains the properties along with several attributes.

Property

Attributes

Category

This property specifies which category it belongs to. You are free to create your own.

Description

This is the help text that will be shown in the UI when this property is selected.

DisplayName

By default, the name of the property is shown in the UI. You can override it using this attribute.

PasswordPropertyText

This attribute indicates that the property contains sensitive data and should be masked in the user interface.

DefaultValue

This specifies the default value of the property. Ensure that you initialize this value on the constructor of your Settings class. With this attribute in place, users can right click and reset this setting to its default value.

Step 3: The Code to Send the Email

The final piece of code is the actual implementation that sends the vulnerability details in an email. Update your Execute() method with the following code:

public string Execute(IVulnerabilityView vulnerability, SettingsObjectBase settings)
{
        var settingsTyped = (Settings)settings;

        var smtp = new SmtpClient
        {
                Host = settingsTyped.Host,
                Port = settingsTyped.Port,
                EnableSsl = settingsTyped.EnableSsl,
                DeliveryMethod = settingsTyped.DeliveryMethod,
                Credentials = new System.Net.NetworkCredential(settingsTyped.Username, settingsTyped.Password),
        };

        string contents;

        try
        {
                contents = vulnerability.RenderSendToTemplate(settingsTyped.BodyTemplate);
        }
        catch (Exception e)
        {
                throw new Exception(string.Format("An error occurred while rendering template '{0}', make sure it exists.", settingsTyped.BodyTemplate), e);
        }

        using (smtp)
        using (var message = new MailMessage(settingsTyped.FromAddress, settingsTyped.ToAddress))
        {
                message.Subject = string.Format(settingsTyped.TitleFormat, vulnerability.Title);
                message.Body = contents;
                smtp.Send(message);
        }

        return "Vulnerability sent as mail successfully!";
}

This is simple .NET code that configures a SmtpClient instance and sends an email message with the settings provided. One point to note is that as the Body of the email message, we are rendering the vulnerability details with a template. For this example we are using a template called Mail.cshtml as the default template.

For such an example to work, you must create a file called Mail.cshtml in your Documents\Invicti\Resources\Send To Templates folder with the following code:

@using MSL.Core;
@using MSL.Core.Entities.Vulnerability;
@using MSL.Common.Text.Encoding;
@{
        // Short access to some object
        var vuln = Model.Vulnerability;
        var absoluteUri = Model.Vulnerability.Response.ResponseUri.AbsoluteUri;
        var attackParameter = Model.Vulnerability.Response.UriManager.AttackParameter;
}URL: @Raw(Decode.Url(absoluteUri))
Certainty: @vuln.Certainty%
Confirmed: @vuln.IsConfirmed
@if(!string.IsNullOrEmpty(attackParameter.Value))
{
<text>
Parameter Name: @attackParameter.Name
Parameter Type: @attackParameter.Type
Attack Pattern: @Decode.Url(attackParameter.Value)
</text>
}
@foreach (var customFieldPair in vuln.CustomFields)
{
 @customFieldPair.Key<text> :</text> if (customFieldPair.Value.HasMultipleValues)
 {
        foreach (var value in customFieldPair.Value.Values)
        {
<text>@value</text>
        }
 }
 else
 {
        @customFieldPair.Value.Value
 }
}

You can modify this template or create other templates based on it. You can also select the template to use in the Settings pane of your Send To Action. Here is a sample email that is sent using this template.

SendToMailSample.png

Testing the Send To Action

By default, you cannot test the Send To Action while you are configuring it in the Settings UI. To enable this, you need to implement ISendToActionTestable rather than ISendToAction.

Since this interface has an extra method called Test(), it should be implemented too. By using this method, you simply need to test whether the provided settings are valid and return a SendToActionTestResult with success or failure information.

Conclusion

This is how you implement a basic Send To Action. Even though it requires some adapting and error checking, you can use this code to send the details of the vulnerabilities discovered by Invicti web application security scanner as emails. You can also download the full source code of this example from here:

Example.zip

For information on how to configure auto Send To Actions, see Configuring Auto Send To Actions in Invicti Standard.