Dradis Overview
introduction
Dradis is a tool to help in the process of penetration testing. Penetration testing is about information:
- Information discovery
- Exploit useful information
- Report the findings
But penetration testing is also about sharing the information you and your teammates gather. Failing to share the available information effectively results in lost exploitation opportunities and duplicated effort.
Before you go on reading, it may be worth having a look at the demo section, where you can find some introductory flash videos about Dradis. There is also a set of slides with a brief Dradis overview.
scenario: where are we?
Traditional pentesting teams face different types of challenges regarding information sharing. Different tools provide output in different formats, different testers capture evidence in different ways, different companies report differently, etc.
If you do not use a tool to share the information, every tester will keep their own notes file to track their findings. Each will store this file locally, or on a shared resource, but the information will not reach the rest of the team immediately.
If you want to know your teammate's latest findings, you will need to look for their notes file. You can also try talking, but talking is not that effective when you need to know a specific cookie value or a SQL query for an injection attack.
It seems reasonable that some effort must be put into increasing the quality and efficiency of this process.
system design: goals and benefits
Four main goals have driven and will drive the development of Dradis, the system should:
- effectively share the information. Information should be available to all the clients without extra effort.
- be easy to use and easy to adopt. Otherwise it would present little benefit over other systems.
- be flexible. It needs a powerful and simple extensions interface. In order for it to grow, users should be able to extend it with their own modules.
- be small and portable. You should be able to use it while on site (no outside connectivity). It should be OS independent (no two testers use the same OS).
The main benefits derived from the use of Dradis are:
- information is organized
- it saves time, both while testing and while reporting
- the knowledge is effectively shared
- it is also good for one-man testing: it helps structure what has been covered so far and what else needs to be covered.
architecture

Both the client and the server are developed using Ruby. The server uses the Ruby on Rails (RoR) framework, which is a database-independent MVC framework that provides both a web and a web service interface.
The client communicates with the server using REST web services over SSL; as a result, nothing prevents the development of new clients using different languages.
Two flavours of client interface have been developed, a console interface (ruby dradis.rb) for the hardcore testers and a GUI interface (ruby dradis.rb -g) that uses the wxRuby library.
All components of Dradis are platform independent. The system has been developed using Debian GNU/Linux but has been tested and is known to work at least on Ubuntu/Kubuntu, Gentoo, Mac OS X and Windows.
note for debian stable users: the latest version of the wxWidgets package available for etch is 2.6. The wxRuby gem requires at least 2.8. You can still use the web and console interfaces.
