Creating a new Send To action in Netsparker Desktop

Category: Product Docs & FAQS - Last Updated: Tue, 10 Jan 2017 - by Selçuk Mıynat

This tutorial will walk you through the basics of creating a “Send To” action in Netsparker Desktop. Send To actions can be used to configure the scanner to automatically send an email when a particular vulnerability or vulnerabilities are detected. In this example we are going to implement a simple Send To action that sends a selected vulnerability in an email message.

Step 1: The Skeletal Implementation of the Interface

Send To actions use the default extensibility mechanism provided with Netsparker Desktop and can be developed in either C# or VB.NET. You may actually use any other .NET language if you can compile the code to an assembly. In this example we are going to use C# as our language.

To create a Send To action you need to first implement a simple interface called ISendToAction.

First create an extensions.cs file in your Documents\Netsparker\Scripts directory and paste the below code to it. If you already have an extensions.cs file, you may append this new class, the basic skeletal implementation of the interface:

using System;
using System.Drawing;
using MSL.Core.Entities.Vulnerability;
using MSL.Core.Process.SendTo;

public class MailSendToAction : ISendToAction
{
	public string DisplayName
	{
		get { return "Mail"; }
	}

	public Bitmap SmallIcon
	{
		get { return null; }
	}

	public Bitmap LargeIcon
	{
		get { return null; }
	}

	public SettingsObjectBase CreateSettingsObject()
	{
		throw new NotImplementedException();
	}

	public string Execute(IVulnerabilityView vulnerability, SettingsObjectBase settings)
	{
		throw new NotImplementedException();
	}
}

Below is an explanation of all the members in the interface:

DisplayName: A property where you should return a string that denotes the name of your action.

SmallIcon/LargeIcon: These properties should return an icon representing your action in sizes 16*16/32*32 respectively. You may return null from these properties.

CreateSettingsObject: This method should return an instance of SettingsObjectBase class (or a derived one) where the action settings are listed as properties.

Execute: This is the method where the action will be performed, in our case we are going to format the provided vulnerability instance here and send it as an email with the specified settings.

Step 2: Creating the Settings Interface

Now we should create our settings class by extending the SettingsObjectBase class. Paste the following code over the existing code before the last closing brace:

public class Settings : SettingsObjectBase
{
	private const int DefaultPort = 25;

	private const SmtpDeliveryMethod DefaultDeliveryMethod = SmtpDeliveryMethod.Network;

	private const string DefaultBodyTemplate = "Mail.cshtml";

	public Settings()
	{
		Port = DefaultPort;
		DeliveryMethod = DefaultDeliveryMethod;
		BodyTemplate = DefaultBodyTemplate;
	}

	[Category("Mandatory")]
	[Description("The server name or IP address to send mail from.")]
	public string Host { get; set; }

	[Category("Mandatory")]
	[Description("The port number to be used.")]
	[DefaultValue(DefaultPort)]
	public int Port { get; set; }

	[Category("Mandatory")]
	[Description("The name of the user to be used for authentication.")]
	public string Username { get; set; }

	[Category("Mandatory")]
	[Description("The password of the user to be used for authentication.")]
	[PasswordPropertyText(true)]
	public string Password { get; set; }

	[Category("Mandatory")]
	[DisplayName("From Address")]
	[Description("The address that mail will be send from.")]
	public string FromAddress { get; set; }

	[Category("Mandatory")]
	[DisplayName("To Address")]
	[Description("The address that mail will be send to.")]
	public string ToAddress { get; set; }

	[Category("Optional")]
	[DisplayName("Enable SSL")]
	[Description("Specify whether SSL will be used.")]
	[DefaultValue(false)]
	public bool EnableSsl { get; set; }

	[Category("Optional")]
	[DisplayName("Delivery Method")]
	[Description("Specify how outgoing email messages will be handled.")]
	[DefaultValue(DefaultDeliveryMethod)]
	public SmtpDeliveryMethod DeliveryMethod { get; set; }

	[Category("Vulnerability")]
	[DisplayName("Body Template")]
	[Description("The template file to be used while rendering mail contents.")]
	[DefaultValue(DefaultBodyTemplate)]
	public string BodyTemplate { get; set; }
}

You will also need to add these two new directives:

using System.ComponentModel;
using System.Net.Mail;

Now that we have a settings class, we can return an instance of it from our CreateSettingsObject() method as explained below:

public SettingsObjectBase CreateSettingsObject()
{
	return new Settings();
}

This Settings class does not have any action and does not execute anything. It only outlines the required configuration details as .NET properties. This class will be rendered in the Netsparker Desktop settings user interface, as shown in the below screenshot, and has to be configured by the user.

The properties are also decorated with a few attributes, these are:

Category: Specifies which category does this property belongs to. You are free to create your own.

Description: The description/help text that will be shown on the user interface when this property is selected.

DisplayName: By default, the name of the property will be shown on the user interface but you can override it by using this attribute.

PasswordPropertyText: This attribute denotes that the property contains sensitive data and should be masked on the user interface.

DefaultValue: Specifies the default value of this property. You also need to initialize this value on the constructor of your settings class. With this attribute in place, users can right click and reset this setting to its default value.

Step 3: The Code to Send the Email

The last piece of code that we need to write is the actual implementation that sends the vulnerability details in an email. Update your Execute() method with the following code:

public string Execute(IVulnerabilityView vulnerability, SettingsObjectBase settings)
{
	var settingsTyped = (Settings)settings;

	var smtp = new SmtpClient
	{
		Host = settingsTyped.Host,
		Port = settingsTyped.Port,
		EnableSsl = settingsTyped.EnableSsl,
		DeliveryMethod = settingsTyped.DeliveryMethod,
		Credentials = new System.Net.NetworkCredential(settingsTyped.Username, settingsTyped.Password),
	};

	string contents;

	try
	{
		contents = vulnerability.RenderSendToTemplate(settingsTyped.BodyTemplate);
	}
	catch (Exception e)
	{
		throw new Exception(string.Format("An error occurred while rendering template '{0}', make sure it exists.", settingsTyped.BodyTemplate), e);
	}

	using (smtp)
	using (var message = new MailMessage(settingsTyped.FromAddress, settingsTyped.ToAddress))
	{
		message.Subject = string.Format(settingsTyped.TitleFormat, vulnerability.Title);
		message.Body = contents;
		smtp.Send(message);
	}

	return "Vulnerability sent as mail successfully!";
}

This is trivial .NET code that configures a SmtpClient instance and sends an email message with the settings provided. One thing to note is that as the Body of the email message, we are rendering the vulnerability detail;s with a template. For this tutorial we are using a template called Mail.cshtml as the default template.

Therefore for such example to work you need to create a file called Mail.cshtml under your Documents\Netsparker\Resources\Send To Templates folder with the following code:

@using MSL.Core;
@using MSL.Core.Entities.Vulnerability;
@using MSL.Common.Text.Encoding;
@{
	// Short access to some object
	var vuln = Model.Vulnerability;
	var absoluteUri = Model.Vulnerability.Response.ResponseUri.AbsoluteUri;
	var attackParameter = Model.Vulnerability.Response.UriManager.AttackParameter;
}URL: @Raw(Decode.Url(absoluteUri))
Certainty: @vuln.Certainty%
Confirmed: @vuln.IsConfirmed
@if(!string.IsNullOrEmpty(attackParameter.Value))
{
<text>
Parameter Name: @attackParameter.Name
Parameter Type: @attackParameter.Type
Attack Pattern: @Decode.Url(attackParameter.Value)
</text>
}

@foreach (var customFieldPair in vuln.CustomFields)
{
  @customFieldPair.Key<text> :</text> if (customFieldPair.Value.HasMultipleValues)
  {
	foreach (var value in customFieldPair.Value.Values)
	{
<text>@value</text>
	}
  }
  else
  {
	@customFieldPair.Value.Value
  }
}

You can modify this template or create other templates based on this. You may also select the template to use on the settings pane of your send to action. Here is a sample email that is sent using this template:

Testing the Send To Action

As you may have noticed this Send To action doesn’t support testing while configuring it through the settings user interface. If you want your Send To action to be testable you need to implement ISendToActionTestable rather than ISendToAction.

And since this interface has an extra method called Test(), it should be implemented too. By using  this method, you simply need to test whether the provided settings are valid and return a SendToActionTestResult either with a success or fail information.

Conclusion

And that’s it! You have just implemented a basic Send To action. Even though it requires a little bit more polishing and error checking, you may use this code to send the details of the vulnerabilities discovered by Netsparker web application security scanner as emails. You can also download the full source code of this example from here.


example.zip


Netsparker

Dead accurate, fast & easy-to-use Web Application Security Scanner

DOWNLOAD DEMO TRY ONLINE SCAN