Users can upload vulnerabilities found during a pentesting assessment. Vulnerabilities and related Assets can be added manually by users or imported in bulk using a CSV or XLSX file.
Templates are available in the application or below:
CSV template: pentest_campaign_template.csv
XLSX template: pentest_campaign_template.xlsx
The table below describes each field and its allowed values. Feel free to reach our Support Team at [email protected]
Value | Format | Blank allowed | Examples | Comments |
Ref | string | Yes | PROJ_001 | Free text |
Category | string | Yes | INJ | Free text |
Title | string | No | Unauthenticated SQL Injection | Free text |
Asset | string | No | patrowl.io share.patrowl.io | Free text |
Asset Type | Allowed values: | No | domain | Enumeration |
Asset Exposure | Allowed values: | No | external | Enumeration |
Severity | Allowed values: | Yes (default value: | info | Enumeration |
Authentication | string | Yes | Unauthenticated | Free text |
CVSS Vector | string (format: CVSS Vector) | Yes | CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L | Free text |
CVSS Score | float (0-10.0) | Yes | 7.5 | Note: the CVSS score is not recalculated from the CVSS Vector |
Description | string | No | Unauthenticated SQL injection on formular XXX... | Free text |
Business Impact Description | string | Yes | Ransom on data, publication, stealing | Free text |
SOC IOC | string | Yes | SQL comment in form XXX | Content of this cell will be copied in the remediation description |
Has Public exploit | Allowed values: | No | True | Enumeration |
Remediation | string | Yes | Upgrade component xx to version X.Z | Remediation steps and alternatives suggested by the security expert |
Remediation priority | Allowed values: | Yes | | Enumeration |
Remediation effort | Allowed values: | Yes (default value: | low | Enumeration |
Owner | string | Yes | | Free text. If the email refers to an existing Patrowl user, the account is mapped to the vulnerability |
Due date | Date format (DD/MM/YYYY) | Yes | 27/05/2024 | Date |
Retest date | Date format (DD/MM/YYYY) | Yes | 22/05/2024 | Date |
Retest result | string | Yes | fixed | Not supported yet |
Company | string | Yes | Pentest Corp. | Content will be added to the description of current campaign |
Caveats
Assets with type "URL": When a URL is imported, Patrowl parses the text and extracts the network location, that is, the domain, subdomain, FQDN or related IP address.
IPv6 addresses are not supported yet.
Error Handling
Imported files are verified before being processed by Patrowl. If an error occurs, the list of errors is displayed to the user and no data is stored.
Common mistakes include the date format, bad value selection and missing mandatory fields.
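A local pre-upload check for the rules stated on this page, as an added example (not Patrowl's own code): it flags blank mandatory fields, dates not in DD/MM/YYYY, CVSS scores outside 0-10.0 and IPv6 assets, collecting every error instead of stopping at the first. It assumes the CSV headers match the field names in the table; enumeration fields are not checked because their allowed values are not listed here, and the sample rows are constructed.

```python
import csv
import io
import ipaddress
from datetime import datetime
from urllib.parse import urlsplit

# Fields marked "Blank allowed: No" in the table (assumed to be the CSV headers).
MANDATORY = ["Title", "Asset", "Asset Type", "Asset Exposure",
             "Description", "Has Public exploit"]
# Constructed sample: line 2 is valid, line 3 breaks four rules.
SAMPLE = (
    "Title,Asset,Asset Type,Asset Exposure,CVSS Score,Description,Has Public exploit,Due date\n"
    "Unauthenticated SQL Injection,share.patrowl.io,domain,external,7.5,SQLi on form XXX,True,27/05/2024\n"
    ",https://[2001:db8::1]/admin,URL,external,11,Missing title,True,2024-05-27\n"
)

def cell(row, field):
    """Trimmed cell value; absent columns and short rows count as blank."""
    return (row.get(field) or "").strip()

def network_location(asset):
    """Host part of a URL asset, or the asset itself when it is not a URL."""
    return (urlsplit(asset).hostname or "") if "://" in asset else asset.strip()

def is_ipv6(host):
    try:
        return ipaddress.ip_address(host).version == 6
    except ValueError:  # a domain name, not an IP literal
        return False

def validate(csv_text):
    """Return (line, field, problem) for every error found; [] means clean."""
    errors = []
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        errors += [(n, f, "mandatory field is blank") for f in MANDATORY if not cell(row, f)]
        for f in ("Due date", "Retest date"):
            try:
                if cell(row, f):
                    datetime.strptime(cell(row, f), "%d/%m/%Y")
            except ValueError:
                errors.append((n, f, "expected DD/MM/YYYY"))
        score = cell(row, "CVSS Score")
        try:
            score_ok = not score or 0.0 <= float(score) <= 10.0
        except ValueError:
            score_ok = False
        if not score_ok:
            errors.append((n, "CVSS Score", "expected a float in 0-10.0"))
        if is_ipv6(network_location(cell(row, "Asset"))):
            errors.append((n, "Asset", "IPv6 addresses are not supported yet"))
    return errors
```

Calling `validate(SAMPLE)` reports four problems, all on line 3 of the file.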
Attachments