Faction: Open-source pentesting report generation and collaboration framework
Faction is an open-source solution that enables pentesting report generation and assessment collaboration.
Josh Summitt, the creator of Faction, has always disliked the process of writing reports, preferring to focus on uncovering bugs. A key frustration for him was the redundant step of using a separate note-taking app for storing screenshots and findings before compiling the final report.
He envisioned an integrated solution where the report generation tool would serve as the note-taking platform, incorporating all the standard templates typically used in reports. He hopes Faction will help others save time, reduce stress, and improve their information security workflow.
“I built Faction to be extendable in ways like you would extend BurpSuite. It’s designed to be flexible and extended to fit seamlessly in any environment. It is easy for internal teams to build and support their small modules versus a large code base. In addition, I hope the project will get a growing list of prebuilt modules developed by the community to expand capabilities without requiring internal development,” Summitt told Help Net Security.
With Faction, you can:
- Streamline penetration testing and security assessment reporting through automation.
- Support peer review and track changes made to reports.
- Design docx report templates for different assessment types and follow-up retests.
- Collaborate in real time with other assessors through the web application and the Burp Suite extensions.
- Use adaptable vulnerability templates, with 75 pre-filled options included.
- Manage assessment teams and monitor progress across the organization.
- Track vulnerability remediation with tailored SLA warnings and notifications.
- Integrate with other tools through a comprehensive REST API.
- Integrate with LDAP, OAuth 2.0 and SMTP.
- Extend it with custom plugins, similar to Burp Extender.
- Define custom report variables.
The developer is currently working on improving Faction's extensibility by introducing a full app store, similar to those found in platforms like Slack and Burp. This will allow additional features, such as custom UI elements, to be added as installable apps.
“Faction has had a strong focus on penetration testing from an application security mindset. I want to expand that to be more Red and Blue Team inclusive. Not that it won’t work for these teams out of the box but it could be more flexible,” Summitt added.
Faction is available for free on GitHub.
More open-source tools to consider:
- Latio Application Security Tester: Use AI to scan your code
- CVEMap: Open-source tool to query, browse and search CVEs
- Adalanche: Open-source Active Directory ACL visualizer, explorer
- AuthLogParser: Open-source tool for analyzing Linux authentication logs
- DriveFS Sleuth: Open-source tool for investigating Google Drive File Stream’s disk forensic artifacts
- Subdominator: Open-source tool for detecting subdomain takeovers
- EMBA: Open-source security analyzer for embedded devices