This repository has been archived by the owner on May 3, 2020. It is now read-only.

Serpico Meta Language In Depth

gbena edited this page Sep 10, 2019 · 15 revisions

Meta language In-Depth

Here is the list of meta characters used in Serpico report templates:

Ω - A simple substitution variable.

ΩFULL_COMPANY_NAMEΩ

renders as:
Acme Corporation

§ - A User Defined Variable (UDV). These can be added by the user through the UI and are useful for adding your own variables to a report. Note that the name you choose for a user defined variable needs to be lower case.

§my_executive_summary§

renders as:
Whatever the user has placed in the UI.

¬ - for each

¬finding¬
STUFF
∆

Renders as a loop over every finding, printing 'STUFF' once per finding. ∆ closes the loop.

π - Substitution variable inside of for loops. Do not use Ω inside of a for loop.

¬report/findings_list/findings¬
πtitleπ
∆

Renders the finding title for every finding in the findings_list of the report.

NOTE: You can attach multiple if conditions to a for loop, each introduced by :::; an item is printed only when all of them hold:

¬report/findings_list/findings:::DREAD_TOTAL<50:::DREAD_TOTAL>30¬
πtitleπ
∆

# This is read as:
for each finding
    if dread_total is less than 50
        if dread_total is greater than 30
            print title
close the for loop and both ifs (∆)
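The nesting described above, as an added Ruby illustration (this is not Serpico's own generator in lib/xslt_generation.rb): it expands one ¬HEADER¬ … ∆ block into the XSLT that the "read as" reading implies, one xsl:if per ::: condition. The element names (dread_total, title) come from this page; lower-casing the field name in each condition and the exact XSLT emitted are assumptions made for this example.

```ruby
# Added example (not Serpico's own lib/xslt_generation.rb): expands one
# ¬HEADER¬ ... ∆ block into the nested XSLT implied by the "read as" text.
# Lower-casing the field name of each condition and the exact markup
# emitted are assumptions for this illustration.

# Escape text for use inside an XML attribute value.
def xml_escape(s)
  s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;').gsub('"', '&quot;')
end

# "report/findings_list/findings:::DREAD_TOTAL<50:::DREAD_TOTAL>30"
#   -> ["report/findings_list/findings", ["dread_total<50", "dread_total>30"]]
def parse_loop_header(header)
  path, *conds = header.split(':::')
  [path, conds.map { |c| c.sub(/\A\w+/) { |name| name.downcase } }]
end

# Inside the loop body a πnameπ becomes <xsl:value-of select="name"/>;
# any other text is copied through unchanged.
def body_to_xslt(body)
  body.gsub(/π([^π]+)π/) { "<xsl:value-of select=\"#{xml_escape($1)}\"/>" }
end

# One xsl:if per ::: condition, nested in header order; ∆ closes them all.
def for_each_to_xslt(meta)
  m = meta.match(/¬(?<header>[^¬]+)¬(?<body>.*?)∆/m)
  raise ArgumentError, 'expected ¬header¬ body ∆' unless m
  path, conds = parse_loop_header(m[:header])
  inner = body_to_xslt(m[:body].strip)
  # Wrap from the innermost condition outwards so the first condition ends up outermost.
  conds.reverse_each { |c| inner = "<xsl:if test=\"#{xml_escape(c)}\">#{inner}</xsl:if>" }
  "<xsl:for-each select=\"#{xml_escape(path)}\">#{inner}</xsl:for-each>"
end

if __FILE__ == $PROGRAM_NAME
  puts for_each_to_xslt("¬report/findings_list/findings:::DREAD_TOTAL<50:::DREAD_TOTAL>30¬\nπtitleπ\n∆")
end
```

Running it prints `<xsl:for-each select="report/findings_list/findings"><xsl:if test="dread_total&lt;50"><xsl:if test="dread_total&gt;30"><xsl:value-of select="title"/></xsl:if></xsl:if></xsl:for-each>`. The nested ifs are equivalent to the XPath predicate form `report/findings_list/findings[dread_total&lt;50][dread_total&gt;30]`, which is handy when you write raw XSLT in a ⁂ block.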

æ - for each loop for table rows only

::: - separates if conditions inside a loop header (it works the same way in ¬ and æ loops)

æreport/findings_list/findings:::DREAD_TOTAL>35æ

Renders a new table row for every finding with a DREAD total greater than 35.

∞ - Substitution variable inside of a for loop inside of a table. Only used in a table.

æreport/findings_list/findings:::DREAD_TOTAL>35æ ∞title∞

Renders a new table row with the title for every finding with a DREAD total greater than 35.

NOTE: You can create multiple lines inside of a table cell with a nested for loop. For example, to list the affected_hosts of each finding in a column of its own:

æreport/findings_list/findings:::DREAD_TOTAL>35æ

| title | affected hosts |
| --- | --- |
| ∞title∞ | ¬affected_hosts/paragraph¬π.π∆ |

The inner ¬affected_hosts/paragraph¬ … ∆ loop prints one line per affected host inside the cell; π.π is the current paragraph of that inner loop.

† - if conditional

† DREAD_SCORE > 1 †
HELLO WORLD
¥

Renders HELLO WORLD if the DREAD_SCORE is greater than 1; ¥ closes the if.

µ - Initiates choose/when structure

ƒ - The when value in a choose/when

÷ - The otherwise value in a choose/when (used when no ƒ value matched)

å - Ends the choose/when not in a for-each

≠ - Ends the choose/when inside of a for-each

¬overview/paragraph¬ 
µCONDITIONALµ π.π
ƒcodeƒ π.π
ƒitalicsƒ π.π
÷ π.π ≠

This takes each paragraph from the overview section of the finding. If the paragraph is labelled as code it is formatted as code, if labelled as italics it is formatted as italics, and otherwise (÷) it is printed plainly.
The "." means the current paragraph of the 'overview/paragraph' for loop, so π.π prints its text.

∆ - End for each

¥ - End if statement

String Comparison

- String Comparison Operator. Detail here: https://github.com/SerpicoProject/Serpico/wiki/Parsing-by-Assessment-Type-or-Performing-a-String-Comparison-in-a-Report

Inserting Screenshots

ツ - Inserts an uploaded screenshot. If you uploaded an attachment named "logo.png", write ツlogo.pngツ in your report and the image will be inserted at that point.

UDV Formatting

Formatting can also be applied to a UDV. For example, say my UDV is called appendix:

¬report/udv¬
¬appendix/paragraph¬ 
µCONDITIONALµ π.π
ƒcodeƒ π.π
ƒitalicsƒ π.π
÷ π.π ≠
∆

XSLT code block symbol

The ⁂ character can be used to add XSLT code blocks. This is especially useful for things that would otherwise require creating new nodes, changing the state of the current node, building complex conditions, calling XSLT functions, etc.

There are two ways of using this symbol. On its own, ⁂ inserts the code block in the paragraph where it was written, which is what you want for inline output, for example when concatenating multiple items into a single sentence:

During this engagement, the testers discovered ⁂
<xsl:for-each select="report/findings_list/findings/title">
  <xsl:choose>
    <xsl:when test="position() &lt; last()">
      <xsl:value-of select="concat(., ', ')"/>
    </xsl:when>
    <xsl:otherwise>
      <xsl:value-of select="concat('and ',.)"/>
    </xsl:otherwise>
  </xsl:choose>
</xsl:for-each>
⁂. Many of the vulnerabilities were […]

Every element in the block must be closed (the </xsl:choose> above is easy to forget); an unclosed element makes the generated XSLT malformed and breaks the template. Note also that with exactly one finding only the otherwise branch runs, so the sentence reads "discovered and <title>".

The other way of using the triple star symbol is to follow it with an exclamation mark, ⁂!. This removes the paragraph element surrounding the XSLT code block, bypassing Word's behaviour of automatically wrapping everything in paragraph nodes. It is useful to modify the state of an element or to insert new elements such as a table of contents.

For example, if you put the following code into a cell, you can change the background colour of that individual cell according to the value it contains:

Note that this should be considered an advanced feature of the template language and should not be used to replace the other symbols. Using it requires a deeper understanding of the XML that Word generates; a malformed block will break the template.
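A pre-flight check for ⁂ blocks, added here as an example and not part of Serpico: it finds every ⁂ … ⁂ block in a template's text, records whether it was opened with ⁂! (drop the enclosing Word paragraph) or plain ⁂ (keep it inline), and checks that the XSLT fragment's elements are balanced before it would be spliced into the document. The three template strings are constructed for this example; the inline one is this page's own sentence with its </xsl:choose> present, and the ⁂! one is an assumed use (emitting a whole paragraph when there are no findings).

```ruby
# Added example (not Serpico's template parser): extract ⁂ blocks and check
# that each XSLT fragment is well-formed enough not to break the template.
# A tag stack catches the usual mistake, an element that is never closed.
# The template strings below are constructed for this illustration.

XsltBlock = Struct.new(:strip_paragraph, :xslt)

# Opening, closing or self-closing tag; attribute values may not contain < or >.
TAG = /<(\/)?([A-Za-z_][\w:.-]*)(?:\s[^<>]*?)?(\/)?>/

# ⁂!body⁂ -> strip_paragraph = true, ⁂body⁂ -> strip_paragraph = false
def extract_xslt_blocks(text)
  text.scan(/⁂(!?)(.*?)⁂/m).map { |bang, body| XsltBlock.new(bang == '!', body.strip) }
end

# nil when every element is closed, otherwise a description of the first problem.
def unbalanced_tag(fragment)
  stack = []
  fragment.gsub(/<!--.*?-->/m, '').scan(TAG) do |closing, name, self_closing|
    next if self_closing
    if closing
      return "</#{name}> closes nothing" if stack.empty?
      return "</#{name}> but <#{stack.last}> is still open" if stack.last != name
      stack.pop
    else
      stack.push(name)
    end
  end
  stack.empty? ? nil : "<#{stack.last}> is never closed"
end

# Problems for all ⁂ blocks in a template, labelled by the form of ⁂ used.
def template_problems(text)
  extract_xslt_blocks(text).filter_map do |b|
    problem = unbalanced_tag(b.xslt)
    "#{b.strip_paragraph ? '⁂!' : '⁂'} block: #{problem}" if problem
  end
end

# The page's inline sentence, with its <xsl:choose> properly closed.
INLINE_OK = <<~TPL
  During this engagement, the testers discovered ⁂
  <xsl:for-each select="report/findings_list/findings/title">
    <xsl:choose>
      <xsl:when test="position() &lt; last()">
        <xsl:value-of select="concat(., ', ')"/>
      </xsl:when>
      <xsl:otherwise>
        <xsl:value-of select="concat('and ',.)"/>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:for-each>
  ⁂. Many of the vulnerabilities were ...
TPL

# The same block with </xsl:choose> left out: this is what breaks a template.
INLINE_BROKEN = INLINE_OK.sub(%r{^\s*</xsl:choose>\n}, '')

# A ⁂! block (assumed usage): emits a paragraph of its own when there are no
# findings, which only works because ⁂! removes Word's surrounding paragraph.
BANG_OK = <<~TPL
  ⁂!<xsl:if test="count(report/findings_list/findings) = 0">
  <w:p><w:r><w:t>No findings were identified.</w:t></w:r></w:p>
  </xsl:if>⁂
TPL

if __FILE__ == $PROGRAM_NAME
  [INLINE_OK, INLINE_BROKEN, BANG_OK].each { |t| p template_problems(t) }
end
```

Run it against a template's extracted text before you upload the template; the broken variant reports `⁂ block: </xsl:for-each> but <xsl:choose> is still open`, which is far easier to act on than a failed report generation. The check is deliberately tag-level only: it will not validate XSLT semantics or WordprocessingML structure, so a block that passes can still produce a document Word refuses to open.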

Finding Components

The following are the components of a finding that are accessible. For example in:

¬report/findings_list/findings¬
πtitleπ
∆

Attribute List:

title
damage
reproducability
exploitability
affected_users
discoverability
effort
type
dread_total
cvss_total
overview
poc
remediation
notes
assessment_type
references
risk
affected_hosts
presentation_points

For CVSSv2, CVSSv3:
c2_vs - CVSSv2 vector string
c3_vs - CVSSv3 vector string

Example Sets

Here is some example markup for pulling information into your reports.

For CVSS Ratings:

¬report/findings_list/findings:::cvss_total>=9¬

This loop repeats for every finding with a cvss_total of 9 or higher (Critical rating).

¬report/findings_list/findings:::cvss_total>=7:::cvss_total<9¬

This loop repeats for every finding with a cvss_total from 7 up to, but not including, 9 (High rating).

To filter what type of findings you want displayed, here is a more advanced listing of findings:

¬report/findings_list/findings:::cvss_total>0:::cvss_total<4:::translate(type,$up,$low)!=translate('Administrative',$up,$low):::translate(type,$up,$low)!=translate('Technical',$up,$low):::translate(type,$up,$low)!=translate('Physical',$up,$low)¬

This lists all findings with a cvss_total greater than 0 and less than 4 (Low rating), excluding those whose type is Administrative, Technical or Physical. The translate() calls lower-case both sides of each comparison, so the type match is case-insensitive.
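To see exactly which findings the three headers above select, here is an added Ruby evaluator (not Serpico code; Serpico evaluates these conditions as XPath inside the generated XSLT) that applies the ::: filters to in-memory findings. It goes slightly beyond the page's examples by handling both condition shapes shown here, numeric comparisons and the translate(...,$up,$low) case-insensitive string compare. The findings data is constructed for this example; note how a 9.0 finding lands in Critical and not High, and how a type spelled "administrative" is still excluded.

```ruby
# Added example (not Serpico code): evaluate the ::: filters of a loop header
# against constructed findings, to show which findings each CVSS bucket selects.

FINDINGS = [
  { title: 'RCE in upload handler', cvss_total: 9.8, type: 'Web Application' },
  { title: 'Stored XSS',            cvss_total: 9.0, type: 'Web Application' },
  { title: 'Weak TLS ciphers',      cvss_total: 7.4, type: 'Network' },
  { title: 'Verbose banner',        cvss_total: 3.1, type: 'network' },
  { title: 'No visitor log',        cvss_total: 2.0, type: 'Physical' },
  { title: 'Stale password policy', cvss_total: 1.5, type: 'administrative' },
  { title: 'Informational note',    cvss_total: 0.0, type: 'Network' },
].freeze

# The three loop headers from this page.
CRITICAL = 'report/findings_list/findings:::cvss_total>=9'
HIGH     = 'report/findings_list/findings:::cvss_total>=7:::cvss_total<9'
LOW_NON_GENERIC = [
  'report/findings_list/findings:::cvss_total>0:::cvss_total<4',
  %q[translate(type,$up,$low)!=translate('Administrative',$up,$low)],
  %q[translate(type,$up,$low)!=translate('Technical',$up,$low)],
  %q[translate(type,$up,$low)!=translate('Physical',$up,$low)],
].join(':::')

NUMERIC  = /\A(\w+)(>=|<=|!=|=|>|<)(-?\d+(?:\.\d+)?)\z/
CASEFOLD = /\Atranslate\((\w+),\$up,\$low\)(!=|=)translate\('([^']*)',\$up,\$low\)\z/

def compare(lhs, op, rhs)
  case op
  when '>'  then lhs > rhs
  when '<'  then lhs < rhs
  when '>=' then lhs >= rhs
  when '<=' then lhs <= rhs
  when '='  then lhs == rhs
  when '!=' then lhs != rhs
  end
end

# Turn one ::: condition into a predicate over a finding hash.
def condition_to_proc(cond)
  if (m = cond.match(NUMERIC))
    field, op, num = m[1].downcase.to_sym, m[2], m[3].to_f
    ->(f) { compare(f.fetch(field).to_f, op, num) }
  elsif (m = cond.match(CASEFOLD))
    # translate(x,$up,$low) lower-cases x, so both sides compare case-insensitively.
    field, op, literal = m[1].downcase.to_sym, m[2], m[3].downcase
    ->(f) { compare(f.fetch(field).to_s.downcase, op, literal) }
  else
    raise ArgumentError, "unsupported condition: #{cond}"
  end
end

# Every condition must hold (the nested xsl:if semantics); returns the selected titles.
def select_findings(header, findings = FINDINGS)
  _path, *conds = header.split(':::')
  predicates = conds.map { |c| condition_to_proc(c) }
  findings.select { |f| predicates.all? { |p| p.call(f) } }.map { |f| f[:title] }
end

if __FILE__ == $PROGRAM_NAME
  { 'Critical' => CRITICAL, 'High' => HIGH, 'Low, non-generic' => LOW_NON_GENERIC }.each do |label, header|
    puts "#{label}: #{select_findings(header).join(', ')}"
  end
end
```

With the data above, Critical selects "RCE in upload handler" and "Stored XSS", High selects only "Weak TLS ciphers", and the Low filter selects only "Verbose banner". Use the same approach when you add your own buckets: check the boundary values explicitly so that no finding falls into two sections or into none.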

Reporting Components

The following are the components of a report that are accessible. For example, ΩFULL_COMPANY_NAMEΩ.

consultant_name
consultant_company
consultant_phone
consultant_email
contact_name
contact_phone
contact_email
contact_city
contact_address
contact_zip
full_company_name
short_company_name
company_website
assessment_end_date
assessment_start_date

Variables in Headers/Footers of a document

The following meta characters are supported in the header or footer of a document:

Ω
§