Dradis 2.8 released!

  • Cleaner three-column layout
  • Smarter Ajax polling and auto-updating
  • New version of the Nmap upload plugin
  • New version of the Nessus upload plugin
  • ./verify.sh now checks that libxml2 is installed
  • Bugs fixed: #17, #31, #37, #43, #48


New in Dradis 2.8: three-column layout

In Dradis 2.8 we will have a brand new three-column layout.

We have already discussed that the current Dradis interface can get cluttered at times (Tidy up your note list). In Dradis 2.8 we are introducing a cleaner layout with less text in the note list and more space for the note's content. Here are some screenshots:


New in Dradis 2.8: smart refresh

One of the best features that we have been working on for the next release of Dradis will be an improved Ajax refresh feature.

We have prepared a small screencast to show it. Two different browsers are shown side by side. Notes and nodes added in one browser are replicated in the other.

Dradis 2.8 smart Ajax refresh by etdsoft

It is already in our GitHub repository so you are free to git pull and give it a shot. We will be very interested in hearing what you have to say.


Dradis Framework Guides

We have a new documentation site:

Check out the guides we have so far or contribute a new guide. Get involved!


Dradis 2.7.2 released!

This is a bug-fixing release which includes:

  • Several closed issues: #5, #9, #13, #14, #15, #16, #19, #20.
  • Improved startup scripts
  • Update Rails to 3.0.9

And all the goodness introduced in 2.7.1:
  • A cleaner, leaner note editor
  • Improved command line API with Thor (thor -T to view all commands)
  • New Configuration Manager to handle all plugin config settings
  • New Upload Manager that runs uploads in the background and updates the interface through Ajax
  • New plugins:
  • Updated plugins:
    • Nessus plugin supports .nessus v2
    • Vuln::DB import updated to support the latest release
  • Bugs fixed: #3, #4, #6, #7, #8, #10, #2888332, #2973256


Announcing Dradis Professional Edition

Note: this is a cross-post and can be found in the Security Roots blog too.

Today I am pleased to announce Dradis Framework Professional Edition. Back in 2007 when I started the Dradis Framework project I could not have anticipated the success that it would have. Four years, 3,000 commits, 19,000 downloads and 19 releases later we are still making a difference for hundreds of security professionals (and aficionados) out there.

Dradis was announced in the 1st edition of MWRICON after many hours of late-night coding. Today we have three full committers, a small number of trusted partial committers and dozens of contributors. Dradis 2.0 was a big thing, and when Dradis was featured in the Offensive Security's Metasploit Unleashed it was even bigger and Russ McRee's coverage for the toolsmith column of ISSA's magazine and our own chapter in Grey Hat Hacking and being included in BackTrack since BT4 and the talks at DC4420 and DEFCON 17 and so many other articles and references.

It was encouraging that some people believed in the project from the beginning. I am grateful that my current employer (NGS Secure which was still called NGSSoftware when I joined) and my previous one (MWR InfoSecurity) let me carry on working on Dradis as my side project and even gave me time to continue improving the tool.

We have come a long way... it was only a matter of time before organizations whose consultants were already using Dradis approached me to get some help to further tailor Dradis to their needs. Sometimes this consisted of helping them with small tweaks they were making to the code; other times it consisted of developing full-blown custom plugins for them to interconnect Dradis with their other systems or to produce reports in their particular format. That is why I started Security Roots Ltd in 2010.

Dradis was started by a security consultant, with the security consultant's needs and goals in mind (share information with the other teammates, portable, platform-independent, etc.). These are a subset of the needs and goals of the organization to which these consultants belong. The Technical Director of a security company understands the benefits of consultants using Dradis, but he needs more. He wants all his teams to work with Dradis in a standardized way. He wants everyone in the team to be able to use the latest version of Dradis without having to bother about upgrading and dependencies. He wants to be able to see how the different teams are doing, quickly check each team's findings, maybe even extract some metrics or generate interim reports for clients with the critical issues already captured by the teams.

Enter Dradis Framework Professional Edition, a virtual appliance that leverages the advanced features of Dradis and extends it to enable multiple teams to work concurrently:

  • It provides a centralized information repository:
    • Information is always available: during the project and afterwards.
    • Quickly inspect the project history or review the projects for a given user.
    • Ideal for teams that work across multiple time zones.
  • Hassle-free deployment: power up the virtual appliance and you and your team can start working and sharing information.
  • The virtual appliance is easy to update and back up.
  • Bundled with Vuln::DB, import issues to your Dradis projects from the central issue database.

I am thrilled about the prospect of making consultants' lives ever easier, helping organizations to work more effectively and to make sure their clients receive the best value for money. Let the consultants focus on what they are good at and what they enjoy most: breaking things while we minimize the hassle associated with the back-end tasks required to coordinate their efforts.

This is a great opportunity to make a difference. Let's make the most of it.

Lead developer


Include screenshots stored in Dradis in your Word report

Every week, a Dradis user somewhere is thinking: "Damn, it would be nice if I could get my screenshots in the Word report". The problem has been discussed in the forum and the mailing list before. It is quite simple actually: we need a way to get our screenshots (stored in Dradis as attachments) into the final report.

Up until now I thought that any solution to the problem would go through several layers of Word and WordML magic, packing and base64-encoding of the images. However, last week I realised that a simpler solution may exist. We are going to use a Word macro to do the heavy lifting.

The first thing we need is to upload our screenshot as an attachment in Dradis:

Then we need to include a reference to it in the text of our note. To do this, just double-click on the uploaded attachment and copy the URL assigned to it:

Note that in Textile (the markup language understood by Dradis) images are referenced by their URL between exclamation marks (!!). Make sure that the preview panel renders the image correctly. Otherwise review the URL:

(By the way, the screenshot is of the first entry from Google when searching for "Index of")

So, the last thing we need to do is to assign this note to the WordExport ready category and generate our Word report (export > Word export > Generate report):

And here comes the magic. I have created a Word macro (DradisScreenshot) that parses your document, searches for !! and pulls the corresponding images from your Dradis server.
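The reference-finding step described above, as an added JavaScript example (it is not the DradisScreenshot macro, which lives in the GitHub repository). It also checks that each URL belongs to the expected Dradis server before anything would be fetched with credentials. The host, port and attachment path in the sample are constructed values, and findImageRefs / partitionRefs are hypothetical names.

```javascript
// Added example, not the macro's code. Sample URLs below are constructed.

// Find Textile image references of the form !url! or !url(alt text)!.
function findImageRefs(text) {
  var re = /!([^\s!()]+)(?:\(([^)]*)\))?!/g;
  var refs = [];
  var m;
  while ((m = re.exec(String(text))) !== null) {
    refs.push({ url: m[1], alt: m[2] || '' });
  }
  return refs;
}

// Split references into those hosted on the expected Dradis server and the
// rest. Only the first group should ever be requested with credentials.
function partitionRefs(text, serverOrigin) {
  var result = { fetch: [], skip: [] };
  findImageRefs(text).forEach(function (ref) {
    var parsed;
    try {
      parsed = new URL(ref.url);          // rejects "!really!" style false hits
    } catch (e) {
      result.skip.push(ref.url);
      return;
    }
    // Compare the parsed origin, not a string prefix, and refuse URLs that
    // carry their own user:password part.
    var ok = parsed.origin === serverOrigin &&
             parsed.username === '' && parsed.password === '';
    (ok ? result.fetch : result.skip).push(ref.url);
  });
  return result;
}

// Constructed sample: one attachment on the server, one piece of ordinary
// punctuation that looks like a reference, one image hosted elsewhere.
var SAMPLE_REPORT = 'Directory listing found:\n' +
  '!https://localhost:3004/nodes/1/attachments/index_of.png!\n' +
  'Wow!really! And a remote one: !http://other.example/logo.png(logo)!';

console.log(partitionRefs(SAMPLE_REPORT, 'https://localhost:3004'));
```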

I'm working on a separate post describing the inner workings of the macro, including for instance why I could use a simpler approach (e.g. ) [hint, bad SSL cert + HTTP authentication]. In the meantime, you can just grab the code from GitHub: etdsoft/dradis-macros and start using it.

The result:

I've also added this as an icon in my "Quick Access Toolbar":

Hope you find this quick tip useful. The code of the macro is sparsely documented but it should do the trick. Remember to assign the temporary directory and if you find any issues, please report them in the issue tracker.


  1. Grab the Word macro from GitHub: etdsoft/dradis-macros
  2. Enjoy


Windows cannot find 'blundler' error on Dradis 2.7.1

Update May/26: An updated installer has been published that fixes the issue described below and is available through the download page.

The Dradis 2.7.1 Windows package (dradis-v2.7.1-setup.exe) that we released yesterday contains a typo in one of the batch files: server.bat.

If you try to run the file directly or through the Start menu start server icon, you will get an error message:

Windows cannot find 'blundler'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

In order to fix this, open the file in an editor (go to the Start menu icon, right click > Edit) and adjust it to:

@echo off

::If the script doesn't work, uncomment and adjust the following:
set PATH=c:\Ruby187\bin;%PATH%
set RAILS_ENV=production
set BASE=%~dp0
cd %BASE%\server\

start "Dradis Framework Server (Ctrl+C to terminate)" bundle exec rails server webrick

Thanks to Doug Ipperciel for bringing this to our attention.


Upgrading from Dradis 2.7.0 to 2.7.1

This week we are releasing Dradis Framework 2.7.1 which closes several bugs and brings a new note editor.

If you're new to Dradis or upgrading from an older (2.6.x, 2.5.x...) release, go ahead and download the full package from the downloads page.

However, if you already have a working install of Dradis 2.7.0 maybe you don't want to run the Windows installer again, or wait until your distro prepares an updated version of the package (did you know that BackTrack 5 shipped with Dradis 2.7.0?). Here is how to get the latest 2.7.1 code up and running.

Go to your install location:

In Windows:

c:\> cd %APPDATA%\dradis-2.7

In BackTrack:

# cd /pentest/misc/dradis

Back up the old server folder:

# mv server 2.7.0-server

Now you have a decision to make: upgrade to 2.7.1 or clone the Dradis repository so you can upgrade to 2.7.1 but also to any forthcoming releases (recommended).

Upgrading to 2.7.1

Download and uncompress the tarball for Dradis server 2.7.1 from GitHub:


Uncompress in the dradis-2.7 folder, renaming the extracted directory to just server.

Using git repository for easy upgrading

From the current folder, clone the Dradis git repository and point it to the latest release:

# git clone https://github.com/dradis/dradisframework.git server
# cd server
# git checkout -b REL-2.7.1 REL-2.7.1
# cd ..

Reset the environment and run the server

# ./reset.sh
# ./start.sh

If everything goes according to plan, you can now access Dradis on https://localhost:3004/ and in the top-right corner the version number will be 2.7.1.


Dradis 2.7.1 released!

This bug-fixing release features:

  • Several closed issues: #3, #4, #6, #7, #8 and #10.
  • A cleaner, leaner note editor:

And all the goodness introduced in 2.7.0:
  • Improved command line API with Thor (thor -T to view all commands)
  • New Configuration Manager to handle all plugin config settings
  • New Upload Manager that runs uploads in the background and updates the interface through Ajax
  • New plugins:
  • Updated plugins:
    • Nessus plugin supports .nessus v2
    • Vuln::DB import updated to support the latest release
  • Bugs fixed: #2888332, #2973256
  • Update Rails to 3.0.6


Dradis 2.7.0 in BackTrack 5

A couple of weeks ago, BackTrack 5 was released and it shipped with Dradis 2.7 out of the box. You can find your Dradis install in:


Run ./reset.sh to prepare the environment and ./start.sh to start the Dradis server.

Kudos to the BT team.


Tidy up your note list

After a few days of testing, your Notes view can become a bit cluttered. Although we are already discussing how to fix this for future releases, in this blog post we will see what can be done about it.

So imagine that you currently have something like this:

It is difficult to make some sense out of that mess. It would be nice if we could filter the Text shown for each issue and display just the Title field:

We are going to do this using a renderer function for our Text column. Fire up your editor and open


At around line#170, replace the existing renderer line with the following function:

What the new renderer does is look for notes that have a #[Title]# field defined and then extract the value of that title. Feel free to adjust the regular expression / extraction code to suit your needs.
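A renderer of the kind described above, as an added example; it is not the function from the original post. It assumes a field is written as "#[Name]#" on its own line with its value on the lines below, and that the grid calls the renderer with the cell's text as first argument and inserts the returned string as HTML, which is why the value is escaped. The names escapeHtml, extractField and titleRenderer are hypothetical.

```javascript
// Added example, not the original renderer from this post.
// Assumption: a field is "#[Name]#" on its own line with its value below it.

// Note text often comes from imported tool output, so escape it before the
// grid inserts it as HTML.
function escapeHtml(text) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Return the value of the "#[name]#" field, or null when absent or empty.
function extractField(noteText, name) {
  var lines = String(noteText).split(/\r?\n/);
  var collected = null;
  for (var i = 0; i < lines.length; i++) {
    var line = lines[i].trim();
    if (/^#\[[^\]]+\]#$/.test(line)) {
      if (collected !== null) { break; }            // the next field begins
      if (line === '#[' + name + ']#') { collected = []; }
      continue;
    }
    if (collected !== null) { collected.push(line); }
  }
  if (collected === null) { return null; }
  var value = collected.join('\n').trim();
  return value.length > 0 ? value : null;
}

// Column renderer: first line of the Title field, or a shortened first line
// of the note when no Title is defined.
function titleRenderer(value) {
  if (value === null || value === undefined) { return ''; }
  var text = extractField(value, 'Title');
  if (text === null) { text = String(value).trim(); }
  var firstLine = text.split(/\r?\n/)[0];
  if (firstLine.length > 60) { firstLine = firstLine.slice(0, 57) + '...'; }
  return escapeHtml(firstLine);
}

// Constructed sample note, including markup that must not reach the page.
var SAMPLE_NOTE = '#[Title]#\nDirectory listing <b>/backup/</b>\n\n' +
  '#[Description]#\nThe server returns an index page for /backup/.';
console.log(titleRenderer(SAMPLE_NOTE));
```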

After making the change, you need to delete the JavaScript bundle (autogenerated) and reload your browser:

$ rm ./server/public/javascripts/all.js

That's it, nice and easy. Now we have a much cleaner notes grid.


Running Dradis Framework (2.7) in BackTrack4 R2

Following the series of articles on how to get the Dradis Framework running in different operating systems, this time it is the turn of BackTrack 4 R2.

Note this is almost a re-post of my Running Dradis Framework in BackTrack 4 R2 but updated to 2.7 (instead of 2.6.1).


Dradis 2.7 released!

  • Improved command line API with Thor (thor -T to view all commands)
  • New Configuration Manager to handle all plugin config settings
  • New Upload Manager that runs uploads in the background and updates the interface through Ajax
  • New plugins:
  • Updated plugins:
    • Nessus plugin supports .nessus v2
    • Vuln::DB import updated to support the latest release
  • Bugs fixed: #2888332, #2973256
  • Update Rails to 3.0.6


Dradis Framework live demo

You can try Dradis before downloading / installing. Check out our live demo at:



Dradis Framework in Grey Hat Hacking 3rd Edition

Grey Hat Hacking 3rd edition has a full chapter on Information Sharing During a Penetration Test featuring the Dradis Framework extensively.

Installation, configuration, upload, export and import plugins, OSVDB configuration are all covered. Some quotes:

The Dradis Server is the best way to collect and provide information sharing during a penetration test.

The real magic of Dradis occurs when multiple users enter data at the same time.

Access may be granted to the client, enabling them to keep abreast of the current status at all times. Later, when the assessment is done, a copy of the framework database may be left with the client as part of the report.


Dradis 2.6.1 released!

  • Update Rails to 3.0.4 and RedCloth to 4.2.5
  • Update the SSL certificate for 2011 (see ./server/conf/ssl/README)
  • Deal with Burp Scanner's opinionated handling of null bytes
  • Improve verify.sh to find Bundler even when not in the PATH
  • Fix the start.sh script to use UNIX forward slash instead of Windows back slash