Faction Extension API

Faction has the ability to extend its functionality on the server side. If you are familiar with writing BurpSuite extensions then this process should be somewhat familiar to you. If you are not it’s OK . We will walk through the specifics below.

  1. Create an Eclipse project. The name does not matter.
  2. Create a Class. In this case we will name it ExtenderStuff.java
  3. In your project right click and select Build Path -> Add External Archives.
  4. Select Extender.jar and open. It should now be part of your Eclipse Project.
  5. Now Copy the Skeleton Code Below:
    public class ExtenderStuff implements com.fuse.extender.AssessmentManager{
         @Override
         public Object[] assessmentChange(Assessment arg0, List arg1, Operation arg2) {
                return new Object [] {arg0, arg1};
         }
    }
    
  6. Note that above it returns Object [] {arg0, arg1}. This will update Faction’s database if the values change when this function returns. If you Return null it will NOT update Faction and only just send/process  information.
  7. Now we have a basic functional block of code we need to make it perform an action like send all vulnerabilities to an external vulnerability tracker and then update Faction with the tracking numbers. Modify the code to look like the following:
    public class ExtenderStuff implements com.fuse.extender.AssessmentManager{
    
    	@Override
    	public Object[] assessmentChange(Assessment arg0, List arg1, Operation arg2) {
    		System.out.println(arg0.getAppId()); // print application id
    		System.out.println(arg0.getName()); // print application Name
    		if(arg2 == Operation.Create) {
    			System.out.println("Assessment Created");
    		}
    		if(arg2 == Operation.Finalize) {
    			//Integration into vulnerability management system
    			for(Vulnerability v : arg1) {
    				//this can update vulns and send the updated values back into Faction
    				v= customFunctionToSendVulns(v);
    			}
    		}
    		return new Object [] {arg0, arg1}; // return updated assessment and vulnerability records. 
                    // Optionally return null to not update Faction after the process completes
    	}
    	
    	private Vulnerability customFunctionToSendVulns(Vulnerability v) {
    		//Pretend this sends to an external service to update the vuln
    		UUID uuid = UUID.randomUUID();
    		v.setTracking(uuid.toString());
    		return v;
    	}
    
    }
    
  8. Now check for compile errors, create some unit tests to make sure it works and then export the jar file.
  9. To run it on Faction there need to be at least two files added to the server. Extender.jar and MyExtension.jar need to be placed the in the /opt/faction/modules/ folder. Restart Faction and the modules will take affect when certain conditions are triggered.
    Notice in this case after an assessment is finalized that all tracking numbers are replaced with GUIDs. This is shown in the Remediation view below after the assessment is finalized.

 

Extensions Options available are:

  • Application Inventory – For integration with an external system that stores your corp application records
  • Assessment Manager – Create, Update, Finale, PeerReview events will trigger this module
  • Verification Manager – For managing retests. Create, Pass, Failed and Canceled Rests will trigger this module.
  • Vulnerability Manager – When vulnerabilities are added or updated to assessments.