Reporting

Report Structure

Executive Summary

Target Audience: C-level executives, management
Length: 1-2 pages

Include:
- Engagement overview (scope, dates, methodology)
- Key findings summary (critical/high count)
- Overall risk assessment (Critical/High/Medium/Low)
- Top 3-5 recommendations
- Business impact statement

Avoid:
- Technical jargon
- Detailed exploitation steps
- Overwhelming statistics

Technical Findings

For each finding:

1. Title
   - Clear, descriptive (e.g., "SQL Injection in Login Form")

2. Severity Rating
   - Critical / High / Medium / Low / Informational
   - Include CVSS score if applicable

3. Affected Asset(s)
   - URL, IP, hostname, application name

4. Description
   - What the vulnerability is
   - Why it matters
   - Technical explanation

5. Evidence/Proof of Concept
   - Screenshots
   - Request/response captures
   - Step-by-step reproduction

6. Impact
   - What an attacker could achieve
   - Business implications

7. Remediation
   - Specific fix recommendations
   - Code examples if applicable
   - Reference documentation

8. References
   - CVE numbers
   - OWASP links
   - Vendor advisories

Finding Template

## [SEVERITY] Finding Title

### Overview
Brief description of the vulnerability.

### Affected Assets
- https://app.target.com/login
- 192.168.1.100:8080

### Technical Details
Detailed explanation of the vulnerability and how it was discovered.

### Proof of Concept

**Request:**
```http
POST /api/login HTTP/1.1
Host: app.target.com
Content-Type: application/json

{"username":"admin' OR '1'='1","password":"test"}

Response:

HTTP/1.1 200 OK
{"status":"authenticated","user":"admin"}

Impact

An attacker could bypass authentication and gain administrative access to the application, potentially leading to:

Data breach of customer information
Unauthorized financial transactions
Complete system compromise

CVSS Score

8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Remediation

Use parameterized queries or prepared statements
Implement input validation
Apply principle of least privilege to database accounts

Secure Code Example:

cursor.execute("SELECT * FROM users WHERE username = %s", (username,))

References


## Severity Ratings

### CVSS 3.1

Base Score Range:

0.0 : None
0.1 - 3.9 : Low
4.0 - 6.9 : Medium
7.0 - 8.9 : High
9.0 - 10.0 : Critical

Calculator: https://www.first.org/cvss/calculator/3.1

Key Metrics:

Attack Vector (AV): Network/Adjacent/Local/Physical
Attack Complexity (AC): Low/High
Privileges Required (PR): None/Low/High
User Interaction (UI): None/Required
Scope (S): Unchanged/Changed
Confidentiality Impact (C): None/Low/High
Integrity Impact (I): None/Low/High
Availability Impact (A): None/Low/High


### Custom Severity Matrix

CRITICAL:

Remote code execution
Authentication bypass (admin)
SQL injection with data exfiltration
Unauthenticated access to sensitive data

HIGH:

Stored XSS affecting admins
SSRF with internal access
Privilege escalation
Sensitive data exposure

MEDIUM:

Reflected XSS
CSRF on sensitive functions
Information disclosure
Missing security headers

LOW:

Verbose error messages
Directory listing
Missing cookie flags
Minor information disclosure

INFORMATIONAL:

Best practice recommendations
Defense in depth suggestions
No direct security impact


## Writing Tips

### Do's

✓ Be clear and concise ✓ Provide actionable recommendations ✓ Include evidence (screenshots, logs) ✓ Explain business impact ✓ Prioritize findings by risk ✓ Use consistent formatting ✓ Proofread for errors ✓ Test all PoC steps before including ✓ Redact sensitive data appropriately ✓ Include positive observations


### Don'ts

✗ Use inflammatory language ✗ Include personal opinions ✗ Provide incomplete findings ✗ Use unexplained jargon ✗ Include raw tool output without context ✗ Make assumptions without evidence ✗ Include out-of-scope findings ✗ Forget to mention failed attacks ✗ Leave credentials in screenshots ✗ Submit without review


## Report Templates

### Markdown Report

```markdown
# Penetration Test Report
## [Client Name]
### [Date Range]

---

# Document Control
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | 2024-01-15 | Tester | Initial draft |
| 1.1 | 2024-01-17 | Reviewer | Final review |

# Confidentiality Statement
This document contains confidential information...

---

# 1. Executive Summary
[Summary content]

# 2. Scope
## 2.1 In Scope
- app.target.com
- api.target.com
- 192.168.1.0/24

## 2.2 Out of Scope
- Production database
- Third-party integrations

# 3. Methodology
[Testing approach, tools used]

# 4. Findings Summary

| # | Finding | Severity | Status |
|---|---------|----------|--------|
| 1 | SQL Injection | Critical | Open |
| 2 | XSS in Search | High | Open |
| 3 | Missing HTTPS | Medium | Open |

# 5. Detailed Findings
[Individual findings using template above]

# 6. Recommendations Summary
[Prioritized remediation roadmap]

# Appendix A: Tool Output
[Raw scan results if needed]

# Appendix B: Glossary
[Technical terms explained]

Report Generation Tools

Automated Tools

# Dradis - Collaboration and reporting
# https://dradisframework.com/
docker run -d -p 3000:3000 dradis/dradis-ce

# Ghostwriter - Report management
# https://github.com/GhostManager/Ghostwriter
docker-compose up

# Pwndoc - Pentest report generator
# https://github.com/pwndoc/pwndoc
docker-compose up

# Serpico - SimplE RePort wrIting and CollaboratiOn
# https://github.com/SerpicoProject/Serpico
docker-compose up

Screenshot Tools

# Flameshot
flameshot gui

# Greenshot (Windows)
# Capture with annotations

# Terminal capture
script -q capture.txt
# Run commands
exit
# Output saved to capture.txt

# asciinema for terminal recording
asciinema rec demo.cast

Deliverables Checklist

□ Executive Summary (PDF)
□ Technical Report (PDF)
□ Raw findings spreadsheet (Excel/CSV)
□ Evidence archive (ZIP, encrypted)
□ Remediation tracker
□ Presentation slides (if required)
□ Debrief meeting scheduled
□ All credentials/access revoked
□ Test data cleaned up

Common Sections

Methodology Description

## Testing Methodology

This assessment followed industry-standard methodologies including:

- **OWASP Testing Guide v4.2** - Web application testing
- **PTES** - Penetration Testing Execution Standard
- **NIST SP 800-115** - Technical Guide to Information Security Testing

### Phases:
1. **Reconnaissance** - OSINT and passive information gathering
2. **Enumeration** - Active scanning and service identification
3. **Vulnerability Analysis** - Manual and automated testing
4. **Exploitation** - Controlled exploitation of identified vulnerabilities
5. **Post-Exploitation** - Impact assessment and lateral movement testing
6. **Reporting** - Documentation and remediation guidance

Risk Rating Explanation

## Risk Rating Methodology

Findings are rated based on:

1. **Likelihood of Exploitation**
   - Skill level required
   - Availability of exploit code
   - Network accessibility

2. **Potential Impact**
   - Confidentiality breach
   - Integrity compromise
   - Availability disruption
   - Business/regulatory impact

3. **Ease of Remediation**
   - Quick fix vs. architectural change
   - Resource requirements
   - Potential for regression

Resources

PreviousSocial Engineering NextHardware Hacking

Last updated 8 days ago

Was this helpful?

hashtagReport Structure

hashtagExecutive Summary

hashtagTechnical Findings

hashtagFinding Template

hashtagImpact

hashtagCVSS Score

hashtagRemediation

hashtagReferences

hashtagReport Generation Tools

hashtagAutomated Tools

hashtagScreenshot Tools

hashtagDeliverables Checklist

hashtagCommon Sections

hashtagMethodology Description

hashtagRisk Rating Explanation

hashtagResources