# Reporting

## Report Structure

### Executive Summary

```
Target Audience: C-level executives, management
Length: 1-2 pages

Include:
- Engagement overview (scope, dates, methodology)
- Key findings summary (critical/high count)
- Overall risk assessment (Critical/High/Medium/Low)
- Top 3-5 recommendations
- Business impact statement

Avoid:
- Technical jargon
- Detailed exploitation steps
- Overwhelming statistics
```

### Technical Findings

```
For each finding:

1. Title
   - Clear, descriptive (e.g., "SQL Injection in Login Form")

2. Severity Rating
   - Critical / High / Medium / Low / Informational
   - Include CVSS score if applicable

3. Affected Asset(s)
   - URL, IP, hostname, application name

4. Description
   - What the vulnerability is
   - Why it matters
   - Technical explanation

5. Evidence/Proof of Concept
   - Screenshots
   - Request/response captures
   - Step-by-step reproduction

6. Impact
   - What an attacker could achieve
   - Business implications

7. Remediation
   - Specific fix recommendations
   - Code examples if applicable
   - Reference documentation

8. References
   - CVE numbers
   - OWASP links
   - Vendor advisories
```

### Finding Template

````markdown
## [SEVERITY] Finding Title

### Overview
Brief description of the vulnerability.

### Affected Assets
- https://app.target.com/login
- 192.168.1.100:8080

### Technical Details
Detailed explanation of the vulnerability and how it was discovered.

### Proof of Concept

**Request:**
```http
POST /api/login HTTP/1.1
Host: app.target.com
Content-Type: application/json

{"username":"admin' OR '1'='1","password":"test"}
```

**Response:**
```http
HTTP/1.1 200 OK
{"status":"authenticated","user":"admin"}
```

### Impact
An attacker could bypass authentication and gain administrative access to the application, potentially leading to:
- Data breach of customer information
- Unauthorized financial transactions
- Complete system compromise

### CVSS Score
**8.6 (High)** - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

### Remediation
1. Use parameterized queries or prepared statements
2. Implement input validation
3. Apply principle of least privilege to database accounts

**Secure Code Example:**
```python
cursor.execute("SELECT * FROM users WHERE username = %s", (username,))
```

### References
- [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
- [CWE-89](https://cwe.mitre.org/data/definitions/89.html)
````

## Severity Ratings

### CVSS 3.1

```
Base Score Range:
- 0.0: None
- 0.1 - 3.9: Low
- 4.0 - 6.9: Medium
- 7.0 - 8.9: High
- 9.0 - 10.0: Critical

Calculator: https://www.first.org/cvss/calculator/3.1

Key Metrics:
- Attack Vector (AV): Network/Adjacent/Local/Physical
- Attack Complexity (AC): Low/High
- Privileges Required (PR): None/Low/High
- User Interaction (UI): None/Required
- Scope (S): Unchanged/Changed
- Confidentiality Impact (C): None/Low/High
- Integrity Impact (I): None/Low/High
- Availability Impact (A): None/Low/High
```

### Custom Severity Matrix

```
CRITICAL:
- Remote code execution
- Authentication bypass (admin)
- SQL injection with data exfiltration
- Unauthenticated access to sensitive data

HIGH:
- Stored XSS affecting admins
- SSRF with internal access
- Privilege escalation
- Sensitive data exposure

MEDIUM:
- Reflected XSS
- CSRF on sensitive functions
- Information disclosure
- Missing security headers

LOW:
- Verbose error messages
- Directory listing
- Missing cookie flags
- Minor information disclosure

INFORMATIONAL:
- Best practice recommendations
- Defense in depth suggestions
- No direct security impact
```

## Writing Tips

### Do's

```
✓ Be clear and concise
✓ Provide actionable recommendations
✓ Include evidence (screenshots, logs)
✓ Explain business impact
✓ Prioritize findings by risk
✓ Use consistent formatting
✓ Proofread for errors
✓ Test all PoC steps before including
✓ Redact sensitive data appropriately
✓ Include positive observations
```

### Don'ts

```
✗ Use inflammatory language
✗ Include personal opinions
✗ Provide incomplete findings
✗ Use unexplained jargon
✗ Include raw tool output without context
✗ Make assumptions without evidence
✗ Include out-of-scope findings
✗ Forget to mention failed attacks
✗ Leave credentials in screenshots
✗ Submit without review
```

## Report Templates

### Markdown Report

```markdown
# Penetration Test Report
## [Client Name]
### [Date Range]

---

# Document Control
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | 2024-01-15 | Tester | Initial draft |
| 1.1 | 2024-01-17 | Reviewer | Final review |

# Confidentiality Statement
This document contains confidential information...

---

# 1. Executive Summary
[Summary content]

# 2. Scope
## 2.1 In Scope
- app.target.com
- api.target.com
- 192.168.1.0/24

## 2.2 Out of Scope
- Production database
- Third-party integrations

# 3. Methodology
[Testing approach, tools used]

# 4. Findings Summary

| # | Finding | Severity | Status |
|---|---------|----------|--------|
| 1 | SQL Injection | Critical | Open |
| 2 | XSS in Search | High | Open |
| 3 | Missing HTTPS | Medium | Open |

# 5. Detailed Findings
[Individual findings using template above]

# 6. Recommendations Summary
[Prioritized remediation roadmap]

# Appendix A: Tool Output
[Raw scan results if needed]

# Appendix B: Glossary
[Technical terms explained]
````

## Report Generation Tools

### Automated Tools

```bash
# Dradis - Collaboration and reporting
# https://dradisframework.com/
docker run -d -p 3000:3000 dradis/dradis-ce

# Ghostwriter - Report management
# https://github.com/GhostManager/Ghostwriter
# Run from a clone of the repository
docker-compose up

# Pwndoc - Pentest report generator
# https://github.com/pwndoc/pwndoc
# Run from a clone of the repository
docker-compose up

# Serpico - SimplE RePort wrIting and CollaboratiOn
# https://github.com/SerpicoProject/Serpico
# Run from a clone of the repository
docker-compose up
```

### Screenshot Tools

```bash
# Flameshot
flameshot gui

# Greenshot (Windows)
# Capture with annotations

# Terminal capture
script -q capture.txt
# Run commands
exit
# Output saved to capture.txt

# asciinema for terminal recording
asciinema rec demo.cast
```

## Deliverables Checklist

```
□ Executive Summary (PDF)
□ Technical Report (PDF)
□ Raw findings spreadsheet (Excel/CSV)
□ Evidence archive (ZIP, encrypted)
□ Remediation tracker
□ Presentation slides (if required)
□ Debrief meeting scheduled
□ All credentials/access revoked
□ Test data cleaned up
```

## Common Sections

### Methodology Description

```markdown
## Testing Methodology

This assessment followed industry-standard methodologies including:

- **OWASP Testing Guide v4.2** - Web application testing
- **PTES** - Penetration Testing Execution Standard
- **NIST SP 800-115** - Technical Guide to Information Security Testing

### Phases:
1. **Reconnaissance** - OSINT and passive information gathering
2. **Enumeration** - Active scanning and service identification
3. **Vulnerability Analysis** - Manual and automated testing
4. **Exploitation** - Controlled exploitation of identified vulnerabilities
5. **Post-Exploitation** - Impact assessment and lateral movement testing
6. **Reporting** - Documentation and remediation guidance
```

### Risk Rating Explanation

```markdown
## Risk Rating Methodology

Findings are rated based on:

1. **Likelihood of Exploitation**
   - Skill level required
   - Availability of exploit code
   - Network accessibility

2. **Potential Impact**
   - Confidentiality breach
   - Integrity compromise
   - Availability disruption
   - Business/regulatory impact

3. **Ease of Remediation**
   - Quick fix vs. architectural change
   - Resource requirements
   - Potential for regression
```

## Resources

* [PTES - Penetration Testing Execution Standard](http://www.pentest-standard.org/)
* [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
* [TCM Security Report Template](https://github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report)
* [SANS Penetration Testing Report Template](https://www.sans.org/white-papers/)
* [Offensive Security Report Template](https://www.offensive-security.com/reports/)


