While I was preparing for an important exam, based on the feed-backs and reviews from other people I figured that the report is the most part of grading.
However, I should note that whether you are solving an exam or doing a real-world pentest, the most important part of your work and maybe painful is preparing a proper report.
Your brand won’t be just the bugs you have found, I can assure you that a perfect report can increase the quality of your work.
Consider a situation you have found some Critical, High, Medium, Low bugs and some of the bugs can be chained and usable in exploiting other bugs. In your report you should take care that have an eye on both sides.
Try your best to first begin with Critical bugs, and also take care the scenarios and cause & effect side of the bugs. I think it is the most vital thing that many security researchers don’t pay attention to it.
I am kind of a guy who likes simple and classic things. As a result My template was pretty clean and simple something like this:
I think it’s not necessary to explain anything about it just take note which part you should mention. I also included the logo of the company at the top-right of every single page.
If you are a movie buff definitely you have seen the parts something like: “In this episode…”
Table of Contents is the same:
Mention bugs under the Technical Details
I just add some necessary images and notes. not going to explain too much.
Document Control
Executive Summary
Assessment Summary
Then you will come up with Technical Summary.
In this part you should mention your scope very briefly such as hosts and ip addresses and at the end of it should bring a table that what are the vulnerabilities.
Now go ahead with the details of each vulnerability you discovered.
First bring a comprehensive explanation and after that bring the table of Vulnerability Details which includes which targets it affects, Attack Vectors, Impact and some references to the vulnerability.
then attach Proof of Concept and finally Remediation Guidance with some proper references.
!!! Remember those references should be valid not just searching around the web and attach something relative. Some references like OWASP, Portswigger, Inviciti, and etc.
As you are considering the proper flow of writing report I mentioned earilier, the report has an ending as well.
This image is Appendices part of my report which was just Web/API pentesting so based on the type of pentest you have conducted it should be altered.
As a lazy guy, (Just kidding XD) I tried to represent a brief guide on how to write a professional pentest report especially web app pentest report.
It is just some important notes and guidelines which you can definitely change it as you wish.
I would be grateful to tell me about my articles and have your opinion.
LinkedIn: https://www.linkedin.com/in/ahmad-reza-parsi-zadeh/
