security-cheatsheets/infosec/pentest-reporting.md
2025-04-16 01:32:05 -06:00

# Penetration Testing Reporting Cheatsheet
## General Report Structure Elements
| Section | Purpose | Key Components | Tips |
|---------|---------|----------------|------|
| **Cover Page** | Formal introduction to report | Client name, test dates, report date, classification | Include a security classification (e.g., Confidential) |
| **Executive Summary** | High-level overview for leadership | Key findings, risk rating, strategic recommendations | 1-2 pages, non-technical, business impact focus |
| **Scope & Methodology** | Define what was tested and how | Systems tested, approach used, tools employed | Be specific about what was in/out of scope |
| **Findings Overview** | Summarize discovered vulnerabilities | Risk ratings chart, vulnerability count by severity | Use visual aids (charts, graphs) |
| **Detailed Findings** | Technical details of each vulnerability | Title, severity, description, impact, reproduction steps, remediation | Include screenshots, code samples when helpful |
| **Risk Rating Methodology** | Explain how risk was calculated | Scoring system (CVSS), impact vs likelihood matrix | Ensures transparency in severity ratings |
| **Remediation Roadmap** | Prioritized fix recommendations | Short/medium/long-term actions, effort estimates | Help client prioritize fixes |
| **Conclusion** | Wrap-up and final thoughts | Overall security posture assessment, improvement trajectory | Positive but realistic tone |
| **Appendices** | Supporting technical details | Raw scan data, testing evidence, methodological details | Keep detailed logs here, not in main report |
## External Network Penetration Test Report
| Section | Specific Content | Important Elements |
|---------|------------------|-------------------|
| **Scope Definition** | External IP ranges, domains, exposed services | Clear network boundaries, exclusions |
| **Reconnaissance Findings** | Exposed information, digital footprint | OSINT results, information leakage assessment |
| **Network Findings** | Discovered vulnerabilities by host/service | Port scan results, service enumeration |
| **Perimeter Security Assessment** | Firewall, VPN, remote access evaluation | Configuration weaknesses, unnecessary exposure |
| **External Service Vulnerabilities** | Web, email, DNS, etc. vulnerabilities | Version information, misconfigurations |
| **Access Control Testing** | Authentication bypass attempts | Brute force results, credential findings |
| **Exfiltration Testing** | Data leakage test results | DLP effectiveness, unmonitored channels |
| **Social Engineering Results** | Phishing campaign results (if in scope) | Click rates, credential capture statistics |
| **Internet-Facing Application Findings** | Public application vulnerabilities | API security, exposed dev environments |
| **Threat Modeling** | Attack vectors assessment | Most likely attack paths |
## Internal Network Penetration Test Report
| Section | Specific Content | Important Elements |
|---------|------------------|-------------------|
| **Network Architecture Review** | Overview of internal design | Segmentation assessment, trust relationships |
| **Active Directory Assessment** | Domain security findings | Group Policy, privilege management issues |
| **Lateral Movement Findings** | Ability to move between systems | Successful pivoting techniques, trust exploitation |
| **Privilege Escalation Paths** | Routes to elevated access | Local to domain admin paths, misconfigurations |
| **Internal Service Vulnerabilities** | File shares, internal applications, databases | Access control issues, sensitive data exposure |
| **Password Policy Evaluation** | Password strength assessment | Password spray results, policy compliance |
| **Data Access Controls** | Sensitive data protection assessment | Unauthorized access findings, excessive permissions |
| **Endpoint Security Findings** | Workstation/server vulnerabilities | Missing patches, AV evasion success |
| **Network Device Security** | Switch, router, wireless findings | Management interface issues, protocol weaknesses |
| **Post-Exploitation Results** | Actions taken after initial compromise | Data accessed, persistence established |
## Web Application Penetration Test Report
| Section | Specific Content | Important Elements |
|---------|------------------|-------------------|
| **Application Overview** | Description of tested application | Functionality, technologies, architecture |
| **Authentication Mechanisms** | Login security assessment | Brute force, account recovery, session management |
| **Authorization Controls** | Access control evaluation | Vertical/horizontal privilege issues, IDOR |
| **Input Validation Findings** | Injection vulnerabilities | SQL, XSS, CSRF, XXE, command injection |
| **Business Logic Flaws** | Workflow/process vulnerabilities | Logical bypasses, process sequence issues |
| **Sensitive Data Exposure** | Data protection assessment | Encryption issues, exposure in transit/at rest |
| **API Security Findings** | API endpoint vulnerabilities | Authentication, rate limiting, RBAC issues |
| **Client-Side Security** | Browser-based vulnerabilities | DOM XSS, client-side validation bypass |
| **Security Headers & Configuration** | Server/application configuration | Missing headers, dangerous settings |
| **Third-Party Component Analysis** | Vulnerable dependencies | Outdated libraries, known CVEs |
| **OWASP Top 10 Coverage** | Mapping to OWASP categories | Comprehensive coverage confirmation |
## Mobile Application Penetration Test Report
| Section | Specific Content | Important Elements |
|---------|------------------|-------------------|
| **Application Architecture** | App design and components | Client-server interactions, technologies |
| **Reverse Engineering Results** | App code analysis findings | Obfuscation effectiveness, hardcoded secrets |
| **Local Data Storage** | Data storage security | Sensitive data in local storage, encryption issues |
| **Authentication & Session Management** | Login security, session handling | Token security, biometric implementation |
| **Network Communication** | API calls, data transmission | Certificate validation, encryption in transit |
| **Platform-Specific Issues** | iOS/Android security concerns | Permissions, intents/URL schemes, jailbreak detection |
| **Code Quality & Implementation** | Implementation vulnerabilities | Memory corruption, native code issues |
| **Privacy Concerns** | User data handling | Excessive data collection, tracking |
| **Backend API Security** | Server-side endpoint security | Same issues as web API testing |
| **OWASP MASVS Coverage** | Mobile security verification | Mapping to MASVS requirements |
## Cloud Security Assessment Report
| Section | Specific Content | Important Elements |
|---------|------------------|-------------------|
| **Cloud Architecture Review** | Cloud infrastructure design | Service models (IaaS/PaaS/SaaS), deployment model |
| **Identity & Access Management** | IAM configuration security | Permissions, roles, privilege management |
| **Cloud Configuration Review** | Service configuration assessment | Misconfigurations, insecure defaults |
| **Storage Security** | Cloud storage evaluation | Bucket permissions, data classification issues |
| **Compute Security** | VM/container/serverless security | Patch management, hardening issues |
| **Network Security** | Cloud network controls | VPC design, security groups, NACLs |
| **Logging & Monitoring** | Visibility assessment | Log coverage, alerting configuration |
| **Key Management** | Encryption implementation | Key rotation, access controls |
| **Multi-Tenancy Risks** | Isolation effectiveness | Potential cross-tenant vulnerabilities |
| **Compliance Alignment** | Regulatory requirement gaps | Standards/framework alignment (e.g., CSA CCM) |
| **Provider-Specific Findings** | AWS/Azure/GCP specific issues | Service-specific vulnerabilities |
## AI System Penetration Test Report
| Section | Specific Content | Important Elements |
|---------|------------------|-------------------|
| **AI System Architecture** | System design and components | Model types, training pipeline, deployment |
| **Prompt Injection Findings** | LLM vulnerability assessment | Direct/indirect injection, jailbreaking success |
| **Model Security Testing** | Model-specific vulnerabilities | Adversarial examples, data extraction attempts |
| **Training Pipeline Security** | Development process security | Supply chain, data poisoning vectors |
| **API Security Assessment** | Interface security issues | Rate limiting, authentication, input validation |
| **Output Filtering Evaluation** | Safety mechanism assessment | Filter bypass success, content policy violations |
| **Data Privacy Analysis** | PII/sensitive data handling | Training data leakage, inference attacks |
| **Infrastructure Security** | Deployment environment security | Model hosting, vector database security |
| **MITRE ATLAS Mapping** | Tactic/technique correlation | Mapping findings to ATLAS framework |
| **MLOps Security** | Operational security issues | CI/CD, monitoring, update mechanisms |
| **Prompt Management Security** | System prompt protection | Prompt extraction success, prompt injection |
## IoT/OT Penetration Test Report
| Section | Specific Content | Important Elements |
|---------|------------------|-------------------|
| **Device Inventory** | Tested device details | Firmware versions, communication protocols |
| **Hardware Security** | Physical security findings | Debug ports, physical attack vectors |
| **Firmware Analysis** | Firmware security assessment | Extracted secrets, backdoors, update mechanisms |
| **Communication Protocol Security** | Protocol vulnerability findings | Encryption, authentication, protocol flaws |
| **Communication Interception** | Traffic analysis results | Cleartext data, weak encryption |
| **Device API Security** | Interface security issues | Authentication, authorization flaws |
| **OT Network Segmentation** | Isolation effectiveness | IT/OT boundary controls, zone separation |
| **Human-Machine Interface Security** | HMI vulnerability assessment | Access controls, input validation |
| **Control Systems Security** | ICS/SCADA specific findings | Protocol vulnerabilities, logic controllers |
| **Safety System Assessment** | Safety mechanism evaluation | Safety override possibilities, physical impact |
| **Operational Impact Analysis** | Business/safety implications | Real-world consequences of vulnerabilities |
## Remediation Guidance Best Practices
| Component | Description | Example |
|-----------|-------------|---------|
| **Clear Issue Title** | Descriptive vulnerability name | "Stored XSS in User Profile Comments" |
| **Severity Rating** | Risk level with justification | "High - Allows account takeover via stored payload" |
| **Detailed Description** | Technical explanation | "The application fails to sanitize HTML in user comments..." |
| **Proof of Concept** | Step-by-step reproduction | Numbered steps to reproduce the issue |
| **Evidence/Screenshots** | Visual documentation | Redacted screenshots showing vulnerability |
| **Affected Systems** | Scope of vulnerability | "All user profile pages across the application" |
| **Business Impact** | Real-world consequences | "Attackers could steal user credentials or perform actions as the victim" |
| **Remediation Steps** | Specific fix instructions | Code examples, configuration changes |
| **References** | Supporting information | CWE numbers, OWASP references, vendor docs |
| **Validation Method** | How to confirm the fix | Test cases to verify remediation |
## Reporting Tips by Audience
| Audience | Focus Areas | Format Tips | Language Considerations |
|----------|-------------|------------|------------------------|
| **Executive Leadership** | Business risk, cost implications | Brief summary, visual aids | Non-technical, business terms |
| **IT Management** | Resource planning, implementation strategy | Prioritized roadmap | Semi-technical, project management terms |
| **Security Team** | Technical details, security architecture | Comprehensive findings | Technical, security terminology |
| **Developers** | Implementation guidance, code examples | Specific remediation steps | Programming language-specific guidance |
| **Compliance Team** | Regulatory impact, compliance gaps | Mapping to requirements | Compliance framework terminology |
| **Third-Party Disclosure** | Responsible disclosure format | Minimal necessary details | Clear timeline expectations |
## Risk Rating Frameworks
| Framework | Components | Calculation | Best For |
|-----------|------------|-------------|----------|
| **CVSS v3.1** | Base, Temporal, Environmental | Score 0-10 from metrics | Standardized vulnerability rating |
| **OWASP Risk Rating** | Likelihood × Impact | Produces Low/Medium/High/Critical | Web application vulnerabilities |
| **DREAD** | Damage, Reproducibility, Exploitability, Affected users, Discoverability | Average of 5 factors (0-10) | Application security assessment |
| **Custom Severity Matrix** | Impact × Likelihood | Typically a 3×3 or 5×5 matrix | Organizational alignment |
| **Qualitative Rating** | Professional judgment | Low/Medium/High/Critical | When metrics are difficult to apply |
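The calculations in the table above, worked through as an added example (not part of the original cheatsheet): DREAD as the mean of five 0-10 factors, OWASP Risk Rating as 0-9 likelihood and impact averages bucketed and combined through OWASP's overall-severity matrix (which has a "Note" cell below Low), and a custom N×N matrix whose severity bands are an assumption to be replaced with the client's own policy.

```python
"""Consistent severity computation for the frameworks listed above.
Added example; the custom-matrix bands are an assumed policy, not a standard."""
from statistics import mean


def dread_score(damage, reproducibility, exploitability, affected_users, discoverability):
    """DREAD: average of the five factors, each rated 0-10."""
    factors = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 0 <= f <= 10 for f in factors):
        raise ValueError("DREAD factors must be in the range 0-10")
    return round(mean(factors), 1)


def owasp_level(score):
    """OWASP buckets a 0-9 likelihood or impact average into LOW/MEDIUM/HIGH."""
    if not 0 <= score <= 9:
        raise ValueError("OWASP factor averages are in the range 0-9")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# OWASP overall risk severity: (likelihood, impact) -> rating
OWASP_MATRIX = {
    ("LOW", "LOW"): "Note", ("MEDIUM", "LOW"): "Low", ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High", ("HIGH", "HIGH"): "Critical",
}


def owasp_risk(likelihood_factors, impact_factors):
    """Each argument is a list of OWASP factor scores (0-9); the average of
    each list is bucketed and the two buckets are looked up in the matrix."""
    likelihood = owasp_level(mean(likelihood_factors))
    impact = owasp_level(mean(impact_factors))
    return OWASP_MATRIX[(likelihood, impact)]


def matrix_severity(impact, likelihood, size=5):
    """Custom size x size matrix (3x3 or 5x5 in practice). The cell value is
    impact * likelihood on 1..size scales; the bands below are an assumed
    example policy, expressed as fractions of the maximum cell."""
    if not (1 <= impact <= size and 1 <= likelihood <= size):
        raise ValueError("impact and likelihood must be within 1..size")
    cell = impact * likelihood
    top = size * size
    if cell >= 0.6 * top:
        return "Critical"
    if cell >= 0.4 * top:
        return "High"
    if cell >= 0.2 * top:
        return "Medium"
    return "Low"
```

Put the function outputs in the Risk Rating Methodology section so every severity in the report can be traced back to the same inputs.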
## Report Quality Checklist
| Aspect | Check | Common Pitfalls |
|--------|-------|-----------------|
| **Accuracy** | Verified findings, tested recommendations | False positives, untested remediation advice |
| **Clarity** | Clear, concise language | Excessive jargon, ambiguous descriptions |
| **Completeness** | All required sections, comprehensive coverage | Missing methodology, incomplete findings |
| **Professionalism** | Proper formatting, no typos | Spelling errors, inconsistent formatting |
| **Actionability** | Clear remediation steps | Vague recommendations, missing context |
| **Evidence Quality** | Proper screenshots, redacted sensitive data | Unclear evidence, over-redaction |
| **Business Context** | Practical impact explanation | Missing real-world consequences |
| **Technical Depth** | Appropriate level of detail | Too shallow or overly complex explanations |
| **Executive Value** | Clear risk communication | Missing business context for executives |
| **Scope Alignment** | Findings within agreed scope | Out-of-scope issues without clarification |
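One way to automate the Scope Alignment check above before a report ships, as an added example that is not part of the original cheatsheet: every host an affected finding references is compared against the agreed scope (IP addresses, CIDR ranges, hostnames or `*.domain` wildcards), and findings touching anything outside it are listed so they can be dropped or explicitly marked out-of-scope. The scope entries and findings below are constructed sample data.

```python
"""Flag findings that reference hosts outside the agreed scope.
Added example; SCOPE and FINDINGS are constructed sample data."""
import ipaddress


def _in_scope(host, scope):
    """True if host (IP or hostname) matches at least one scope entry."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal, treat as a hostname
    name = host.lower().rstrip(".")
    for entry in scope:
        entry = entry.lower().rstrip(".")
        if ip is not None:
            try:
                if ip in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass  # entry is a hostname, cannot match an IP
            continue
        if entry.startswith("*."):
            # wildcard covers the apex and any subdomain, not look-alike names
            if name == entry[2:] or name.endswith(entry[1:]):
                return True
        elif name == entry:
            return True
    return False


def check_scope(findings, scope):
    """Return (title, out_of_scope_hosts) for each finding that strays from scope."""
    problems = []
    for finding in findings:
        bad = [h for h in finding["hosts"] if not _in_scope(h, scope)]
        if bad:
            problems.append((finding["title"], bad))
    return problems


# Constructed sample scope and findings (documentation ranges and example domains)
SCOPE = ["203.0.113.0/24", "*.example.com", "vpn.example.net"]
FINDINGS = [
    {"title": "Outdated TLS configuration", "hosts": ["203.0.113.10", "www.example.com"]},
    {"title": "Exposed admin panel", "hosts": ["198.51.100.7"]},
    {"title": "Directory listing", "hosts": ["api.staging.example.com", "vpn.example.net"]},
]

if __name__ == "__main__":
    for title, hosts in check_scope(FINDINGS, SCOPE):
        print(f"OUT OF SCOPE: {title} -> {', '.join(hosts)}")
```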