banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。

Write high-quality reports.

Introduction
From personal experience, penetration testing reports can be divided into two categories: simple reports that provide a brief summary of vulnerabilities, which are technical in nature and not suitable for management, and complex and formal reports that can be used for project summaries, acceptance, and official purposes.

I came across an article that discussed how to write high-quality vulnerability reports, specifically for foreign penetration testing reports. I have summarized the content and included other reports in the attachment for reference.

Simple Report

NameDescription
SummaryIntroduction to the vulnerability, providing a brief description of the issue and its scope
ImpactDescription of the vulnerability's impact
Reproduction StepsSteps to reproduce the vulnerability, including screenshots, HTTP requests, POCs, or exploits
RecommendationsSuggestions for fixing the vulnerability
ReferencesGenerally not included

Vulnerability scoring and severity levels typically reflect the level of harm, ranging from informational, low, medium, to high.

Formal Report

This report is based on the securitum-protonmail-security-audit and is more practical. There are many other links in the attachment for those interested.

  1. Summary (Work, Penetration)
  • Testing scope
  • Testing methods (OWASP TOP10, OWASP ASVS)
  • Discovered vulnerabilities

During the testing process, special emphasis was placed on vulnerabilities that could negatively impact the confidentiality, integrity, or availability of processed data.

As part of the testing, a combination of manual testing methods (using the aforementioned methodologies) and various automated tools were used, including Burp Suite Professional, DirBuster, ffuf, nmap, Visual Studio Code, semgrep, grep, and sonarqube.

The vulnerabilities are described in detail in the subsequent sections of the report.


Vulnerability Risk Level:

Vulnerabilities are classified into five levels, reflecting the probability of exploitation and the business risks associated with their exploitation. The following is a brief description of each severity level.

  • Critical
  • High
  • Medium
  • Low
  • Informational

Vulnerability Statistics:

Graphical representation


  1. Version Change History
  • Time
  • Version
  • Description of changes

  1. Vulnerability Reproduction Process Record
  • Vulnerability name
    • Vulnerability description
    • Prerequisites for the attack
    • Technical details (POC)
    • Vulnerability location
    • Recommendations for fixing the vulnerability

Lessons Learned

When writing the report, it is recommended to use the passive voice instead of the first person.

When providing recommendations for fixing vulnerabilities, it is generally better to start with suggestions rather than using a mandatory approach.

One difference between foreign reports and our reports is the placement of the final summary. Foreign reports tend to place it at the beginning, while we prefer to place it at the end. Sometimes, we may also place it at the beginning for summarization purposes.

In terms of vulnerability reproduction, foreign reports are more detailed and include information on informational vulnerabilities. The vulnerability fix recommendations are tailored to the system rather than providing general solutions.

When reproducing the vulnerability scenario, it is recommended to approach it from the perspective of the attacker and the victim, making it easier for others to understand. In comparison, some domestic vulnerability notifications only provide text and links without any accompanying graphics, making it difficult to understand the vulnerability without a solid foundation.

Foreign reports also assign numbers to vulnerabilities, seemingly based on project names, which helps clearly distinguish these vulnerabilities.

Writing a report doesn't require much technical work, but making it understandable and of high quality can be challenging. I have personally experienced situations where a report had to be revised 5-6 times based on client feedback before it was satisfactory. The report itself is procedural, and as long as you have a template, you can modify it for others. Some reports are simply simple reports submitted with the source code. In such cases, a simple report is sufficient.

References: best-practices-for-writing-quality-vulnerability-reports

Additional reference for other penetration testing reports: More Penetration Testing Reports

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.