Reporting
This is a guide for drafting an application assessment report.
- Objective
- Scope
- Schedule
- Targets
- Limitations
- Findings Summary
- Remediation Summary
- Stick to facts
- Provide an overview of the assessment's timeline, goals, and the results
- Focus on High and Critical Findings
- Avoid Fear, Uncertainty and Doubt (FUD)
- Maximum of 1 page
- Use concise bullets for the most important details (optional)
- Include controls that can be identified as a root cause for findings
- Ensure that the audience can actually perform the recommendation
- Include description of vulnerability
- Remediation Steps
- Steps to reproduce PoC
- List each affected path and parameter
- Include screenshots, commands and code snippets
- Group findings by severity
- Include a checklist of controls that were tested (best for reports with minimal findings)
Include an appendix for the following situations:
- Documenting Authorization letters
- Findings with a lot of parameters/information
- Listing enumerated usernames or guessed passwords
- Long command/code output
- Data exfiltrated from the application during exploitation
- Including key project information such as scope limitations
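The findings and appendix guidance above can be enforced mechanically rather than by hand. The following Python script is an added example and not part of the original page: it takes a list of findings, orders them Critical and High first, lists every affected path and parameter for each one, and moves command output longer than a few lines into an appendix. The severity labels, the line threshold and the sample findings are assumptions constructed for the demonstration.

```python
"""Added example, not part of the original page: render a list of findings
into a Markdown report skeleton that follows the structure described above.
Severity labels, the appendix line threshold and the sample data are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Severity ranking used to order the findings section (assumed labels).
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Informational"]
# Output longer than this many lines is moved to the appendix (assumed cutoff).
APPENDIX_LINE_THRESHOLD = 5


@dataclass
class Finding:
    title: str
    severity: str
    description: str
    affected: List[Tuple[str, str]]   # (path, parameter) pairs
    remediation: List[str]            # remediation steps
    reproduction: List[str]           # steps to reproduce the PoC
    output: str = ""                  # raw command/code output, may be long


def group_by_severity(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Return findings keyed by severity, in SEVERITY_ORDER, omitting empty levels.

    An unknown severity label is a reporting error, so it fails loudly
    instead of silently dropping the finding from the report.
    """
    grouped: Dict[str, List[Finding]] = {}
    for f in findings:
        if f.severity not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {f.severity!r} for {f.title!r}")
        grouped.setdefault(f.severity, []).append(f)
    return {s: grouped[s] for s in SEVERITY_ORDER if s in grouped}


def render_report(findings: List[Finding]) -> str:
    """Render the findings section and, if needed, an output appendix as Markdown."""
    grouped = group_by_severity(findings)
    lines: List[str] = ["# Findings", ""]
    appendix: List[Tuple[str, str]] = []   # (finding title, long output)
    counter = 1
    for severity, items in grouped.items():
        lines += [f"## {severity}", ""]
        for f in items:
            lines += [f"### {counter}. {f.title}", "", f.description, "", "**Affected:**"]
            lines += [f"- `{path}` parameter `{param}`" for path, param in f.affected]
            lines += ["", "**Steps to reproduce:**"]
            lines += [f"{i}. {step}" for i, step in enumerate(f.reproduction, 1)]
            lines += ["", "**Remediation:**"]
            lines += [f"- {step}" for step in f.remediation]
            if f.output:
                if f.output.count("\n") + 1 > APPENDIX_LINE_THRESHOLD:
                    # Long output clutters the finding; reference it from the appendix.
                    appendix.append((f.title, f.output))
                    lines += ["", f"Full output: see Appendix A.{len(appendix)}"]
                else:
                    lines += ["", "```", f.output, "```"]
            lines.append("")
            counter += 1
    if appendix:
        lines += ["# Appendix A: Command output", ""]
        for n, (title, output) in enumerate(appendix, 1):
            lines += [f"## A.{n} {title}", "", "```", output, "```", ""]
    return "\n".join(lines)


# Constructed sample findings for the demonstration; not from any real assessment.
SAMPLE_FINDINGS = [
    Finding(
        title="Verbose server version banner",
        severity="Low",
        description="The HTTP Server header discloses the exact web server version.",
        affected=[("/", "Server header")],
        remediation=["Suppress or genericise the Server header at the reverse proxy."],
        reproduction=["Send any request and inspect the Server response header."],
        output="\n".join(f"header line {i}" for i in range(1, 11)),  # long: appendix
    ),
    Finding(
        title="Missing rate limiting on login",
        severity="High",
        description="The login endpoint accepts unlimited authentication attempts.",
        affected=[("/login", "username"), ("/login", "password")],
        remediation=["Add per-account and per-IP lockout or throttling.",
                     "Alert on bursts of failed logins."],
        reproduction=["Submit repeated failed logins for a test account.",
                      "Observe that no lockout or delay is applied."],
        output="HTTP/1.1 200 OK\n(same response for all 50 attempts)",  # short: inline
    ),
]

if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS))
```

Running the script prints the High finding first, with both `/login` parameters listed, and places the ten-line banner output under Appendix A.1 while the short login output stays inline with its finding.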