Links
Comment on page

Reporting

This a guide for drafting an application assessment report

Introduction

  • Objective
  • Scope
  • Schedule
  • Targets
  • Limitations
  • Findings Summary
  • Remediation Summary

Executive Summary

  • Stick to facts
  • Provide an overview of the assessment's timeline, goals, and the results
  • Focus on High and Critical Findings
  • Avoid Fear, Uncertainty and Doubt (FUD)
  • Maximum of 1 page
  • Use concise bullet for most important details (optional)
  • Include controls that can be identified as a root cause for findings
  • Ensure that the audience can actually perform recommendation

Findings

  • Include description of vulnerability
  • Remediation Steps
  • Steps to reproduce PoC
  • List each affect path and parameter
  • Include screenshots, commands and code snippets
  • Group findings by severity
  • Include a checklist of controls that were tested (Best for reports minimal findings)

Appendices

Include an appendix for the following situations:
  • Documenting Authorization letters
  • Findings with a lot of parameters/information
  • Listing enumerated usernames or guessed passwords
  • Long command/code output
  • Data exfiltrated from the application during exploitation
  • Including key project information such as scope limitations