This is a guide for drafting an application assessment report.

Report sections:
- Objective
- Scope
- Schedule
- Targets
- Limitations
- Findings Summary
- Remediation Summary

Summary guidelines:
- Stick to facts
- Provide an overview of the assessment's timeline, goals, and results
- Focus on High and Critical findings
- Avoid Fear, Uncertainty and Doubt (FUD)
- Maximum of 1 page
- Use concise bullets for the most important details (optional)

Remediation guidelines:
- Include controls that can be identified as a root cause for findings
- Ensure that the audience can actually perform the recommendation

Findings guidelines:
- Include a description of the vulnerability
- Remediation steps
- Steps to reproduce the PoC
- List each affected path and parameter
- Include screenshots, commands and code snippets
- Group findings by severity
- Include a checklist of controls that were tested (best for reports with minimal findings)

Include an appendix for the following situations:
- Documenting authorization letters
- Findings with a lot of parameters/information
- Listing enumerated usernames or guessed passwords
- Long command/code output
- Data exfiltrated from the application during exploitation
- Including key project information such as scope limitations