Crafting Penetration Testing Reports: A Step-by-Step Guide

Crafting Penetration Testing Reports: A Step-by-Step Guide

November 14, 2021

Penetration testing is a critical process in cybersecurity, involving the simulation of real-world attacks on a system to identify potential security vulnerabilities. Furthermore, this practice is often performed before deploying a system or as a means of evaluating the effectiveness of existing security measures. Consequently, the results of these tests are compiled into a penetration testing report—a vital document that summarizes the vulnerabilities found during the assessment.

Why a Well-Crafted Penetration Testing Report Matters

A well-crafted penetration testing report is not just a technical document; rather, it’s a bridge between the pentester and the client. Additionally, it serves as a clear communication tool that explains the methods used, the vulnerabilities discovered, and the overall security posture of the system. This report is crucial for helping clients understand their security risks and take informed actions to mitigate them.

Key Components of a Penetration Testing Report

A thorough penetration testing report should include the following sections:

Introduction

  • Purpose: Clearly state the objectives of the test. For instance, what are the key questions the client wants to be answered? Examples include whether an attacker can access sensitive data without authorization or if it’s possible to elevate a user’s privileges to admin level. In addition, this section also reinforces the importance of the assessment.

Tools and Setup

  • Tools Used: List the specific tools and technologies used during the test, such as software applications or testing frameworks.
  • Testing Environment: First, describe the setup, including the accounts you received and also clarify whether you conducted the test as a white, black, or grey box assessment.

Approach

  • Methodology: Outline the steps or phases followed during the penetration test.

i.e.: There are seven stages during a penetration test. These seven stages are:

penetration testing report

Moreover, several standard frameworks and methodologies exist for conducting penetration tests. These include the Open Source Security Testing Methodology Manual (OSSTMM), the Penetration Testing Execution Standard (PTES)the NIST Special Publication 800-115, the Information System Security Assessment Framework (ISSAF), and the OWASP Testing Guide.

Scope and Rules of engagement

  • Scope Definition: A determination of scope is important when you are going to perform a test. For instance, you need to know what are the IP ranges and URLs of the web applications that are in scope. In this paragraph, you describe which segments belong to the “to be tested” scope and which parts are explicitly excluded or any other constraints.

Executive summary

Generally, penetration testing reports begin with a high-level synopsis of the pentester’s discoveries. Additionally, the summary provides a brief outline of the outcomes for organization chiefs and directors, who seek significant points without delving into the technical details of the report.

  • High-Level Findings: Provide a brief, non-technical summary of the key findings, tailored for executives who need to understand the risks without delving into technical details.
  • Security Posture: Highlight the areas where the pentesters successfully breached security controls and the data they accessed. Summarize the company’s current security risks and provide an overview of the most critical findings.
  • Recommendations: Offer prioritized security improvement suggestions, categorizing them into short-term, medium-term, and long-term objectives.

Finding overview example

penetration testing report

 

Number Vulnerability name Severity CVSS score
1 Remote Code Execution Critical 9.9
2 Command Injection Critical 9.0
3 Cross-Site Scripting High 7.5
4 HTTP Header Injection Medium 6.9
5 Programming error message Low 3.9

 

Vulnerability Title:

The title of the vulnerability needs to be a short name that describes the finding, such as Cross-site scripting or Unsupported version detection.

Vulnerability Description:

This segment provides an explanation of the issue and a clarification of the effect it could cause if it were exploited. Generally, this is kept broad and clear to give the client an overall understanding of the issue. Additionally, you can explain how the issue functions, leaving specific details about the client’s situation for other segments of the report.

Vulnerable element:

Identify the specific application, server, or component where the vulnerability was found (e.g., IP address, URL).

Reproduction steps:

Primarily, this part is used for administrators or developers who need to solve the finding and verify if the fix is implemented correctly. Therefore, offer clear, step-by-step instructions on how to reproduce the vulnerability, including screenshots or videos if necessary.

Typically, hackers write exploits as they find vulnerabilities, although others are available on the internet. Thus, the tester should include detailed exploit steps or direct the reader of the report to the public exploit code.

Severity:

Firstly, this section is crucial for informing the client about the impact of the vulnerability if it were successfully exploited. Next, make the explanation of the impact as realistic as possible, instead of describing what could theoretically happen. The most effective approach is to focus on immediate consequences, such as “An attacker may access your user account.”

Risk:

Simply stating that something is dangerous does not necessarily mean everyone understands the risk. Hence, it is very important to explain why it is so risky. For instance, if you discover an unrestricted file upload vulnerability, you should mention that, as a result, the attacker can execute code remotely and elevate privileges within the application to view all the user’s private data, such as medical or banking information..


The OWASP Risk Rating Methodology describes this on a scale of Low to Very High. https://owasp.org/www-community/OWASP_Risk_Rating_Methodology

CVSS Score:

A CVSS Score (Common Vulnerability Scoring System) supports companies in defining the severity of an issue on a scale of 0 to 10 — no risk to critical. Therefore, it is an important component to show why did you assign a specific risk category to a specific finding.

CVSS is composed of three metric groups: Base, Temporal, and Environmental, each consisting of a set of metrics, as shown below:
CVSS penetration testing report

References:

Include links to additional resources, such as vendor advisories or CVE details, to provide further context. This system provides a reference method for publicly known information-security vulnerabilities and exposures. https://cve.mitre.org/

Remediation:

In the wake of strolling through the subtleties of the pentest, the following area will show possible solutions for each finding.

To begin with, provide a short note on the next step to take in the remediation process; subsequently, offer a more detailed explanation tailored to the client’s specific situation.

For example, the start of the recommendation will look like

  • Install the latest software version of a component.
  • Upgrade the current hardware asset
  • Implement secure passwords.

The detailed description is:

  • Version 3.2.1 found on component X. This version is vulnerable for CVE-xx-xx-xx. This is a remote code execution vulnerability. The component has to be updated to version 4.0.1.
  • The current hardware is EOL(End of Life). The hardware needs to be replaced by a supported version. Make sure the new hardware is supported by the vendor and receives frequent updates.
  • Default passwords are being used on these devices. Ensure that all the passwords are replaced with unique combinations of capital and lowercase letters, special characters, and numbers with a minimum length of 12 characters. The password should not contain dictionary words. Privileged accounts are advised to use 25 characters or greater.

Report Conclusion

The conclusion can consist of two parts, recommendations and the risk summary. Firstly, the recommendations, where advise is given about patching, enhancing, or implementing security measures as needed. The purpose is not only to list the problematic areas that need to be addressed, but also to providing solutions for the problems. Moreover, strategic and tactical recommendations to help the client with risk mitigation decision making in terms of resource investments.

Final Note

The penetration testing report is the tool that the pentester uses to communicate his work to the customer. Therefore, it should be easy to understand for different knowledge levels so they are able to take decisions to address the identified risks.

Our penetration testing training covers writing a penetration testing report and other technical subjects in detail. Finally, stay updated by checking our blog and following us on Twitter and LinkedIn.

You May Also Like…