Vulnerability description in penetration testing reports
The core of every penetration testing report is the vulnerability details section. This is the place where security engineers, administrators, and developers will spend the most time. In this article, I will write about typical elements of this section in a penetration testing report.
This is the fourth out of six articles in the series “Web application Penetration Testing Report”. The previous one explains in detail how the severity of a vulnerability can be assigned based on the Common Vulnerability Scoring System (CVSS).
The vulnerability details section contains a list of the vulnerabilities discovered during a penetration testing assessment, with all technical information, usually ordered from the most to the least severe vulnerability. Every finding (a vulnerability or a security misconfiguration) typically has the following types of information:
Vulnerability title
The title lets you quickly understand what the vulnerability is about.
Vulnerability identification number
The vulnerability ID allows easy referencing and makes it possible to keep track of which vulnerabilities have been fixed and which ones are still open.
Severity
The severity in the penetration testing report tells you whether the vulnerability is critical, high, medium, low, or informational. At Zigrin Security, we also provide the calculated numeric score between 0 and 10 and the full CVSS reference. This helps our customers better understand the factors behind the score.
Category
If it is possible to categorize a vulnerability, you will find that category here. This may help you see which types of vulnerabilities occur most often and apply proactive measures in the long run. A well-known standard for categorizing vulnerabilities is the Common Weakness Enumeration (CWE). More information is available here: https://cwe.mitre.org/
Description
In this section, you will see the general explanation of the vulnerability. Information such as the cause of the vulnerability, the steps and requirements for its exploitation, and an explanation of its impact appears here. This section is not specific to the vulnerability discovered in your application; it is rather general information that helps you understand its background.
Recommendations
This section explains the steps to fix, and sometimes to mitigate, the security issue.
Recommendations aiming to fix a vulnerability allow it to be removed at the exact location where it was found. However, fixing is sometimes very difficult, as it may require rebuilding a large part of the application. In such cases, the penetration testing report contains an additional mitigation recommendation. Its goal is to provide mechanisms that limit the impact of the vulnerability or increase the difficulty of exploitation, but do not remove the vulnerability completely.
This approach is also used to apply a quick, partial mitigation and gain more time to implement a proper fix.
Technical details
This section explains the exact place in the application where the vulnerability occurs. You will see the steps to reproduce it and how easy or difficult it would be for an adversary to actually exploit it.
This section sometimes contains code snippets that allow you to quickly run and see the vulnerability in action yourself. You will also see screenshots of successful exploitation or other evidence of the vulnerability.
At Zigrin Security, we believe that showing the actual impact here is very important, as it allows you to fully understand how dangerous the vulnerability is in the context of your application. We achieve this by writing real exploits for many of the vulnerabilities we discover. This helps you see the impact live, in a controlled environment, in your web application.
Reference
The last section of the finding details is the reference list, with external resources that may help you find more information about how to implement a fix or understand the vulnerability in general.
These are the main sections of every finding in a penetration testing report.
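As an added example (not the article's or Zigrin Security's own code), here is a small Python model of one finding with the fields listed above, deriving the severity label from the CVSS score and ordering findings from most to least severe. The field names, the CVSS v3.x band thresholds, and the mapping of a 0.0 score to "Informational" are my assumptions; the two sample findings are constructed.

```python
# Added example: a finding record with the article's fields, CVSS score -> severity label, and ordering.
from dataclasses import dataclass, field
import re
CWE_ID = re.compile(r"^CWE-\d+$")  # category reference, e.g. CWE-79
# CVSS v3.x qualitative bands (upper bound, label); showing 0.0 as Informational is an assumption.
SEVERITY_BANDS = [(0.0, "Informational"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical")]

def severity_from_cvss(score: float) -> str:
    """Map a 0-10 CVSS base score to the severity label used in the report."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    return next(label for upper, label in SEVERITY_BANDS if round(score, 1) <= upper)

@dataclass
class Finding:
    finding_id: str             # stable ID for tracking fixed vs. open issues
    title: str
    cvss_score: float           # numeric score, 0-10
    cvss_vector: str            # full CVSS reference string
    cwe: str                    # category from the Common Weakness Enumeration
    description: str            # general background, not application-specific
    recommendations: list[str]  # fix first; an optional mitigation may follow
    technical_details: str      # exact location, reproduction steps, evidence
    references: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not CWE_ID.match(self.cwe):
            raise ValueError(f"bad CWE reference: {self.cwe}")
        if not self.recommendations:
            raise ValueError("a finding needs at least one recommendation")

def order_findings(findings: list[Finding]) -> list[Finding]:
    """Order as the details section is: most severe first, ties broken by ID."""
    return sorted(findings, key=lambda f: (-f.cvss_score, f.finding_id))

def sample_findings() -> list[Finding]:
    """Two constructed findings with illustrative values, not from a real report."""
    return [
        Finding("F-002", "Session cookie lacks HttpOnly", 4.3,
                "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "CWE-1004",
                "Cookie readable by page scripts.", ["Set HttpOnly on the cookie."],
                "Set-Cookie header of the login response (constructed)."),
        Finding("F-001", "Reflected cross-site scripting in search", 6.1,
                "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "CWE-79",
                "Input is echoed into HTML without encoding.",
                ["Encode output for the HTML context.", "Mitigation: strict CSP."],
                "The q parameter is reflected unencoded in the results page.",
                ["https://cwe.mitre.org/data/definitions/79.html"]),
    ]
```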
In the next, fifth article of the series, I will write about three things that you will not find in a web application penetration testing report.
Let me know in the comments what other information you would like to see in the finding details section of a penetration testing report.