Ethical Hacking and Penetration Testing Guide



Yüklə 22,44 Mb.
Pdf görüntüsü
səhifə27/235
tarix07.08.2023
ölçüsü22,44 Mb.
#138846
1   ...   23   24   25   26   27   28   29   30   ...   235
Ethical Hacking and Penetration Testing Guide ( PDFDrive )

Detailed Findings
This is where you address the technical audience, specifically the security manager and the 
developers; also, this is where you are allowed to talk in depth about how the vulnerabilities 
were discovered, the root causes of the vulnerabilities, the associated risks, and the necessary 
recommendations.
Let’s now briefly talk about four essentials that should be included in the “Detailed Findings” 
section.
Description
This is where you talk about the vulnerability itself; a brief explanation should be provided in this 
section.


16
◾ 
Ethical Hacking and Penetration Testing Guide
Explanation
This is the section where you reveal where the vulnerability was found, how it was found, the root 
cause of the vulnerability, the proof of concept, or the evidence of the finding.
Risk
This is where you talk about the risks and the likely impact that the vulnerability carries.
Recommendation
This is where you address the developers on how to fix the vulnerability; you may also include 
general suggestions to avoid that particular class of vulnerability in future.
The following screenshot comes directly from one of our penetration testing reports. Our 
finding was “DOM-based XSS” vulnerability. In the “Description” section we discussed the 
vulnerability. In the “Explanation” section, we talked about where the vulnerability was found 
and what line of the JavaScript code is the root cause of the vulnerability. We then talked about 
general risks and the impact and finally the general remediations to avoid vulnerabilities of a 
similar class.


Introduction to Hacking
◾ 
17
Reports
Now that you know the basics and structure of how a penetration testing report is written, I would 
urge you to spend some time reviewing the following penetration testing sample reports.

http://www.offensive-security.com/penetration-testing-sample-report.pdf

http://www.niiconsulting.com/services/security-assessment/NII_Sample_PT_Report.pdf

http://pentestreports.com/
Conclusion
In this chapter, we talked about basic terminologies that you will encounter on a daily basis as a 
penetration tester. We discussed about the types of penetration tests and the different penetration 
testing methodologies. We then talked about what makes a good penetration testing report. We 
also looked at how a penetration test report should be laid out in order to provide the target audi-
ence the necessary information.




Yüklə 22,44 Mb.

Dostları ilə paylaş:
1   ...   23   24   25   26   27   28   29   30   ...   235




Verilənlər bazası müəlliflik hüququ ilə müdafiə olunur ©azkurs.org 2024
rəhbərliyinə müraciət

gir | qeydiyyatdan keç
    Ana səhifə


yükləyin