Penetration Testing with Kali Linux OffSec


PEN-200

Listing 28 - Pertinent Details 
Next, we’ll prepare the long-form Executive Summary. This is a written summary of the testing 
that provides a high-level overview of each step of the engagement and establishes severity, 
context, and a “worst-case scenario” for the key findings from the testing. It’s important not to 
undersell or oversell the vulnerabilities. We want the client’s mental model of their security 
posture to be accurate. For example, if we’ve found an SQL injection that enables credit card 
details to be stolen, then that represents a very different severity than if we’ve found an 
authentication bypass on a system hosting public data. We would certainly emphasize the former 
in the Executive Summary, but we may not highlight the latter in this section. 
We should make note of any trends that were observed in the testing to provide strategic advice. 
The executive doesn’t need to be given the full technical details in this section, and technical staff 
will be able to find them as each vulnerability will be expanded upon in later sections of the report. 
What we can do, however, is to describe the trends we’ve identified and validate our concerns 
with summaries of one or two of the more important related findings. 
To highlight trends, we want to group findings with similar vulnerabilities. Many vulnerabilities of 
the same type generally show a failure in that particular area. For example, if we find stored and 
reflected XSS, along with SQL injection and file upload vulnerabilities, then user input is clearly not 
being properly sanitized across the board. This must be fixed at a systemic level. This section is 
an appropriate place to inform the client of a systemic failure, and we can recommend the 
necessary process changes as the remediation. In this example, we may encourage the client to 
provide proper security training for their developers. 
It is useful to mention things that the client has done well. This is especially true because while 
management may be paying for the engagement, our working relationship is often with the 
technical security teams. We want to make sure that they are not personally looked down upon. 
Even those penetration tests that find severe vulnerabilities will likely also identify one or two 
areas that were hardened. Including those areas will soften the impact on people, and make the 
client more accepting of the report as a whole. 
The Executive Summary can generally be broken down as follows: 
First we include a few sentences describing the engagement: 
- "The Client hired OffSec to conduct a penetration test of 
their kali.org web application in October of 2025. The test was conducted 
from a remote IP between the hours of 9 AM and 5 PM, with no users 
provided by the Client." 
Listing 29 - Describing the Engagement 
Next, we add several sentences that talk about some effective hardening we observed: 
- "The application had many forms of hardening in place. First, OffSec was unable to 
upload malicious files due to the strong filtering 
in place. OffSec was also unable to brute force user accounts 
because of the robust lockout policy in place. Finally, the strong 
password policy made trivial password attacks unlikely to succeed. 
This points to a commendable culture of user account protections." 
Listing 30 - Identifying the positives 

PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 
Notice the language here. We do not say something like "It was impossible to upload malicious 
files", because we cannot make absolute claims without absolute evidence. We were given a 
limited time and resource budget to perform our engagement and we ourselves are fallible. We 
must be careful to make sure our language does not preclude the possibility that we were simply 
unable to find a flaw that does actually exist and remains undetected. 
Next, we introduce a discussion of the vulnerabilities discovered: 
- "However, there were still areas of concern within the application. 
OffSec was able to inject arbitrary JavaScript into the browser of 
an unwitting victim that would then be run in the context of that 
victim. In conjunction with the username enumeration on the login 
field, there seems to be a trend of unsanitized user input compounded 
by verbose error messages being returned to the user. This can lead 
to some impactful issues, such as password or session stealing. It is 
recommended that all input and error messages that are returned to the 
user be sanitized and made generic to prevent this class of issue from 
cropping up." 
