A Security Testing Report
You are required to write a penetration test report. This report (2000 words) focuses on the technical aspects of web application vulnerabilities. In this pen-test report, you will need to demonstrate at least 3 vulnerabilities in the OWASP top 10 list (2017 version). You may use any vulnerable web applications or web sites included in the ethical hacking environment that we set up in course 3, that is, the OWASP broken web application box.
This report should include the following sections:
1. Executive summary. Executive summaries should cover what led up to the issue being addressed, the problematic situation, and the proposed solution with expected results. Executive summaries do not require technical details and should target leadership rather than technical staff. (You may find hints on writing good executive summaries at http://unilearning.uow.edu.au/report/4bi1.html.)
2. Methodology. This section includes an overview of how you deliver services. Highlights should include your process for each phase of an engagement, the tools used, and how you handle identified threats.
3. Detailed Testing Procedures. This section covers technical details. The target audience is typically the technical staff, and the goal is to provide as much information as possible around identified issues of concern. Subjects typically included are target discovery, mapping, vulnerability assessment, architecture analysis, exploitation, and reporting.
4. Vulnerabilities. Each vulnerability found should include a clear description of the source of the weakness, its impact on business operations, and the likelihood of its being exploited. If time and resources permit, each instance of a vulnerability should be manually verified together with the results obtained from the scanners. Details that could be included for identified vulnerabilities are 1) vulnerability name, 2) vulnerability description, 3) technical details.
5. Reference list.