pentest-report
SKILL.md
Penetration Testing Report Skill
When generating a penetration testing report, follow OWASP standards and methodology. This skill produces a professional-grade report suitable for compliance reviews, stakeholder communication, and remediation planning.
1. Scope & Methodology Discovery
Determine Scope
# Application type
cat package.json pyproject.toml Cargo.toml go.mod pom.xml composer.json Gemfile 2>/dev/null | head -30
# Detect web framework (determines attack surface)
cat package.json 2>/dev/null | grep -E "express|fastify|next|nuxt|nest|koa|hapi|django|flask|fastapi|rails|laravel|spring|gin|fiber|echo"
# Detect API type
grep -rn "app.get\|app.post\|@app.route\|@GetMapping\|router\." --include="*.ts" --include="*.js" --include="*.py" --include="*.java" src/ app/ 2>/dev/null | head -20
# Detect authentication mechanism
grep -rn "jwt\|passport\|oauth\|session\|cookie\|bearer\|auth" --include="*.ts" --include="*.js" --include="*.py" --include="*.java" src/ app/ 2>/dev/null | head -20
# Detect database
grep -rn "postgres\|mysql\|mongo\|redis\|sqlite\|prisma\|sequelize\|typeorm\|mongoose\|sqlalchemy\|knex\|drizzle" --include="*.ts" --include="*.js" --include="*.py" --include="*.java" src/ app/ 2>/dev/null | head -10
# Detect frontend
cat package.json 2>/dev/null | grep -E "react|vue|angular|svelte|next|nuxt"
# Map API endpoints (attack surface)
grep -rn "router\.\(get\|post\|put\|delete\|patch\)\|app\.\(get\|post\|put\|delete\|patch\)\|@app\.route\|@GetMapping\|@PostMapping\|@PutMapping\|@DeleteMapping" --include="*.ts" --include="*.js" --include="*.py" --include="*.java" src/ app/ 2>/dev/null
# Count total endpoints
grep -rn "router\.\(get\|post\|put\|delete\|patch\)\|app\.\(get\|post\|put\|delete\|patch\)" --include="*.ts" --include="*.js" --include="*.py" src/ app/ 2>/dev/null | wc -l
# Infrastructure
ls Dockerfile docker-compose.yml docker-compose.yaml k8s/ terraform/ nginx.conf 2>/dev/null
Testing Methodology
This report follows:
- OWASP Web Security Testing Guide (WSTG) v4.2 — structured testing methodology
- OWASP Top 10 (2021) — most critical web application security risks
- OWASP Application Security Verification Standard (ASVS) v4.0 — detailed security requirements
- CVSS v3.1 — Common Vulnerability Scoring System for severity rating
2. OWASP Top 10 (2021) Assessment
Test each category systematically:
A01:2021 — Broken Access Control
WSTG Tests:
- WSTG-ATHZ-01: Testing Directory Traversal/File Include
- WSTG-ATHZ-02: Testing for Bypassing Authorization Schema
- WSTG-ATHZ-03: Testing for Privilege Escalation
- WSTG-ATHZ-04: Testing for Insecure Direct Object References (IDOR)
# Check for missing authorization middleware
grep -rn "router\.\(get\|post\|put\|delete\|patch\)" --include="*.ts" --include="*.js" src/api/ src/routes/ 2>/dev/null | grep -v "auth\|middleware\|protect\|guard\|verify"
# Check for IDOR vulnerabilities — direct ID usage without ownership check
grep -rn "req\.params\.id\|req\.params\.userId\|request\.args\.get.*id" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null
# Check for path traversal
grep -rn "req\.params\|req\.query\|request\.args" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null | grep -i "file\|path\|dir\|upload\|download"
# Check for missing role-based access control
grep -rn "role\|permission\|isAdmin\|hasRole\|authorize\|can(" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null
# Check for CORS misconfiguration
grep -rn "Access-Control-Allow-Origin\|cors(" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null
# Check for missing CSRF protection
grep -rn "csrf\|csrfToken\|_token\|antiforgery" --include="*.ts" --include="*.js" --include="*.py" --include="*.html" src/ 2>/dev/null
What to flag:
- Endpoints accessible without authentication
- Missing ownership verification on resource access (IDOR)
- Horizontal privilege escalation (user A accessing user B's data)
- Vertical privilege escalation (regular user accessing admin functions)
- CORS with wildcard origin on authenticated endpoints
- Missing CSRF tokens on state-changing operations
- Directory traversal in file operations
- Missing rate limiting on sensitive endpoints
A02:2021 — Cryptographic Failures
WSTG Tests:
- WSTG-CRYP-01: Testing for Weak Transport Layer Security
- WSTG-CRYP-02: Testing for Padding Oracle
- WSTG-CRYP-03: Testing for Sensitive Information via Unencrypted Channels
- WSTG-CRYP-04: Testing for Weak Encryption
# Check for weak hashing algorithms
grep -rn "md5\|sha1\|SHA1\|MD5" --include="*.ts" --include="*.js" --include="*.py" --include="*.java" src/ 2>/dev/null | grep -v "node_modules\|test\|spec"
# Check for weak encryption
grep -rn "DES\|RC4\|ECB\|Blowfish" --include="*.ts" --include="*.js" --include="*.py" --include="*.java" src/ 2>/dev/null
# Check for hardcoded encryption keys
grep -rn "encryption_key\|ENCRYPTION_KEY\|secret_key\|SECRET_KEY\|private_key" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null | grep -v "process\.env\|os\.environ\|config\.\|\.env"
# Check for insecure random
grep -rn "Math\.random\|random\.random\|rand()\|srand" --include="*.ts" --include="*.js" --include="*.py" --include="*.php" src/ 2>/dev/null
# Check password hashing
grep -rn "bcrypt\|argon2\|scrypt\|pbkdf2" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null
# Check for sensitive data in plain text
grep -rn "password.*=\|creditCard\|ssn\|social_security\|credit_card" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null | grep -v "test\|spec\|mock\|hash\|bcrypt"
# Check TLS configuration
grep -rn "http://\|ssl.*false\|verify.*false\|rejectUnauthorized.*false\|VERIFY_NONE" --include="*.ts" --include="*.js" --include="*.py" --include="*.java" src/ 2>/dev/null
What to flag:
- Passwords stored with MD5/SHA1 instead of bcrypt/argon2
- Sensitive data transmitted over HTTP
- Hardcoded encryption keys or secrets
- Weak TLS configuration
- Math.random() for security-sensitive values
- Sensitive data stored unencrypted at rest
- Missing HSTS headers
A03:2021 — Injection
WSTG Tests:
- WSTG-INPV-05: Testing for SQL Injection
- WSTG-INPV-06: Testing for LDAP Injection
- WSTG-INPV-07: Testing for XML Injection
- WSTG-INPV-12: Testing for Command Injection
- WSTG-INPV-11: Testing for Code Injection
# SQL Injection — string concatenation in queries
grep -rn "SELECT.*\+\|INSERT.*\+\|UPDATE.*\+\|DELETE.*\+\|WHERE.*\+\|\`SELECT\|\`INSERT\|\`UPDATE\|\`DELETE" --include="*.ts" --include="*.js" --include="*.py" --include="*.java" --include="*.php" src/ 2>/dev/null | grep -v "test\|spec\|mock"
# SQL Injection — template literals in queries
grep -rn "query.*\${\|execute.*\${" --include="*.ts" --include="*.js" src/ 2>/dev/null
# NoSQL Injection
grep -rn "find(\|findOne(\|updateOne(\|deleteOne(" --include="*.ts" --include="*.js" src/ 2>/dev/null | grep "req\.\|request\."
# Command Injection
grep -rn "exec(\|execSync\|spawn(\|system(\|popen\|subprocess\.\(call\|run\|Popen\)" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null
# XSS — innerHTML and dangerouslySetInnerHTML
grep -rn "innerHTML\|dangerouslySetInnerHTML\|v-html\|\.html(\|{!!.*!!}" --include="*.ts" --include="*.tsx" --include="*.js" --include="*.jsx" --include="*.vue" --include="*.php" src/ 2>/dev/null
# Template Injection
grep -rn "render_template_string\|Template(\|Jinja2\|eval(" --include="*.py" --include="*.js" --include="*.ts" src/ 2>/dev/null
# LDAP Injection
grep -rn "ldap\.\|LDAP\.\|search_s\|search_ext" --include="*.py" --include="*.java" src/ 2>/dev/null
# XPath Injection
grep -rn "xpath\|XPath\|selectNodes\|evaluate(" --include="*.ts" --include="*.js" --include="*.java" src/ 2>/dev/null
What to flag:
- String concatenation or template literals in SQL queries
- User input passed directly to MongoDB queries
- User input in exec/spawn/system calls
- Unsanitized HTML rendering (innerHTML, dangerouslySetInnerHTML, v-html)
- Template injection via user-controlled template strings
- Missing parameterized queries
A04:2021 — Insecure Design
# Check for missing rate limiting
grep -rn "rate.limit\|rateLimit\|throttle\|slowDown" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null
# Check for missing input validation library
cat package.json 2>/dev/null | grep -E "zod|joi|yup|class-validator|express-validator"
cat requirements.txt pyproject.toml 2>/dev/null | grep -E "pydantic|marshmallow|cerberus|voluptuous"
# Check for missing error boundaries / global error handling
grep -rn "errorHandler\|ErrorBoundary\|unhandledRejection\|uncaughtException" --include="*.ts" --include="*.js" --include="*.tsx" src/ 2>/dev/null
# Check for business logic flaws
grep -rn "TODO.*secur\|FIXME.*auth\|HACK.*valid\|XXX.*check" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null
What to flag:
- Missing rate limiting on authentication endpoints
- Missing input validation framework
- No global error handler
- Missing account lockout mechanism
- No bot detection on public forms
- Missing business rule enforcement server-side
- Trusting client-side validation only
A05:2021 — Security Misconfiguration
# Debug mode in production configs
grep -rn "DEBUG.*=.*True\|debug.*:.*true\|NODE_ENV.*development" --include="*.py" --include="*.ts" --include="*.js" --include="*.yaml" --include="*.yml" --include="*.json" src/ config/ 2>/dev/null | grep -v "test\|spec\|dev"
# Default credentials
grep -rn "admin.*admin\|password.*password\|root.*root\|default.*password\|changeme" --include="*.ts" --include="*.js" --include="*.py" --include="*.yaml" --include="*.yml" --include="*.json" . 2>/dev/null | grep -v "node_modules\|test\|spec\|\.md"
# Exposed stack traces / error details
grep -rn "stack.*trace\|traceback\|stackTrace\|\.stack\b" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null | grep -i "res\.\|response\.\|send\|json"
# Security headers check
grep -rn "helmet\|SecurityMiddleware\|Content-Security-Policy\|X-Frame-Options\|X-Content-Type-Options\|Strict-Transport-Security" --include="*.ts" --include="*.js" --include="*.py" --include="*.conf" src/ config/ 2>/dev/null
# Permissive CORS
grep -rn "origin.*\*\|Access-Control-Allow-Origin.*\*\|cors({.*origin.*true" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null
# Exposed internal paths/ports
grep -rn "localhost\|127\.0\.0\.1\|0\.0\.0\.0" --include="*.ts" --include="*.js" --include="*.py" --include="*.yaml" --include="*.yml" src/ config/ 2>/dev/null | grep -v "test\|spec\|\.md"
# Dockerfile security
cat Dockerfile 2>/dev/null | grep -E "^USER|^FROM|COPY.*\.env|--no-cache"
# .env committed
git ls-files | grep -i "\.env$\|\.env\." | grep -v "\.example\|\.sample\|\.template"
# Exposed API docs in production
grep -rn "swagger\|openapi\|api-docs\|graphql.*playground\|graphiql" --include="*.ts" --include="*.js" --include="*.py" --include="*.yaml" src/ config/ 2>/dev/null
What to flag:
- Debug mode enabled in production configuration
- Default credentials present
- Stack traces returned in API responses
- Missing security headers (CSP, HSTS, X-Frame-Options)
- Wildcard CORS on authenticated endpoints
- .env files committed to Git
- Container running as root
- Swagger/GraphQL playground exposed in production
- Unnecessary services/ports exposed
A06:2021 — Vulnerable and Outdated Components
# Node.js vulnerability audit
npm audit --json 2>/dev/null | head -100
# Python vulnerability audit
pip audit --format json 2>/dev/null | head -100
safety check --json 2>/dev/null | head -100
# Check for outdated packages
npm outdated 2>/dev/null | head -30
pip list --outdated 2>/dev/null | head -30
# Check Node.js version EOL status
node --version 2>/dev/null
# Check for known vulnerable package versions
cat package-lock.json 2>/dev/null | grep -E "jsonwebtoken|lodash|axios|express" | head -20
# Check for unmaintained packages (rough heuristic)
cat package.json 2>/dev/null | grep -E '"dependencies"' -A 100 | grep -E '":' | head -30
What to flag:
- Dependencies with known CVEs (critical and high)
- Packages with no updates in 2+ years
- Runtime/language version past end-of-life
- Missing lockfile (package-lock.json, yarn.lock)
- Unpinned dependency versions
A07:2021 — Identification and Authentication Failures
# Password policy
grep -rn "password.*length\|password.*min\|minLength.*password\|PASSWORD_MIN" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null
# Session management
grep -rn "session\|cookie.*httpOnly\|cookie.*secure\|cookie.*sameSite\|maxAge\|expires" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null
# JWT configuration
grep -rn "jwt\.\|jsonwebtoken\|JWT_SECRET\|JWT_EXPIR\|expiresIn\|algorithm.*HS\|algorithm.*RS" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null
# Brute force protection
grep -rn "lockout\|max.*attempt\|failed.*login\|login.*attempt\|account.*lock" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null
# Password reset flow
grep -rn "reset.*password\|forgot.*password\|password.*reset\|reset.*token" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null
# Multi-factor authentication
grep -rn "mfa\|2fa\|two.factor\|totp\|authenticator" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null
# Token storage
grep -rn "localStorage\.\(set\|get\)Item.*token\|sessionStorage.*token" --include="*.ts" --include="*.tsx" --include="*.js" --include="*.jsx" src/ 2>/dev/null
What to flag:
- No minimum password length or complexity requirements
- Missing brute force protection on login
- Tokens stored in localStorage (should use httpOnly cookies)
- JWT with no expiration or very long expiration
- JWT using weak algorithm (HS256 with short secret)
- Missing session invalidation on logout
- Password reset tokens that don't expire
- Same error message for "user not found" and "wrong password" (information leakage)
- Missing MFA option for sensitive operations
A08:2021 — Software and Data Integrity Failures
# Check for insecure deserialization
grep -rn "JSON\.parse\|pickle\.load\|yaml\.load\|unserialize\|ObjectInputStream\|eval(" --include="*.ts" --include="*.js" --include="*.py" --include="*.php" --include="*.java" src/ 2>/dev/null
# Check for CI/CD security
cat .github/workflows/*.yml .gitlab-ci.yml 2>/dev/null | grep -E "secrets\.|pull_request_target|npm install|pip install" | head -20
# Check for subresource integrity
grep -rn "<script.*src=\|<link.*href=" --include="*.html" --include="*.tsx" --include="*.jsx" src/ public/ 2>/dev/null | grep -v "integrity="
# Check for webhook signature verification
grep -rn "webhook\|signature\|hmac\|verify.*signature" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null
What to flag:
- Unsafe deserialization of user input (pickle, yaml.load without SafeLoader, eval)
- CI/CD pipelines running untrusted code
- CDN scripts without subresource integrity (SRI) hashes
- Webhook endpoints not verifying signatures
- Missing code signing or integrity checks on updates
A09:2021 — Security Logging and Monitoring Failures
# Check for logging framework
grep -rn "winston\|pino\|bunyan\|morgan\|log4j\|logback\|logging\.\|logger\." --include="*.ts" --include="*.js" --include="*.py" --include="*.java" src/ 2>/dev/null | head -10
# Check for security event logging
grep -rn "login.*log\|auth.*log\|failed.*log\|unauthorized.*log\|forbidden.*log" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null
# Check for sensitive data in logs
grep -rn "log.*password\|log.*token\|log.*secret\|log.*credit\|log.*ssn\|console\.log.*req\.body" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null
# Check for error monitoring
cat package.json 2>/dev/null | grep -E "sentry|datadog|newrelic|bugsnag|rollbar"
# Check for audit trail
grep -rn "audit\|trail\|history\|changelog\|activity.*log" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null
What to flag:
- No structured logging framework in use
- Authentication events not logged (login, logout, failed attempts)
- Sensitive data appearing in logs (passwords, tokens, PII)
- No error monitoring service configured
- Missing audit trail for sensitive operations (admin actions, data changes)
- Log files accessible without authentication
- No alerting on security events
A10:2021 — Server-Side Request Forgery (SSRF)
# Check for SSRF-prone code
grep -rn "fetch(\|axios\.\|request(\|http\.get\|urllib\|requests\.get\|HttpClient" --include="*.ts" --include="*.js" --include="*.py" --include="*.java" src/ 2>/dev/null | grep -i "req\.\|params\|body\|query\|input\|user"
# Check for URL validation
grep -rn "url.*valid\|isURL\|parseURL\|new URL" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null
# Check for internal network access prevention
grep -rn "127\.0\.0\.1\|localhost\|169\.254\|10\.\|172\.16\|192\.168\|0\.0\.0\.0\|::1" --include="*.ts" --include="*.js" --include="*.py" src/ 2>/dev/null | grep -i "block\|deny\|reject\|filter\|whitelist\|allowlist"
What to flag:
- User-controlled URLs passed to fetch/axios/requests
- No URL validation or allowlist for outgoing requests
- No blocking of internal/private IP ranges
- Ability to specify protocols (file://, gopher://, dict://)
3. OWASP ASVS Compliance Check
Map findings to ASVS verification levels:
Level 1 — Minimum (All Applications)
| ASVS ID | Requirement | Status |
|---|---|---|
| V1.2.1 | Verify use of unique or special low-privilege OS account for all components | ⬜ |
| V2.1.1 | Verify user set passwords are at least 12 characters | ⬜ |
| V2.1.2 | Verify passwords of at least 64 characters are permitted | ⬜ |
| V2.1.7 | Verify passwords submitted during registration are checked against breached password set | ⬜ |
| V3.2.1 | Verify the application generates new session tokens on user authentication | ⬜ |
| V3.4.1 | Verify cookie-based session tokens have Secure attribute | ⬜ |
| V3.4.2 | Verify cookie-based session tokens have HttpOnly attribute | ⬜ |
| V3.4.3 | Verify cookie-based session tokens use SameSite attribute | ⬜ |
| V4.1.1 | Verify the application enforces access control rules on a trusted service layer | ⬜ |
| V4.1.2 | Verify all user/data attributes cannot be manipulated by end users | ⬜ |
| V5.1.1 | Verify the application has defenses against HTTP parameter pollution | ⬜ |
| V5.2.1 | Verify all untrusted HTML input is properly sanitized using safe HTML library | ⬜ |
| V5.3.1 | Verify output encoding relevant for the interpreter and context used | ⬜ |
| V5.3.4 | Verify data selection or database queries use parameterized queries | ⬜ |
| V8.3.1 | Verify sensitive data is sent using TLS | ⬜ |
| V8.3.4 | Verify all sensitive data is created with associated mechanisms for removal | ⬜ |
| V9.1.1 | Verify TLS is used for all client connectivity | ⬜ |
| V14.2.1 | Verify all components are up to date | ⬜ |
Level 2 — Standard (Applications Handling Sensitive Data)
| ASVS ID | Requirement | Status |
|---|---|---|
| V1.11.1 | Verify definition and documentation of all application components | ⬜ |
| V2.2.1 | Verify anti-automation controls protect against breached credential testing | ⬜ |
| V2.5.1 | Verify password change requires the current password | ⬜ |
| V2.8.1 | Verify time-based OTPs have a defined lifetime | ⬜ |
| V3.3.1 | Verify logout and expiration invalidates stateful session tokens | ⬜ |
| V3.5.1 | Verify the application allows users to revoke OAuth tokens | ⬜ |
| V4.2.1 | Verify sensitive data and APIs are protected against IDOR attacks | ⬜ |
| V5.2.4 | Verify the application avoids use of eval() or dynamic code execution | ⬜ |
| V5.5.1 | Verify serialized objects use integrity checks or encryption | ⬜ |
| V7.1.1 | Verify the application does not log credentials or payment details | ⬜ |
| V7.1.2 | Verify the application does not log other sensitive data | ⬜ |
| V8.1.1 | Verify the application protects sensitive data from being cached in server components | ⬜ |
| V9.1.2 | Verify TLS configuration uses current recommended cipher suites | ⬜ |
| V11.1.1 | Verify the application will only process business logic flows in sequential order | ⬜ |
| V13.1.1 | Verify all input is validated (API and web) | ⬜ |
| V14.4.1 | Verify every HTTP response contains a Content-Type header | ⬜ |
Level 3 — Advanced (Critical Applications: Healthcare, Finance, Military)
| ASVS ID | Requirement | Status |
|---|---|---|
| V1.5.1 | Verify input and output requirements are documented | ⬜ |
| V1.14.1 | Verify segregation of components of differing trust levels | ⬜ |
| V6.2.1 | Verify all cryptographic modules fail securely | ⬜ |
| V6.2.5 | Verify known insecure block modes, padding modes, or ciphers are not used | ⬜ |
| V8.2.1 | Verify the application sets sufficient anti-caching headers | ⬜ |
| V9.2.1 | Verify connections to and from the server use trusted TLS certificates | ⬜ |
| V10.3.1 | Verify the application source code and third-party libraries are free of backdoors | ⬜ |
| V14.5.1 | Verify the application server only accepts defined HTTP methods | ⬜ |
Mark each as: ✅ Pass | ❌ Fail | ⚠️ Partial | ⬜ Not Tested
4. CVSS v3.1 Scoring
Score each finding using CVSS v3.1:
Score Components
| Metric | Values |
|---|---|
| Attack Vector (AV) | Network (N) / Adjacent (A) / Local (L) / Physical (P) |
| Attack Complexity (AC) | Low (L) / High (H) |
| Privileges Required (PR) | None (N) / Low (L) / High (H) |
| User Interaction (UI) | None (N) / Required (R) |
| Scope (S) | Unchanged (U) / Changed (C) |
| Confidentiality (C) | None (N) / Low (L) / High (H) |
| Integrity (I) | None (N) / Low (L) / High (H) |
| Availability (A) | None (N) / Low (L) / High (H) |
Severity Ratings
| CVSS Score | Rating | Color |
|---|---|---|
| 0.0 | None | ⬜ |
| 0.1 - 3.9 | Low | 🟢 |
| 4.0 - 6.9 | Medium | 🟡 |
| 7.0 - 8.9 | High | 🟠 |
| 9.0 - 10.0 | Critical | 🔴 |
Common CVSS Vectors for Web Vulnerabilities
SQL Injection (unauthenticated):
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H → 9.8 Critical
Stored XSS:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N → 5.4 Medium
IDOR (authenticated user):
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N → 6.5 Medium
Missing Rate Limiting on Login:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N → 7.5 High
Exposed Secrets in Source:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H → 9.8 Critical
Weak Password Storage (MD5):
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N → 7.4 High
Missing CSRF:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N → 6.5 Medium
Missing Security Headers:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N → 4.2 Medium
Debug Mode in Production:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N → 5.3 Medium
Vulnerable Dependency (RCE):
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H → 9.8 Critical
5. Report Format
Generate the full report in this structure:
# Penetration Testing Report
## Executive Summary
**Application:** [Application Name]
**Version:** [Version/Commit]
**Assessment Date:** [Date]
**Assessor:** [Name/Team]
**Methodology:** OWASP WSTG v4.2, OWASP Top 10 (2021), OWASP ASVS v4.0
**Scope:** [What was tested — application, API, infrastructure]
**Classification:** [Confidential / Internal / Public]
### Overall Risk Rating
| Rating | [CRITICAL / HIGH / MEDIUM / LOW] |
|--------|----------------------------------|
| Total Findings | X |
| Critical | X |
| High | X |
| Medium | X |
| Low | X |
| Informational | X |
### Risk Distribution
🔴 Critical: ████░░░░░░ X findings
🟠 High: ██████░░░░ X findings
🟡 Medium: ████████░░ X findings
🟢 Low: ██░░░░░░░░ X findings
⬜ Info: █░░░░░░░░░ X findings
### Key Findings Summary
| # | Finding | OWASP Category | CVSS | Severity | Status |
|---|---------|---------------|------|----------|--------|
| 1 | [Title] | A01 - Broken Access Control | 9.1 | 🔴 Critical | Open |
| 2 | [Title] | A03 - Injection | 8.6 | 🟠 High | Open |
| 3 | [Title] | A02 - Cryptographic Failures | 7.4 | 🟠 High | Open |
| ... | ... | ... | ... | ... | ... |
---
## Scope and Methodology
### In Scope
- [Application URL / repository]
- [API endpoints]
- [Authentication flows]
- [Business logic]
### Out of Scope
- [Infrastructure / hosting]
- [Third-party services]
- [Physical security]
- [Social engineering]
### Testing Approach
- Static Application Security Testing (SAST) — source code review
- Dependency vulnerability scanning
- Configuration review
- OWASP Top 10 coverage
- OWASP ASVS Level [1/2/3] verification
### Tools Used
- Manual code review
- grep-based pattern scanning
- npm audit / pip audit
- [Any additional tools]
---
## Detailed Findings
### Finding 1: [Title]
| Attribute | Value |
|-----------|-------|
| **ID** | PT-001 |
| **Severity** | 🔴 Critical |
| **CVSS Score** | 9.8 |
| **CVSS Vector** | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| **OWASP Top 10** | A03:2021 — Injection |
| **OWASP WSTG** | WSTG-INPV-05 |
| **OWASP ASVS** | V5.3.4 |
| **CWE** | CWE-89: SQL Injection |
| **Location** | `src/api/routes/users.ts:45` |
| **Status** | Open |
**Description:**
[Detailed description of the vulnerability, how it was discovered,
and what it allows an attacker to do]
**Evidence:**
// Vulnerable code
const user = await db.query(SELECT * FROM users WHERE id = '${req.params.id}');
**Impact:**
[What an attacker could achieve — data breach, account takeover, RCE, etc.]
**Proof of Concept:**
Example attack request
curl "https://app.example.com/api/users/1' OR '1'='1"
**Remediation:**
// Fixed code const user = await db.query('SELECT * FROM users WHERE id = $1', [req.params.id]);
**Remediation Priority:** Immediate
**Estimated Effort:** [time to fix]
---
[Repeat for each finding...]
---
## OWASP Top 10 Coverage Matrix
| Category | Tested | Findings | Highest Severity |
|----------|--------|----------|-----------------|
| A01 — Broken Access Control | ✅ | X | [severity] |
| A02 — Cryptographic Failures | ✅ | X | [severity] |
| A03 — Injection | ✅ | X | [severity] |
| A04 — Insecure Design | ✅ | X | [severity] |
| A05 — Security Misconfiguration | ✅ | X | [severity] |
| A06 — Vulnerable Components | ✅ | X | [severity] |
| A07 — Auth Failures | ✅ | X | [severity] |
| A08 — Data Integrity Failures | ✅ | X | [severity] |
| A09 — Logging & Monitoring | ✅ | X | [severity] |
| A10 — SSRF | ✅ | X | [severity] |
## ASVS Compliance Summary
| Level | Requirements | Passed | Failed | Not Tested | Compliance |
|-------|-------------|--------|--------|-----------|------------|
| L1 | X | X | X | X | X% |
| L2 | X | X | X | X | X% |
| L3 | X | X | X | X | X% |
## Remediation Roadmap
### Immediate (0-48 hours)
| # | Finding | Severity | Effort | Owner |
|---|---------|----------|--------|-------|
| 1 | [Critical finding] | 🔴 Critical | 2h | |
| 2 | [Critical finding] | 🔴 Critical | 4h | |
### Short-Term (1-2 weeks)
| # | Finding | Severity | Effort | Owner |
|---|---------|----------|--------|-------|
| 3 | [High finding] | 🟠 High | 1d | |
| 4 | [High finding] | 🟠 High | 2d | |
### Medium-Term (1 month)
| # | Finding | Severity | Effort | Owner |
|---|---------|----------|--------|-------|
| 5 | [Medium finding] | 🟡 Medium | 2d | |
| 6 | [Medium finding] | 🟡 Medium | 3d | |
### Long-Term (1-3 months)
| # | Finding | Severity | Effort | Owner |
|---|---------|----------|--------|-------|
| 7 | [Low finding] | 🟢 Low | 1d | |
| 8 | [Architectural change] | 🟡 Medium | 1w | |
## Positive Findings
List security controls that ARE properly implemented:
- [Example: Passwords are hashed with bcrypt with cost factor 12]
- [Example: All API endpoints require authentication]
- [Example: HTTPS is enforced with HSTS]
- [Example: SQL queries use parameterized statements]
- [Example: Dependency lockfile is committed]
## Recommendations
### Quick Wins
1. [Action that takes <1 hour and fixes a critical issue]
2. [Action that takes <1 hour and fixes a critical issue]
### Process Improvements
1. [Add dependency scanning to CI/CD pipeline]
2. [Implement security code review checklist]
3. [Set up automated SAST scanning]
4. [Schedule quarterly penetration testing]
### Architecture Improvements
1. [Implement WAF for additional protection layer]
2. [Add centralized logging and alerting]
3. [Implement secrets management solution]
---
## Appendix
### A. Testing Checklist (WSTG)
[Full list of WSTG test cases with pass/fail/N/A status]
### B. Dependency Vulnerability Report
[Full output of npm audit / pip audit]
### C. ASVS Detailed Results
[Full ASVS checklist with individual requirement status]
### D. Glossary
| Term | Definition |
|------|-----------|
| CVSS | Common Vulnerability Scoring System |
| CWE | Common Weakness Enumeration |
| OWASP | Open Worldwide Application Security Project |
| ASVS | Application Security Verification Standard |
| WSTG | Web Security Testing Guide |
| SSRF | Server-Side Request Forgery |
| IDOR | Insecure Direct Object Reference |
| XSS | Cross-Site Scripting |
| CSRF | Cross-Site Request Forgery |
| SQLi | SQL Injection |
---
**Report prepared following OWASP standards.**
**This report is confidential and intended for authorized recipients only.**
Adaptation Rules
- Detect the ASVS level — Level 1 for basic apps, Level 2 for apps handling sensitive data, Level 3 for critical systems (healthcare, finance)
- Focus on the stack — only run checks relevant to the detected technology
- Use real file paths — reference exact lines where vulnerabilities are found
- Provide working fixes — not just descriptions, but actual corrected code
- Include positive findings — audits should acknowledge what's done well
- Prioritize by exploitability — a remotely exploitable unauthenticated vulnerability is more urgent than a local authenticated one
- Be specific — "SQL injection in user search endpoint at line 45" not "the app may have SQL injection"
- Include CVSS vectors — allow teams to validate and adjust severity ratings
- Generate remediation tickets — each finding should be actionable as a ticket
- Flag false positives — if a pattern looks vulnerable but has mitigations, note it
Summary
End every penetration testing report with:
- Overall risk rating — Critical / High / Medium / Low
- Finding count — total and by severity
- Top 3 most critical findings — immediate action items
- OWASP Top 10 coverage — which categories had findings
- ASVS compliance percentage — for the targeted level
- Remediation timeline — immediate, short-term, medium-term, long-term
- Retest recommendation — when to schedule the next assessment
Weekly Installs
3
Repository
aakash-dhar/cla…e-skillsFirst Seen
7 days ago
Security Audits
Installed on
opencode3
antigravity3
claude-code3
github-copilot3
codex3
amp3