Writing the Pentest Report - Learning Pentesting for Android Devices (2014)


Chapter 9. Writing the Pentest Report

In this chapter, we will learn the final and most important aspect of penetration testing: writing the report. This will be a short chapter guiding you through writing down your methodologies and findings in a report. The better you as a penetration tester are able to explain and document your findings, the better the penetration testing report will be. For most penetration testers it is the least interesting part of the penetration test, but it is also one of the most vital, as it serves as "to the point" material that is easily understood by other technical and management people.

Basics of a penetration testing report

A penetration testing report documents a summary of all the findings made during a penetration testing process, including but not limited to the methodologies used, scope of the work, assumptions, severity of the vulnerabilities, and so on. The penetration testing report serves as the complete document for the penetration test, which can be used for eliminating the discovered vulnerabilities and for further reference as well.

Writing the pentest report

To understand how to write the penetration testing report, it helps to have a clear understanding of its most important components.

Some of the most important components include:

· Executive summary

· Summary of vulnerabilities

· Scope of the work

· Tools used

· Testing methodologies followed

· Recommendations

· Conclusion

· Appendix

Apart from these, there should also be sufficient detail about the penetration test, the organization conducting it, and the client, along with the Non-Disclosure Agreement. Let us go through the above components one by one and take a quick look at each.

Executive summary

The executive summary is a quick walkthrough of the entire outcome of the penetration test. It need not be very technical; its purpose is to present the whole penetration test in as short a form as possible. The executive summary is what management and senior officials look at first.

An example of this would be as follows:

The Penetration Test of the XYZ Application found a significant number of open input validation flaws, which could allow an attacker to gain access to sensitive data.

You should also explain how severe this vulnerability is for the business of the organization.

Vulnerabilities

As the topic heading suggests, this should include a summary of all the vulnerabilities discovered in the application, along with the relevant details. You could include the CVE number, if one has been assigned to the vulnerability you've found in the application. You should also include the technical details of the application that lead to the vulnerability. Another great way of representing the vulnerabilities is to classify them into categories (low, medium, and high) and then represent them on a pie chart or any other graphical representation.
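The classification step described above, as an added example that is not part of the original book: it validates a list of findings, computes the low/medium/high breakdown that would feed a pie chart, and renders a plain-text summary section. The findings, field names and function names are constructed for illustration.

```python
from collections import Counter

SEVERITIES = ("high", "medium", "low")  # categories named in the chapter

# Constructed sample findings for a fictional "XYZ" app (not real results).
# "cve" stays None unless a CVE has actually been assigned.
FINDINGS = [
    {"title": "Debug logging left enabled", "severity": "low", "cve": None},
    {"title": "Login traffic sent without SSL", "severity": "high", "cve": None},
    {"title": "Exported activity accepts unvalidated input", "severity": "medium", "cve": None},
    {"title": "Session file saved world-readable", "severity": "high", "cve": None},
]

def validate(findings):
    """Reject findings that cannot be placed in the summary."""
    for f in findings:
        if not f.get("title"):
            raise ValueError("finding without a title")
        if f.get("severity") not in SEVERITIES:
            raise ValueError(f"unknown severity in {f['title']!r}")

def severity_breakdown(findings):
    """Return [(severity, count, percent)], high first: the pie-chart data."""
    validate(findings)
    counts = Counter(f["severity"] for f in findings)
    total = len(findings)
    return [(s, counts[s], round(100 * counts[s] / total, 1) if total else 0.0)
            for s in SEVERITIES]

def render_summary(findings):
    """Render the 'Summary of vulnerabilities' section as plain text."""
    lines = ["Summary of vulnerabilities", ""]
    for sev, count, pct in severity_breakdown(findings):
        lines.append(f"{sev.capitalize():<7}{count:>3}  {pct:5.1f}%  {'#' * count}")
    lines.append("")
    # Stable sort keeps discovery order within each severity level.
    ordered = sorted(findings, key=lambda f: SEVERITIES.index(f["severity"]))
    for n, f in enumerate(ordered, 1):
        cve = f["cve"] or "no CVE assigned"
        lines.append(f"{n}. [{f['severity'].upper()}] {f['title']} ({cve})")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_summary(FINDINGS))
```
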

Scope of the work

The scope of the work simply states which applications and services were covered and assessed in the penetration test. It could be as simple as a line like the following:

The scope of the work was limited to XYZ Android and iOS Applications, not including any server-side components.

Tools used

This is an optional category and can often be included within another category where we discuss the vulnerability findings and the technical details. In this section, we could simply mention the different tools used along with their specific versions.

Testing methodologies followed

This category is one of the most important ones and should be written in a detailed manner. Here, the penetration tester needs to specify the different techniques used and the path followed during the penetration-testing phase. It could start with simple app reversing, then move on to traffic analysis, to analyzing the libraries and binaries using different tools, and so on.

This category should specify all the steps that another person would need to follow in order to fully understand and reproduce the vulnerabilities.

Recommendations

This category should specify the different tasks the organization needs to perform in order to safeguard itself and fix the vulnerability loopholes. This might include recommendations such as saving files with proper permissions, sending network traffic securely with the proper use of SSL, and so on. It should also include the correct way to perform those tasks given the organization's scenario.

Conclusion

This component should simply summarize the overall results of the penetration test; we could simply say that the application was insecure, with an overview of the types of vulnerabilities. Remember, we should not get into the details of the different vulnerabilities found, since we have already covered them in the previous sections.

Appendix

The last section of the penetration testing report should be the appendix, a quick reference that the reader can use to go to a particular topic of the penetration test.

Summary

In this chapter, we had a quick walkthrough of the different components of a penetration testing report, which the penetration tester needs to understand in order to write the report. This chapter was meant to be a short, handy guide for the final stage of the pentesting process, that is, writing the pentesting report. Also, you can find a sample penetration testing report on the next page.

I hope the book will serve as a great tool for penetration testers and people wanting to get into Android security. The tools and techniques mentioned in this book will help you as a reader to get started in Android security. Good Luck!

Please check out the sample of a pentest report in the following section: