SECURITY TESTING REPORT

Pentest Example

Sat, 19 Aug 2023 21:04:58 GMT

Pentest Example SECURITY TESTING REPORT

TABLE OF CONTENTS
P3 Executive Summary

P5 Testing Summary
P5 Scope
P5 Project Team

P6 Summary of Vulnerabilities
P6 Critical Priority Vulnerabilities
P6 High Priority Vulnerabilities
P6 Medium Priority Vulnerabilities
P6 Low Priority Vulnerabilities
P6 Info Priority Vulnerabilities

P6 Vulnerability Details

P7 Appendix: Overview Explained

P8 Appendix: Severity Definitions

P9 Appendix: Testcases

P15 Appendix: Asset-to-Vulnerability Mapping

P2 of 15
Pentest Example SECURITY TESTING REPORT

EXECUTIVE SUMMARY
Security Testing Overview
For more information on what this all means, please refer to APPENDIX: OVERVIEW EXPLAINED.

0 0 0 0

80

0 0 80 0

P3 of 15
Pentest Example SECURITY TESTING REPORT

P4 of 15
Pentest Example SECURITY TESTING REPORT

TESTING SUMMARY

START PROGRESS END

Tue Aug 01 2023 0% Fri Sep 01 2023

Total Vulnerabilities For All Assets - 0

Total Critical Vulnerabilities For All Assets - 0
Total High Vulnerabilities For All Assets - 0
Total Medium Vulnerabilities For All Assets - 0
Total Low Vulnerabilities For All Assets - 0
Total Info Vulnerabilities For All Assets - 0

Total Fixed Vulnerabilities For All Assets - 0

Total Retest Vulnerabilities For All Assets - 0
Total Not Fixed Vulnerabilities For All Assets - 0

ASSETS TESTED
1. This is the scope of the pentest

PROJECT TEAM
Edgar Huemac Sanchez Hernandez

P5 of 15
Pentest Example SECURITY TESTING REPORT

VULNERABILITIES

CRITICAL
No CRITICAL vulnerabilities

HIGH
No HIGH vulnerabilities

MEDIUM
No MEDIUM vulnerabilities

LOW
No LOW vulnerabilities

INFO
No INFO vulnerabilities

P6 of 15
Pentest Example SECURITY TESTING REPORT

APPENDIX: OVERVIEW EXPLAINED

P7 of 15
Pentest Example SECURITY TESTING REPORT

APPENDIX: SEVERITY DEFINITIONS

P8 of 15
Pentest Example SECURITY TESTING REPORT

APPENDIX: TESTCASES
COMPLETED
There are no testcases which have yet been tested.

IN PROGRESS
There are no testcases currently in progress.

NOT TESTED
OSSTMM v3 11.9.3.B - Check for default credentials.
- last updated 2023-08-19T21:04:54.474Z by Edgar Huemac Sanchez Hernandez
OSSTMM v3 11.9.3.A - Check for unnecessary or unused services/features available.
- last updated 2023-08-19T21:04:54.475Z by Edgar Huemac Sanchez Hernandez
OSSTMM v3 11.9.3.B - Verify default settings have been changed. Some devices or applications ship with a
default or hidden administrative account. These accounts should be changed, or if possible, disabled or
deleted and replaced with a new administrative account.
- last updated 2023-08-19T21:04:54.475Z by Edgar Huemac Sanchez Hernandez
OSSTMM v3 11.9.3.C - Verify that Administration is done locally or with controls to limit who or what can
access the remote administration interfaces.
- last updated 2023-08-19T21:04:54.475Z by Edgar Huemac Sanchez Hernandez
OSSTMM v3 11.9.1.B - Examine Access Control Lists (ACLs) and business roles configured on networks,
systems, services, and applications within the scope to ensure they meet the intent of the organisation and
reflect a business justification.
- last updated 2023-08-19T21:04:54.476Z by Edgar Huemac Sanchez Hernandez
OSSTMM v3 11.7.2.C - Test the strength and design of the encryption or obfuscation method.
- last updated 2023-08-19T21:04:54.476Z by Edgar Huemac Sanchez Hernandez
OSSTMM v3 11.5.3.D - Verify the logic method of authentication.
- last updated 2023-08-19T21:04:54.476Z by Edgar Huemac Sanchez Hernandez
OSSTMM v3 11.5.2.E - Verify the application version and check to see if its the latest stable version, and also
if it is affected by any publicly-disclosed vulnerabilities.
- last updated 2023-08-19T21:04:54.477Z by Edgar Huemac Sanchez Hernandez
OSSTMM v3 11.5.2.D - Verify system uptime compared to the latest vulnerabilities and patch releases.
- last updated 2023-08-19T21:04:54.477Z by Edgar Huemac Sanchez Hernandez
OSSTMM v3 11.11.2.B - Verify that private information and confidential intellectual property, such as
documents, service contracts, OS/Software keys, etc. are not available to anyone without proper privileges.
- last updated 2023-08-19T21:04:54.477Z by Edgar Huemac Sanchez Hernandez
Static Testing, Log files - Review log files. Check if any sensitive data is leaked. Check for unusual activity in
logs.
- last updated 2023-08-19T21:04:54.478Z by Edgar Huemac Sanchez Hernandez
Static Testing, Configuration Files (Clear-text details) - Check if configuration files of the application disclose
sensitive details.
- last updated 2023-08-19T21:04:54.478Z by Edgar Huemac Sanchez Hernandez
P9 of 15
Pentest Example SECURITY TESTING REPORT

Static Testing, Encryption Method - If the application uses encryption, check how encryption keys are stored
in the application, what kind of encryption is used in the application (i.e. symmetric or asymmetric
encryption).
- last updated 2023-08-19T21:04:54.479Z by Edgar Huemac Sanchez Hernandez
System level testing, Privilege levels of the application - Check for the privilege level of the application on the
client machine. If the application is running with system level privilege, it may be vulnerable to DLL hijacking
which may allow an attacker to elevate their privilege and execute commands as system level user of the
client machine.
- last updated 2023-08-19T21:04:54.479Z by Edgar Huemac Sanchez Hernandez
System level testing, Sensitive data in process memory - Check for clear-text credentials in process memory.
Winhex could be used to check for this. This vulnerability is commonly found in the applications which
transmit credentials and other sensitive data in clear-text format.
- last updated 2023-08-19T21:04:54.480Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v2.6 - Verify all authentication controls fail securely to ensure attackers cannot log in.
- last updated 2023-08-19T21:04:54.484Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v2.1 - Verify all pages and resources by default require authentication except those specifically
intended to be public (Principle of complete mediation).
- last updated 2023-08-19T21:04:54.485Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v2.9 - Verify that the changing password functionality includes the old password, the new
password, and a password confirmation.
- last updated 2023-08-19T21:04:54.485Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v2.4 - Verify all authentication controls are enforced on the server side.
- last updated 2023-08-19T21:04:54.485Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v2.2 - Verify that all password fields do not echo the user’s password when it is entered.
- last updated 2023-08-19T21:04:54.486Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v2.13 - Verify that account passwords make use of a sufficient strength encryption routine and
that it withstands brute force attack against the encryption routine.
- last updated 2023-08-19T21:04:54.486Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v2.16 - Verify that credentials are transported using a suitable encrypted link and that all
pages/functions that require a user to enter credentials are done so using an encrypted link.
- last updated 2023-08-19T21:04:54.486Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v2.17 - Verify that the forgotten password function and other recovery paths do not reveal the
current password and that the new password is not sent in clear text to the user.
- last updated 2023-08-19T21:04:54.487Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v2.19 - Verify there are no default passwords in use for the application framework or any
components used by the application (such as “admin/password”).
- last updated 2023-08-19T21:04:54.487Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v2.20 - Verify that request throttling is in place to prevent automated attacks against common
authentication attacks such as brute force attacks or denial of service attacks.
- last updated 2023-08-19T21:04:54.487Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v2.18 - Verify that information enumeration is not possible via login, password reset, or forgot
account functionality.
- last updated 2023-08-19T21:04:54.488Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v2.22 - Verify that forgotten password and other recovery paths use a soft token, mobile P10 ofpush,
15
Pentest Example SECURITY TESTING REPORT

or an offline recovery mechanism.

- last updated 2023-08-19T21:04:54.488Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v2.24 - Verify that if knowledge based questions (also known as 'secret questions') are
required, the questions should be strong enough to protect the application.
- last updated 2023-08-19T21:04:54.488Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v2.27 - Verify that measures are in place to block the use of commonly chosen passwords and
weak passphrases.
- last updated 2023-08-19T21:04:54.489Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v3.3 - Verify that sessions timeout/expire after a specified period of inactivity
- last updated 2023-08-19T21:04:54.489Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v3.2 - Verify that sessions are invalidated when the user logs out.
- last updated 2023-08-19T21:04:54.490Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v2.32 - Verify that administrative interfaces are not accessible to untrusted parties.
- last updated 2023-08-19T21:04:54.490Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v3.6 - Verify that the session id is never disclosed in URLs, error messages, or logs. This
includes verifying that the application does not support URL rewriting of session cookies.
- last updated 2023-08-19T21:04:54.491Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v3.7 - Verify that all successful authentication and re-authentication generates a new session
and session id.
- last updated 2023-08-19T21:04:54.491Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v3.11 - Verify that session ids are sufficiently long, random and unique across the correct
active session base.
- last updated 2023-08-19T21:04:54.491Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v4.1 - Verify that the principle of least privilege exists - users should only be able to access
functions, data files, URLs, controllers, services, and other resources, for which they possess specific
authorisation. This implies protection against spoofing and elevation of privilege.
- last updated 2023-08-19T21:04:54.491Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v3.16 - Verify that the application limits the number of active concurrent sessions.
- last updated 2023-08-19T21:04:54.492Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v3.12 - Verify that session ids stored in cookies have their path set to an appropriately
restrictive value for the application, and authentication session tokens additionally set the “HttpOnly” and
“secure” attributes
- last updated 2023-08-19T21:04:54.492Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v4.5 - Verify that directory browsing/indexing is disabled unless deliberately desired.
Additionally, applications should not allow discovery or disclosure of file or directory metadata, such as
Thumbs.db, .DS_Store, .git or .svn folders.
- last updated 2023-08-19T21:04:54.492Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v4.9 - Verify that the same access control rules implied by the presentation layer are enforced
on the server side.
- last updated 2023-08-19T21:04:54.493Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v4.4 - Verify that access to sensitive records is protected, such that only authorised objects or
data is accessible to each user (for example, protect against users tampering with a parameter to see or alter
another user's account).
- last updated 2023-08-19T21:04:54.493Z by Edgar Huemac Sanchez Hernandez P11 of 15
Pentest Example SECURITY TESTING REPORT

OWASP ASVS v5.10 - Verify that all SQL queries, HQL, OSQL, NOSQL and stored procedures, calling of
stored procedures are protected by the use of prepared statements or query parameterization, and thus not
susceptible to SQL injection.
- last updated 2023-08-19T21:04:54.493Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v5.11 - Verify that the application is not susceptible to LDAP Injection, or that security controls
prevent LDAP Injection.
- last updated 2023-08-19T21:04:54.494Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v5.12 - Verify that the application is not susceptible to OS Command Injection, or that security
controls prevent OS Command Injection.
- last updated 2023-08-19T21:04:54.494Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v5.15 - Ensure that all string variables placed into HTML or other web client code is either
properly contextually encoded manually, or utilise templates that automatically encode contextually to
ensure the application is not susceptible to reflected, stored and DOM Cross-Site Scripting (XSS) attacks.
- last updated 2023-08-19T21:04:54.494Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v5.13 - Verify that the application is not susceptible to Remote File Inclusion (RFI) or Local File
Inclusion (LFI) when content is used that is a path to a file.
- last updated 2023-08-19T21:04:54.494Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v5.14 - Verify that the application is not susceptible to common XML attacks, such as XPath
query tampering, XML External Entity attacks, and XML injection attacks.
- last updated 2023-08-19T21:04:54.496Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v5.19 - Verify that all input data is validated, not only HTML form fields but all sources of input
such as REST calls, query parameters, HTTP headers, cookies, batch files, RSS feeds, etc; using positive
validation (whitelisting), then lesser forms of validation such as greylisting (eliminating known bad strings), or
rejecting bad inputs (blacklisting).
- last updated 2023-08-19T21:04:54.496Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v5.26 - Verify that authenticated data is cleared from client storage, such as the browser DOM,
after the session is terminated.
- last updated 2023-08-19T21:04:54.496Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v5.21 - Verify that unstructured data is sanitised to enforce generic safety measures such as
allowed characters and length, and characters potentially harmful in given context should be escaped (e.g.
natural titles with Unicode or apostrophes).
- last updated 2023-08-19T21:04:54.496Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v9.4 - Verify that the application sets appropriate anti-caching headers as per the risk of the
application, such as the following: Expires: Tue, 03 Jul 2001 06:00:00 GMT; Last-Modified: {now}; GMT Cache-
Control: no-store, no-cache, must-revalidate, max-age=0; Cache-Control: post-check=0, pre-check=0;
Pragma: no-cache.
- last updated 2023-08-19T21:04:54.497Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v9.1 - Verify that all forms containing sensitive information have disabled client side caching,
including autocomplete features.
- last updated 2023-08-19T21:04:54.497Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v9.9 - Verify that data stored in client side storage - such as HTML5 local storage, session
storage, IndexedDB, regular cookies or Flash cookies - does not contain sensitive data or PII.
- last updated 2023-08-19T21:04:54.497Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v9.3 - Verify that all sensitive data is sent to the server in the HTTP message body orP12 headers
of 15
Pentest Example SECURITY TESTING REPORT

(i.e. URL parameters are never used to send sensitive data).

- last updated 2023-08-19T21:04:54.498Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v10.11 - Verify that HTTP Strict Transport Security headers are included on all requests and for
all subdomains, such as Strict-Transport-Security: max-age=15724800; includeSubdomains.
- last updated 2023-08-19T21:04:54.498Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v10.15 - Verify that only strong algorithms, ciphers, and protocols are used, through all the
certificate hierarchy, including root and intermediary certificates of your selected certifying authority. This
includes verifying weak ciphers.
- last updated 2023-08-19T21:04:54.498Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v11.2 - Verify that every HTTP response contains a content type header specifying a safe
character set (e.g., UTF-8, ISO 8859-1).
- last updated 2023-08-19T21:04:54.499Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v11.1 - Verify that the application accepts only a defined set of required HTTP request
methods, such as GET and POST are accepted, and unused methods (e.g. TRACE, PUT, and DELETE) are
explicitly blocked.
- last updated 2023-08-19T21:04:54.499Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v10.16 - Verify that the TLS settings are in line with current leading practice, particularly as
common configurations, ciphers, and algorithms become insecure.
- last updated 2023-08-19T21:04:54.500Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v11.5 - Verify that the HTTP headers or any part of the HTTP response do not expose detailed
version information of system components.
- last updated 2023-08-19T21:04:54.500Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v11.6 - Verify that all API responses contain X-Content-Type-Options: nosniff and Content-
Disposition: attachment; filetitle = 'api.json' (or other appropriate filetitle for the content type).
- last updated 2023-08-19T21:04:54.501Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v16.1 - Verify that URL redirects and forwards only allow whitelisted destinations, or show a
warning when redirecting to potentially untrusted content.
- last updated 2023-08-19T21:04:54.501Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v11.8 - Verify that the X-XSS-Protection: 1; mode=block header is in place.
- last updated 2023-08-19T21:04:54.502Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v16.2 - Verify that untrusted file data submitted to the application is not used directly with file I/
O commands, particularly to protect against path traversal, local file include, file mime type, and OS
command injection vulnerabilities
- last updated 2023-08-19T21:04:54.503Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v16.8 - Verify the application code does not execute uploaded data obtained from untrusted
sources.
- last updated 2023-08-19T21:04:54.503Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v16.5 - Verify that untrusted data is not used within cross-domain resource sharing (CORS) to
protect against arbitrary remote content.
- last updated 2023-08-19T21:04:54.503Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v16.3 - Verify that files obtained from untrusted sources are validated to be of expected type
and scanned by antivirus scanners to prevent upload of known malicious content.
- last updated 2023-08-19T21:04:54.504Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v18.2 - Verify that access to administration and management functions within the applicationP13 of 15
Pentest Example SECURITY TESTING REPORT

is limited to administrators.
- last updated 2023-08-19T21:04:54.504Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v18.6 - Verify the use of session-based authentication and authorisation.
- last updated 2023-08-19T21:04:54.504Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v18.8 - Verify the application explicitly checks the incoming Content-Type to be the expected
one, such as application/xml or application/json.
- last updated 2023-08-19T21:04:54.504Z by Edgar Huemac Sanchez Hernandez
AF-905-01 - Verify application sets appropriate X-Frame-Options header for all application responses, such
as DENY option.
- last updated 2023-08-19T21:04:54.505Z by Edgar Huemac Sanchez Hernandez
OWASP ASVS v18.7 - Verify that the application is protected from Cross-Site Request Forgery (CSRF).
- last updated 2023-08-19T21:04:54.505Z by Edgar Huemac Sanchez Hernandez
AF-904-01 - Verify application does not utilise third-party scripts from different origins.
- last updated 2023-08-19T21:04:54.505Z by Edgar Huemac Sanchez Hernandez
AF-915-02 - Verify application is not running on an outdated version of web server.
- last updated 2023-08-19T21:04:54.506Z by Edgar Huemac Sanchez Hernandez
AF-924-01 - Verify application does not utilise hardcoded credentials or passwords.
- last updated 2023-08-19T21:04:54.506Z by Edgar Huemac Sanchez Hernandez
AF-927-01 - Verify application does not utilise self-signed certificate.
- last updated 2023-08-19T21:04:54.507Z by Edgar Huemac Sanchez Hernandez
AF-961-01 - Verify application enforces password security policy and/or requirements.
- last updated 2023-08-19T21:04:54.507Z by Edgar Huemac Sanchez Hernandez
AF-941-01 - Verify application does not utilise predictable location for uploaded files.
- last updated 2023-08-19T21:04:54.507Z by Edgar Huemac Sanchez Hernandez
AF-952-01 - Verify application uses transport layer protection/security if transmitting sensitive information,
such as authenticated requests.
- last updated 2023-08-19T21:04:54.509Z by Edgar Huemac Sanchez Hernandez
AF-966-01 - Verify __VIEWSTATE parameter is encrypted.
- last updated 2023-08-19T21:04:54.509Z by Edgar Huemac Sanchez Hernandez

NOT APPLICABLE
There are no testcases which are not applicable.

P14 of 15
Pentest Example SECURITY TESTING REPORT

APPENDIX: ASSET-TO-VULNERABILITY MAPPING

1. This is the scope of the pentest

P15 of 15