Penetration Testing Report Skill

When generating a penetration testing report, follow OWASP standards and methodology. This skill produces a professional-grade report suitable for compliance reviews, stakeholder communication, and remediation planning.

1. Scope & Methodology Discovery

Determine Scope

Application type

cat package.json pyproject.toml Cargo.toml go.mod pom.xml composer.json Gemfile 2>/dev/null | head -30

Detect web framework (determines attack surface)

cat package.json 2>/dev/null | grep -E "express|fastify|next|nuxt|nest|koa|hapi|django|flask|fastapi|rails|laravel|spring|gin|fiber|echo"

Detect API type

grep -rn "app.get|app.post|@app.route|@GetMapping|router." --include=".ts" --include=".js" --include=".py" --include=".java" src/ app/ 2>/dev/null | head -20

Detect authentication mechanism

grep -rn "jwt|passport|oauth|session|cookie|bearer|auth" --include=".ts" --include=".js" --include=".py" --include=".java" src/ app/ 2>/dev/null | head -20

Detect database

grep -rn "postgres|mysql|mongo|redis|sqlite|prisma|sequelize|typeorm|mongoose|sqlalchemy|knex|drizzle" --include=".ts" --include=".js" --include=".py" --include=".java" src/ app/ 2>/dev/null | head -10

Detect frontend

cat package.json 2>/dev/null | grep -E "react|vue|angular|svelte|next|nuxt"

Map API endpoints (attack surface)

grep -rn "router.(get|post|put|delete|patch)|app.(get|post|put|delete|patch)|@app.route|@GetMapping|@PostMapping|@PutMapping|@DeleteMapping" --include=".ts" --include=".js" --include=".py" --include=".java" src/ app/ 2>/dev/null

Count total endpoints

grep -rn "router.(get|post|put|delete|patch)|app.(get|post|put|delete|patch)" --include=".ts" --include=".js" --include="*.py" src/ app/ 2>/dev/null | wc -l

Infrastructure

ls Dockerfile docker-compose.yml docker-compose.yaml k8s/ terraform/ nginx.conf 2>/dev/null

Testing Methodology

This report follows:

• OWASP Web Security Testing Guide (WSTG) v4.2 — structured testing methodology

• OWASP Top 10 (2021) — most critical web application security risks

• OWASP Application Security Verification Standard (ASVS) v4.0 — detailed security requirements

• CVSS v3.1 — Common Vulnerability Scoring System for severity rating

2. OWASP Top 10 (2021) Assessment

Test each category systematically:

A01:2021 — Broken Access Control

WSTG Tests:

• WSTG-ATHZ-01: Testing Directory Traversal/File Include

• WSTG-ATHZ-02: Testing for Bypassing Authorization Schema

• WSTG-ATHZ-03: Testing for Privilege Escalation

• WSTG-ATHZ-04: Testing for Insecure Direct Object References (IDOR)

Check for missing authorization middleware

grep -rn "router.(get|post|put|delete|patch)" --include=".ts" --include=".js" src/api/ src/routes/ 2>/dev/null | grep -v "auth|middleware|protect|guard|verify"

Check for IDOR vulnerabilities — direct ID usage without ownership check

grep -rn "req.params.id|req.params.userId|request.args.get.id" --include=".ts" --include=".js" --include=".py" src/ 2>/dev/null

Check for path traversal

grep -rn "req.params|req.query|request.args" --include=".ts" --include=".js" --include="*.py" src/ 2>/dev/null | grep -i "file|path|dir|upload|download"

Check for missing role-based access control

grep -rn "role|permission|isAdmin|hasRole|authorize|can(" --include=".ts" --include=".js" --include="*.py" src/ 2>/dev/null

Check for CORS misconfiguration

grep -rn "Access-Control-Allow-Origin|cors(" --include=".ts" --include=".js" --include="*.py" src/ 2>/dev/null

Check for missing CSRF protection

grep -rn "csrf|csrfToken|_token|antiforgery" --include=".ts" --include=".js" --include=".py" --include=".html" src/ 2>/dev/null

What to flag:

• Endpoints accessible without authentication

• Missing ownership verification on resource access (IDOR)

• Horizontal privilege escalation (user A accessing user B's data)

• Vertical privilege escalation (regular user accessing admin functions)

• CORS with wildcard origin on authenticated endpoints

• Missing CSRF tokens on state-changing operations

• Directory traversal in file operations

• Missing rate limiting on sensitive endpoints

A02:2021 — Cryptographic Failures

WSTG Tests:

• WSTG-CRYP-01: Testing for Weak Transport Layer Security

• WSTG-CRYP-02: Testing for Padding Oracle

• WSTG-CRYP-03: Testing for Sensitive Information via Unencrypted Channels

• WSTG-CRYP-04: Testing for Weak Encryption

Check for weak hashing algorithms

grep -rn "md5|sha1|SHA1|MD5" --include=".ts" --include=".js" --include=".py" --include=".java" src/ 2>/dev/null | grep -v "node_modules|test|spec"

Check for weak encryption

grep -rn "DES|RC4|ECB|Blowfish" --include=".ts" --include=".js" --include=".py" --include=".java" src/ 2>/dev/null

Check for hardcoded encryption keys

grep -rn "encryption_key|ENCRYPTION_KEY|secret_key|SECRET_KEY|private_key" --include=".ts" --include=".js" --include="*.py" src/ 2>/dev/null | grep -v "process.env|os.environ|config.|.env"

Check for insecure random

grep -rn "Math.random|random.random|rand()|srand" --include=".ts" --include=".js" --include=".py" --include=".php" src/ 2>/dev/null

Check password hashing

grep -rn "bcrypt|argon2|scrypt|pbkdf2" --include=".ts" --include=".js" --include="*.py" src/ 2>/dev/null

Check for sensitive data in plain text

grep -rn "password.=|creditCard|ssn|social_security|credit_card" --include=".ts" --include=".js" --include=".py" src/ 2>/dev/null | grep -v "test|spec|mock|hash|bcrypt"

Check TLS configuration

grep -rn "http://|ssl.false|verify.false|rejectUnauthorized.false|VERIFY_NONE" --include=".ts" --include=".js" --include=".py" --include="*.java" src/ 2>/dev/null

What to flag:

• Passwords stored with MD5/SHA1 instead of bcrypt/argon2

• Sensitive data transmitted over HTTP

• Hardcoded encryption keys or secrets

• Weak TLS configuration

• Math.random() for security-sensitive values

• Sensitive data stored unencrypted at rest

• Missing HSTS headers

A03:2021 — Injection

WSTG Tests:

• WSTG-INPV-05: Testing for SQL Injection

• WSTG-INPV-06: Testing for LDAP Injection

• WSTG-INPV-07: Testing for XML Injection

• WSTG-INPV-12: Testing for Command Injection

• WSTG-INPV-11: Testing for Code Injection

SQL Injection — string concatenation in queries

grep -rn "SELECT.+|INSERT.+|UPDATE.+|DELETE.+|WHERE.+|`SELECT|`INSERT|`UPDATE|`DELETE" --include=".ts" --include=".js" --include=".py" --include=".java" --include=".php" src/ 2>/dev/null | grep -v "test|spec|mock"

SQL Injection — template literals in queries

grep -rn "query.${|execute.${" --include=".ts" --include=".js" src/ 2>/dev/null

NoSQL Injection

grep -rn "find(|findOne(|updateOne(|deleteOne(" --include=".ts" --include=".js" src/ 2>/dev/null | grep "req.|request."

Command Injection

grep -rn "exec(|execSync|spawn(|system(|popen|subprocess.(call|run|Popen)" --include=".ts" --include=".js" --include="*.py" src/ 2>/dev/null

XSS — innerHTML and dangerouslySetInnerHTML

grep -rn "innerHTML|dangerouslySetInnerHTML|v-html|.html(|{!!.!!}" --include=".ts" --include=".tsx" --include=".js" --include=".jsx" --include=".vue" --include="*.php" src/ 2>/dev/null

Template Injection

grep -rn "render_template_string|Template(|Jinja2|eval(" --include=".py" --include=".js" --include="*.ts" src/ 2>/dev/null

LDAP Injection

grep -rn "ldap.|LDAP.|search_s|search_ext" --include=".py" --include=".java" src/ 2>/dev/null

XPath Injection

grep -rn "xpath|XPath|selectNodes|evaluate(" --include=".ts" --include=".js" --include="*.java" src/ 2>/dev/null

What to flag:

• String concatenation or template literals in SQL queries

• User input passed directly to MongoDB queries

• User input in exec/spawn/system calls

• Unsanitized HTML rendering (innerHTML, dangerouslySetInnerHTML, v-html)

• Template injection via user-controlled template strings

• Missing parameterized queries

A04:2021 — Insecure Design

Check for missing rate limiting

grep -rn "rate.limit|rateLimit|throttle|slowDown" --include=".ts" --include=".js" --include="*.py" src/ 2>/dev/null

Check for missing input validation library

cat package.json 2>/dev/null | grep -E "zod|joi|yup|class-validator|express-validator" cat requirements.txt pyproject.toml 2>/dev/null | grep -E "pydantic|marshmallow|cerberus|voluptuous"

Check for missing error boundaries / global error handling

grep -rn "errorHandler|ErrorBoundary|unhandledRejection|uncaughtException" --include=".ts" --include=".js" --include="*.tsx" src/ 2>/dev/null

Check for business logic flaws

grep -rn "TODO.*secur|FIXME.auth|HACK.valid|XXX.check" --include=".ts" --include=".js" --include=".py" src/ 2>/dev/null

What to flag:

• Missing rate limiting on authentication endpoints

• Missing input validation framework

• No global error handler

• Missing account lockout mechanism

• No bot detection on public forms

• Missing business rule enforcement server-side

• Trusting client-side validation only

A05:2021 — Security Misconfiguration

Debug mode in production configs

grep -rn "DEBUG.=.True|debug.:.true|NODE_ENV.development" --include=".py" --include=".ts" --include=".js" --include=".yaml" --include=".yml" --include="*.json" src/ config/ 2>/dev/null | grep -v "test|spec|dev"

Default credentials

grep -rn "admin.admin|password.password|root.root|default.password|changeme" --include=".ts" --include=".js" --include=".py" --include=".yaml" --include=".yml" --include=".json" . 2>/dev/null | grep -v "node_modules|test|spec|.md"

Exposed stack traces / error details

grep -rn "stack.trace|traceback|stackTrace|.stack\b" --include=".ts" --include=".js" --include=".py" src/ 2>/dev/null | grep -i "res.|response.|send|json"

Security headers check

grep -rn "helmet|SecurityMiddleware|Content-Security-Policy|X-Frame-Options|X-Content-Type-Options|Strict-Transport-Security" --include=".ts" --include=".js" --include=".py" --include=".conf" src/ config/ 2>/dev/null

Permissive CORS

grep -rn "origin.*|Access-Control-Allow-Origin.*|cors({.origin.true" --include=".ts" --include=".js" --include="*.py" src/ 2>/dev/null

Exposed internal paths/ports

grep -rn "localhost|127.0.0.1|0.0.0.0" --include=".ts" --include=".js" --include=".py" --include=".yaml" --include="*.yml" src/ config/ 2>/dev/null | grep -v "test|spec|.md"

Dockerfile security

cat Dockerfile 2>/dev/null | grep -E "^USER|^FROM|COPY.*.env|--no-cache"

.env committed

git ls-files | grep -i ".env$|.env." | grep -v ".example|.sample|.template"

Exposed API docs in production

grep -rn "swagger|openapi|api-docs|graphql.playground|graphiql" --include=".ts" --include=".js" --include=".py" --include="*.yaml" src/ config/ 2>/dev/null

What to flag:

• Debug mode enabled in production configuration

• Default credentials present

• Stack traces returned in API responses

• Missing security headers (CSP, HSTS, X-Frame-Options)

• Wildcard CORS on authenticated endpoints

• .env files committed to Git

• Container running as root

• Swagger/GraphQL playground exposed in production

• Unnecessary services/ports exposed

A06:2021 — Vulnerable and Outdated Components

Node.js vulnerability audit

npm audit --json 2>/dev/null | head -100

Python vulnerability audit

pip audit --format json 2>/dev/null | head -100 safety check --json 2>/dev/null | head -100

Check for outdated packages

npm outdated 2>/dev/null | head -30 pip list --outdated 2>/dev/null | head -30

Check Node.js version EOL status

node --version 2>/dev/null

Check for known vulnerable package versions

cat package-lock.json 2>/dev/null | grep -E "jsonwebtoken|lodash|axios|express" | head -20

Check for unmaintained packages (rough heuristic)

cat package.json 2>/dev/null | grep -E '"dependencies"' -A 100 | grep -E '":' | head -30

What to flag:

• Dependencies with known CVEs (critical and high)

• Packages with no updates in 2+ years

• Runtime/language version past end-of-life

• Missing lockfile (package-lock.json, yarn.lock)

• Unpinned dependency versions

A07:2021 — Identification and Authentication Failures

Password policy

grep -rn "password.length|password.min|minLength.password|PASSWORD_MIN" --include=".ts" --include=".js" --include=".py" src/ 2>/dev/null

Session management

grep -rn "session|cookie.httpOnly|cookie.secure|cookie.sameSite|maxAge|expires" --include=".ts" --include=".js" --include=".py" src/ 2>/dev/null

JWT configuration

grep -rn "jwt.|jsonwebtoken|JWT_SECRET|JWT_EXPIR|expiresIn|algorithm.HS|algorithm.RS" --include=".ts" --include=".js" --include="*.py" src/ 2>/dev/null

Brute force protection

grep -rn "lockout|max.*attempt|failed.login|login.attempt|account.lock" --include=".ts" --include=".js" --include=".py" src/ 2>/dev/null

Password reset flow

grep -rn "reset.*password|forgot.password|password.reset|reset.token" --include=".ts" --include=".js" --include=".py" src/ 2>/dev/null

Multi-factor authentication

grep -rn "mfa|2fa|two.factor|totp|authenticator" --include=".ts" --include=".js" --include="*.py" src/ 2>/dev/null

Token storage

grep -rn "localStorage.(set|get)Item.token|sessionStorage.token" --include=".ts" --include=".tsx" --include=".js" --include=".jsx" src/ 2>/dev/null

What to flag:

• No minimum password length or complexity requirements

• Missing brute force protection on login

• Tokens stored in localStorage (should use httpOnly cookies)

• JWT with no expiration or very long expiration

• JWT using weak algorithm (HS256 with short secret)

• Missing session invalidation on logout

• Password reset tokens that don't expire

• Same error message for "user not found" and "wrong password" (information leakage)

• Missing MFA option for sensitive operations

A08:2021 — Software and Data Integrity Failures

Check for insecure deserialization

grep -rn "JSON.parse|pickle.load|yaml.load|unserialize|ObjectInputStream|eval(" --include=".ts" --include=".js" --include=".py" --include=".php" --include="*.java" src/ 2>/dev/null

Check for CI/CD security

cat .github/workflows/*.yml .gitlab-ci.yml 2>/dev/null | grep -E "secrets.|pull_request_target|npm install|pip install" | head -20

Check for subresource integrity

grep -rn "<script.src=|<link.href=" --include=".html" --include=".tsx" --include="*.jsx" src/ public/ 2>/dev/null | grep -v "integrity="

Check for webhook signature verification

grep -rn "webhook|signature|hmac|verify.signature" --include=".ts" --include=".js" --include=".py" src/ 2>/dev/null

What to flag:

• Unsafe deserialization of user input (pickle, yaml.load without SafeLoader, eval)

• CI/CD pipelines running untrusted code

• CDN scripts without subresource integrity (SRI) hashes

• Webhook endpoints not verifying signatures

• Missing code signing or integrity checks on updates

A09:2021 — Security Logging and Monitoring Failures

Check for logging framework

grep -rn "winston|pino|bunyan|morgan|log4j|logback|logging.|logger." --include=".ts" --include=".js" --include=".py" --include=".java" src/ 2>/dev/null | head -10

Check for security event logging

grep -rn "login.*log|auth.*log|failed.log|unauthorized.log|forbidden.log" --include=".ts" --include=".js" --include=".py" src/ 2>/dev/null

Check for sensitive data in logs

grep -rn "log.*password|log.*token|log.*secret|log.credit|log.ssn|console.log.req.body" --include=".ts" --include=".js" --include=".py" src/ 2>/dev/null

Check for error monitoring

cat package.json 2>/dev/null | grep -E "sentry|datadog|newrelic|bugsnag|rollbar"

Check for audit trail

grep -rn "audit|trail|history|changelog|activity.log" --include=".ts" --include=".js" --include=".py" src/ 2>/dev/null

What to flag:

• No structured logging framework in use

• Authentication events not logged (login, logout, failed attempts)

• Sensitive data appearing in logs (passwords, tokens, PII)

• No error monitoring service configured

• Missing audit trail for sensitive operations (admin actions, data changes)

• Log files accessible without authentication

• No alerting on security events

A10:2021 — Server-Side Request Forgery (SSRF)

Check for SSRF-prone code

grep -rn "fetch(|axios.|request(|http.get|urllib|requests.get|HttpClient" --include=".ts" --include=".js" --include=".py" --include=".java" src/ 2>/dev/null | grep -i "req.|params|body|query|input|user"

Check for URL validation

grep -rn "url.valid|isURL|parseURL|new URL" --include=".ts" --include=".js" --include=".py" src/ 2>/dev/null

Check for internal network access prevention

grep -rn "127.0.0.1|localhost|169.254|10.|172.16|192.168|0.0.0.0|::1" --include=".ts" --include=".js" --include="*.py" src/ 2>/dev/null | grep -i "block|deny|reject|filter|whitelist|allowlist"

What to flag:

• User-controlled URLs passed to fetch/axios/requests

• No URL validation or allowlist for outgoing requests

• No blocking of internal/private IP ranges

• Ability to specify protocols (file://, gopher://, dict://)

3. OWASP ASVS Compliance Check

Map findings to ASVS verification levels:

Level 1 — Minimum (All Applications)

ASVS ID Requirement Status

V1.2.1 Verify use of unique or special low-privilege OS account for all components ⬜

V2.1.1 Verify user set passwords are at least 12 characters ⬜

V2.1.2 Verify passwords of at least 64 characters are permitted ⬜

V2.1.7 Verify passwords submitted during registration are checked against breached password set ⬜

V3.2.1 Verify the application generates new session tokens on user authentication ⬜

V3.4.1 Verify cookie-based session tokens have Secure attribute ⬜

V3.4.2 Verify cookie-based session tokens have HttpOnly attribute ⬜

V3.4.3 Verify cookie-based session tokens use SameSite attribute ⬜

V4.1.1 Verify the application enforces access control rules on a trusted service layer ⬜

V4.1.2 Verify all user/data attributes cannot be manipulated by end users ⬜

V5.1.1 Verify the application has defenses against HTTP parameter pollution ⬜

V5.2.1 Verify all untrusted HTML input is properly sanitized using safe HTML library ⬜

V5.3.1 Verify output encoding relevant for the interpreter and context used ⬜

V5.3.4 Verify data selection or database queries use parameterized queries ⬜

V8.3.1 Verify sensitive data is sent using TLS ⬜

V8.3.4 Verify all sensitive data is created with associated mechanisms for removal ⬜

V9.1.1 Verify TLS is used for all client connectivity ⬜

V14.2.1 Verify all components are up to date ⬜

Level 2 — Standard (Applications Handling Sensitive Data)

ASVS ID Requirement Status

V1.11.1 Verify definition and documentation of all application components ⬜

V2.2.1 Verify anti-automation controls protect against breached credential testing ⬜

V2.5.1 Verify password change requires the current password ⬜

V2.8.1 Verify time-based OTPs have a defined lifetime ⬜

V3.3.1 Verify logout and expiration invalidates stateful session tokens ⬜

V3.5.1 Verify the application allows users to revoke OAuth tokens ⬜

V4.2.1 Verify sensitive data and APIs are protected against IDOR attacks ⬜

V5.2.4 Verify the application avoids use of eval() or dynamic code execution ⬜

V5.5.1 Verify serialized objects use integrity checks or encryption ⬜

V7.1.1 Verify the application does not log credentials or payment details ⬜

V7.1.2 Verify the application does not log other sensitive data ⬜

V8.1.1 Verify the application protects sensitive data from being cached in server components ⬜

V9.1.2 Verify TLS configuration uses current recommended cipher suites ⬜

V11.1.1 Verify the application will only process business logic flows in sequential order ⬜

V13.1.1 Verify all input is validated (API and web) ⬜

V14.4.1 Verify every HTTP response contains a Content-Type header ⬜

Level 3 — Advanced (Critical Applications: Healthcare, Finance, Military)

ASVS ID Requirement Status

V1.5.1 Verify input and output requirements are documented ⬜

V1.14.1 Verify segregation of components of differing trust levels ⬜

V6.2.1 Verify all cryptographic modules fail securely ⬜

V6.2.5 Verify known insecure block modes, padding modes, or ciphers are not used ⬜

V8.2.1 Verify the application sets sufficient anti-caching headers ⬜

V9.2.1 Verify connections to and from the server use trusted TLS certificates ⬜

V10.3.1 Verify the application source code and third-party libraries are free of backdoors ⬜

V14.5.1 Verify the application server only accepts defined HTTP methods ⬜

Mark each as: ✅ Pass | ❌ Fail | ⚠️ Partial | ⬜ Not Tested

4. CVSS v3.1 Scoring

Score each finding using CVSS v3.1:

Score Components

Metric Values

Attack Vector (AV) Network (N) / Adjacent (A) / Local (L) / Physical (P)

Attack Complexity (AC) Low (L) / High (H)

Privileges Required (PR) None (N) / Low (L) / High (H)

User Interaction (UI) None (N) / Required (R)

Scope (S) Unchanged (U) / Changed (C)

Confidentiality (C) None (N) / Low (L) / High (H)

Integrity (I) None (N) / Low (L) / High (H)

Availability (A) None (N) / Low (L) / High (H)

Severity Ratings

CVSS Score Rating Color

0.0 None ⬜

0.1 - 3.9 Low 🟢

4.0 - 6.9 Medium 🟡

7.0 - 8.9 High 🟠

9.0 - 10.0 Critical 🔴

Common CVSS Vectors for Web Vulnerabilities

SQL Injection (unauthenticated): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H → 9.8 Critical

Stored XSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N → 5.4 Medium

IDOR (authenticated user): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N → 6.5 Medium

Missing Rate Limiting on Login: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N → 7.5 High

Exposed Secrets in Source: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H → 9.8 Critical

Weak Password Storage (MD5): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N → 7.4 High

Missing CSRF: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N → 6.5 Medium

Missing Security Headers: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N → 4.2 Medium

Debug Mode in Production: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N → 5.3 Medium

Vulnerable Dependency (RCE): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H → 9.8 Critical

5. Report Format

Generate the full report in this structure:

Penetration Testing Report

Executive Summary

Application: [Application Name] Version: [Version/Commit] Assessment Date: [Date] Assessor: [Name/Team] Methodology: OWASP WSTG v4.2, OWASP Top 10 (2021), OWASP ASVS v4.0 Scope: [What was tested — application, API, infrastructure] Classification: [Confidential / Internal / Public]

Overall Risk Rating

Risk Distribution

🔴 Critical: ████░░░░░░ X findings 🟠 High: ██████░░░░ X findings 🟡 Medium: ████████░░ X findings 🟢 Low: ██░░░░░░░░ X findings ⬜ Info: █░░░░░░░░░ X findings

Key Findings Summary

Scope and Methodology

In Scope

• [Application URL / repository]
• [API endpoints]
• [Authentication flows]
• [Business logic]

Out of Scope

• [Infrastructure / hosting]
• [Third-party services]
• [Physical security]
• [Social engineering]

Testing Approach

• Static Application Security Testing (SAST) — source code review
• Dependency vulnerability scanning
• Configuration review
• OWASP Top 10 coverage
• OWASP ASVS Level [1/2/3] verification

Tools Used

• Manual code review
• grep-based pattern scanning
• npm audit / pip audit
• [Any additional tools]

Detailed Findings

Finding 1: [Title]

Description: [Detailed description of the vulnerability, how it was discovered, and what it allows an attacker to do]

Evidence:

// Vulnerable code const user = await db.query(SELECT * FROM users WHERE id = '${req.params.id}' );

Impact: [What an attacker could achieve — data breach, account takeover, RCE, etc.]

Proof of Concept:

Example attack request

curl "https://app.example.com/api/users/1' OR '1'='1"

Remediation:

// Fixed code const user = await db.query('SELECT * FROM users WHERE id = $1', [req.params.id]);

Remediation Priority: Immediate Estimated Effort: [time to fix]

[Repeat for each finding...]

OWASP Top 10 Coverage Matrix

ASVS Compliance Summary

Remediation Roadmap

Immediate (0-48 hours)

Short-Term (1-2 weeks)

Medium-Term (1 month)

Long-Term (1-3 months)

Positive Findings

List security controls that ARE properly implemented:

• [Example: Passwords are hashed with bcrypt with cost factor 12]
• [Example: All API endpoints require authentication]
• [Example: HTTPS is enforced with HSTS]
• [Example: SQL queries use parameterized statements]
• [Example: Dependency lockfile is committed]

Recommendations

Quick Wins

1. [Action that takes <1 hour and fixes a critical issue]
2. [Action that takes <1 hour and fixes a critical issue]

Process Improvements

1. [Add dependency scanning to CI/CD pipeline]
2. [Implement security code review checklist]
3. [Set up automated SAST scanning]
4. [Schedule quarterly penetration testing]

Architecture Improvements

1. [Implement WAF for additional protection layer]
2. [Add centralized logging and alerting]
3. [Implement secrets management solution]

Appendix

A. Testing Checklist (WSTG)

[Full list of WSTG test cases with pass/fail/N/A status]

B. Dependency Vulnerability Report

[Full output of npm audit / pip audit]

C. ASVS Detailed Results

[Full ASVS checklist with individual requirement status]

D. Glossary

Report prepared following OWASP standards. This report is confidential and intended for authorized recipients only.

Adaptation Rules

• Detect the ASVS level — Level 1 for basic apps, Level 2 for apps handling sensitive data, Level 3 for critical systems (healthcare, finance)

• Focus on the stack — only run checks relevant to the detected technology

• Use real file paths — reference exact lines where vulnerabilities are found

• Provide working fixes — not just descriptions, but actual corrected code

• Include positive findings — audits should acknowledge what's done well

• Prioritize by exploitability — a remotely exploitable unauthenticated vulnerability is more urgent than a local authenticated one

• Be specific — "SQL injection in user search endpoint at line 45" not "the app may have SQL injection"

• Include CVSS vectors — allow teams to validate and adjust severity ratings

• Generate remediation tickets — each finding should be actionable as a ticket

• Flag false positives — if a pattern looks vulnerable but has mitigations, note it

Summary

End every penetration testing report with:

• Overall risk rating — Critical / High / Medium / Low

• Finding count — total and by severity

• Top 3 most critical findings — immediate action items

• OWASP Top 10 coverage — which categories had findings

• ASVS compliance percentage — for the targeted level

• Remediation timeline — immediate, short-term, medium-term, long-term

• Retest recommendation — when to schedule the next assessment