Hi all,

I have been an ethical hacker for about 6 years but mainly operating out of Africa where PT is still being regarded as some sort of "black magic". Most of our clients are big financial institutions and a conglomerates.

I have been a passive member of this forum for some time now and would like to share with you a VA/PT report framework that i came up with from my experience consulting in this field. I do not know how reports are structured in other parts of the world, but i do know that other than the engagement itself, the report serves to justify the derived value around these parts.

I have googled for sample reports but to say i came up short is a masterpiece of understatement. What i found were either too verbose and grandiose or downright narrow in scope missing out salient but pertinent details in mostly  audacious attempts at describing all the technical input and results  - Detailed layout, logical flow and visual analysis are conspicuous only by their absence.

I have always believed that in order to get inside the mentality, first we have to jettison the PT myth. Furthermore I am also of the opinion that a VA/PT report should be as simple and clear as it is concise  and should cut across all strata of audience not just the technically minded.

All these put together led me to put up what is the first draft of the Open Source Security Assessment Report (OSSAR v 0.5). This is something that will be updated as often as i can with new information. I will kindly request members to download it and give an objective opinion on the material. I am very much interested in what this community thinks. Comments (+ve or -ve), suggestions and modifications are welcomed.

This is a VA/PT report for a fictitious bank called eClipse Bank PLC carried out by another fictitious company Cynergi Solutions Inc. All names, URLs, IPs, etc are fictitious. Some of the vulnerabilities discussed have actually occurred for real but i have replaced all the pesky details.

It can  be downloaded here http://uploading.com/files/E5MHOS2U/ossar_v0.5.pdf.html

Thanks

I will take a closer look too when I have some more time. However, I can already say that such a project is much appreciated and welcomed.

Some time ago I searched for some sample reports but did not find many free resources. One I found is from Offensive Security which can be found here.
Another one which is OSSTMM (Open Source Security Testing Methodology Manual) also includes the things a report should contain and is also widely used in Europe. It can be read here.
Third one I would like to mention is the Penetration Testing Framework which can be found here and inlcudes also some interesting things.
Sometimes it may be that the report itself is not included in the above mentioned and others, but it is said what is to be expected - with this information it should be possible to create your own report.

Although I like to pick the "best" things out of each and use it for my own reports, clients often like to stick to one, e.g. the OSSTMM.

I am really looking forward to read you approach. Thanks for sharing.

An amended copy of ossar can be downloaded here.

http://www.digitalencode.net/ossar/ossar_v0.5.pdf

Thanks

Thanks for taking the time to share your sample report. Like you say (and rightly so in some cases) there are not many sample reports available freely on the web, but most companies if you approach them will give you a sample.

I have has a look through and I did think the content was good, as people come to expect from these reports. Personally I did think that there was the occasionaly use of images without justification. I know a picture speaks a thousand words, but perhaps some additional commentry to accompany the imaging would help.
Finally perhaps I missed it, but the results dont give any detail as to if you exploited the vulnerabilities, or if the rating is just adapted from the Vuln scanners you have used. I know many organisations dont like what I call a true pen test and dont want things to be exploited, but on some occasions you may come across couter controls that may actually reduce the rating of a found issue.

I am probably being to picky as I see alot of these reports, but good work and thanks again for sharing, I am sure it will help out some of the readers.

@ dalepearson

Thanks for the comments. Your observations are well noted. Some of the vulnerabilities were exploited especially as regards the web application and were given risk ratings accordingly and the false positives were duly tested and risk ratings lowered

@ don

Thanks.