Feedback on Pentest Report: Implement all lecturer's points

This is a retake and below is feedback from my lecturer, please implement all the points.  I suggested that you created a checklist of the submissive requirements. Had you done so, some of you would not have omitted to

• submit your work in PDF format,

• with a table of contents,

• word count,

• list/description of the software tools to be used,

• proper cross-referencing to a reference/bibliography,

• each document would have started on a new page,

• and there would have been no cross-referencing between the documents.

• Contemporaneous notes could have been included as an appendix.

• Some/many of you do not see note taking as important. This is an error that you will probably be required to correct in your future employment.

• No one reported what language the web application was written in. Without this knowledge, there is little point in attempting to upload malicious scripts!

• There were syntactical grammatical and typographical errors. These are not acceptable in a professional report.

• Technical documents such as these would normally be written in the third person

. • Very few reports included an introduction to the web application under test

• what kind of web application was it?

• how many pages?

• etc Executive Summary

• Many of you ignored the comment that the ES was to be written for a busy and technically illiterate CEO. You will need to be able to empathise with your target reader.

• Many summaries wrote about hashing, MD5, OWASP Top 10, SQLi and XSS, etc. Although these are valid comments, this is the wrong document for them.

• The ES needs to be a succinct summary of the possible impact to the business and should include estimates of costings (time/money) for remediation work. • Infographics would have been useful to help get the message across in an easily digestible format. Always remember your target audience and adjust your writing style accordingly. Scoping Document

• The SD is NOT a questionnaire, but contains a set of clauses based upon the answers to questions asked in interviews with the client and/or on forms completed by the clients.

• It is a legal contract between the pentesters and the owner of the system to be tested. It requires signing, full contact details and a payments schedule.

• Many of you appeared to be offering to conduct a pentest for free!

• This was a black box test. You were not supplied with the IP address of the VM, or the name of the webapp. Where these appeared in the SD, it implies that the VM was accessed before the contract was signed. Technically, this is breaking scope, and if you do this in future, you could face prosecution.

• Very few of you included the disassociation clause: “Just because the test has not found vulnerabilities does not mean they are not there to be found, and the pentesters take no responsibility for any vulnerabilities that come to light and are exploited after the test is complete.”

• Very few of you made reference to an NDA Methodology

• Many reports briefly discussed a methodology, then seemed to completely ignore it for the actual test.

• Correct usage of a methodology (even if you create your own) will help to avoid mistakes and omissions in tests. Scans

• Zenmap, ZAP and Burpsuite scans were reported in many submissions. However several reports appeared to know where to go for vulnerabilities without taking the trouble to scan the application first.

• ZAP/Burpsuite profiles were not apparent in many reports.

• Very few reports included any attempt to review the HTML source code, or to draw a site-map giving the relationships between the pages, and where vulnerabilities might be found.

• Very few reports noted that the web application was actually an e-commerce site. Robots.txt file

• Most of you accessed the robots.txt file and acted upon the information found there. However, some of you ignored it, and others accessed it far too late in the process.

Finally Many/all of these comments were made in the lectures. However, as I saw very few of you taking notes, and very few people watched the Replay videos, it is perhaps not so surprising that many of you didn't follow the suggestions (thereby losing marks).