Course title: Web Application Penetration Test Reporting

Penetration Testing deliverables include a final report showing services provided, methodology, findings, and recommendations to remediate or correct issues discovered during the test. This course will show you how to use tools in Kali to help with reporting and to learn about methodologies. A penetration testing methodology is required to conduct the pen test in a consistent and standardized way for repeatable results.

One of the main questions a client will ask a pentester is what methodology is used for testing their assets. It is important to learn this to help clients understand how testing is conducted and to provide them with a deliverable that supports the findings. It is important to understand the basics of reporting prior to starting a pentest because findings need to be conveyed to a client in a way they can understand and then correct the issues.

By the end of the course, students will have materials that can be used on pen testing engagements. This includes a report template, reading materials for reference, and an understanding of various methodologies and ways to fit a methodology to a client’s requirement for a pentest.

What will you learn about?
Learn how to use tools like Faraday, Dradis or Magic Tree to take results from vulnerability scanners, such as Zap and Burp to create a final report.

What skills will you gain?
Students will understand what documents need to be exchanged between clients and testers.
Students will be able to deliver a professional penetration test report.
Learn to use reporting tools, such as Faraday and Dradis, for issues discovered during testing.
Skills gained include:
The ability to distinguish between vulnerability assessment, compliance reporting and pentest reporting.
Understand the typical documents provided between clients and testers, such as NDAs.
Learn a reporting format, use a reporting template, and understand how to choose the best pentest methodology for the client.
After taking the course, students will be able to communicate about how they test a client’s assets, what deliverables are expected between the client and tester, and will be able to describe the testing methodology and what is included in a final report.

What tools will you use?
OWASP ZAP, Burp, Kali Linux, Dradis, Magic Tree, and Nmap.

What will you need?
Laptop or desktop. For the operating system, use Kali Linux as a virtual machine, or installed on the HDD, SD card, or USB flash drive. It’s preferred to use a recent Kali Linux distro (2018.4). We will use free tools included in the Kali Linux distribution. We will need MS Word or another free documentation tool, such as LibreOffice or OpenOffice to make a report.

What should you know before you join?
You should already know how to install and configure Kali. Have familiarity with setup and configuration of Burp and Zap and have a basic understanding of penetration testing.

Define the different report types (vulnerability, compliance and pentesting reporting) and explain best practices in reporting. Define methodologies. APA guidelines and format for reporting.

These materials will help put your expertise in a written format so that people without the same knowledge can understand what you are trying to communicate. The goal is to use effective communication to help organizations grow and to keep them safe from unwanted intrusions.

Reading materials:
https://www.owasp.org/index.php/Penetration_testing_methodologies
https://faculty.washington.edu/heagerty/Courses/b572/public/StrunkWhite.pdf

Resources:
https://www.paperrater.com
https://owl.purdue.edu/owl/purdue_owl.html
https://github.com/enaqx/awesome-pentest
https://www.owasp.org/images/1/19/OTGv4.pdf
https://csrc.nist.gov/publications/detail/sp/800-115/final
http://www.pentest-standard.org/index.php/Main_Page
https://github.com/juliocesarfort/public-pentesting-reports
https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf

Module 1: Methodologies and Best Practices
This module defines a methodology and introduces the foundation of reporting including best practices. A primary question asked by a client is what methodology will be used during the pentest.

Methodologies define rules and practices that the tester implements during the course of the test. The methodology is a roadmap that helps the tester assess the security posture of the web application.
Customize a methodology from one of the industry-accepted standards.
Overview of OWASP Testing Guide, PCI Pentest Guide, Penetration Testing Execution Standard and NIST 800-115.
Introduction to the typical documents exchanged between clients and testers

Module 1 Exercises:
Students will pick a methodology based upon the testing scenario
Evaluate relevant standards
Pick a methodology
Create the report outline
The initial module provides information about the various standards and helps a student pick a methodology to use in testing.
The proof will be in an initial outline, and a brief paragraph that describes what was important for picking the standard for the test.
The paper will be checked for complete sections of the outline, grammar, and spelling, along with use of a methodology discussed in class.

Module 1 workload: 4,5 hours

Module 2: Introduction of tools
This module introduces the tools used to create reports. Learn about Dradis, Faraday and other reporting tools that are part of Kali. Start the process of adding the other tool results (Burp, Nmap, etc.) to the report. Have a methodology in place to help with writing.
Use and configuration of tools for generating a report.
Integration of the methodology into a suitable report format.
Use of a template for report format in either Word or a free reporting tool.

Module 2 exercises:
Students scan a host from a vulnerable app
Requires configuration of tools, and launching a scan
Scan data is used to populate vulnerabilities in the report
The next phase of the outline will be provided for review
The report will be checked to ensure it conforms with the methodology and contains test data in the form of vulnerabilities
Grammar, spelling and formatting will be checked to ensure they are consistent across the report

Module 2 workload: 4,5 hours

Module 3: Pentesting vs. Vulnerability Scanning
Learn how to break down testing into phases to aid in documentation.
Understand the differences between pentesting and vulnerability scanning.
Documentation and results verification will be described in this module.
Test phases.
Differences between pentesting and vulnerability scanning.
Learn results verification. Learn how to document findings.

Module 3 exercises:
Students will document additional findings and write up a conclusion
Findings will be checked to ensure they are accurate (verification)
Short quiz to test validation skills

Module 3 workload: 4,5 hours

Module 4: Report Types and Final Reporting
This module will go over how to combine tool results into a systematic and structured report.
We will learn about Executive, Managerial and Technical Reporting. The final report will be compiled and generated by the end of this module.
Executive Reporting
Managerial Reporting
Technical Reporting
Final Report
Risk Matrix, Vulnerability and Exploit Mapping, Testing Methodology and how to use them in reporting

Module 4 exercises:
Students will have the opportunity to provide the final report based up earlier modules.
The executive, managerial and technical reporting aspects will be rolled up into the front matter of the final report. This will give students an opportunity to understand the various styles of writing used for various client needs.

Module 4 workload: 4,5 hours

Final Exam:
Thirty question exam on the theoretical aspects of report writing for penetration testing

Penetration Testing deliverables include a final report showing services provided, methodology, findings, and recommendations to remediate or correct issues discovered during the test. This course will show you how to use tools in Kali to help with reporting and to learn about methodologies. A penetration testing methodology is required to conduct the pen test in a consistent and standardized way for repeatable results.

One of the main questions a client will ask a pentester is what methodology is used for testing their assets. It is important to learn this to help clients understand how testing is conducted and to provide them with a deliverable that supports the findings. It is important to understand the basics of reporting prior to starting a pentest because findings need to be conveyed to a client in a way they can understand and then correct the issues.

By the end of the course, you will have materials that can be used on pen testing engagements. This includes a report template, reading materials for reference, and an understanding of various methodologies and ways to fit a methodology to a client’s requirement for a pentest.


Course benefits:

What skills will you gain?

  • You will understand what documents need to be exchanged between clients and testers.
  • You will be able to deliver a professional penetration test report.
  • Learn to use reporting tools, such as Faraday and Dradis, for issues discovered during testing.
  • Skills gained include:
    • The ability to distinguish between vulnerability assessment, compliance reporting and pentest reporting.
    • Understand the typical documents provided between clients and testers, such as NDAs.
    • Learn a reporting format, use a reporting template, and understand how to choose the best pentest methodology for the client.
  • After taking the course, you will be able to communicate about how you test a client’s assets, will know what deliverables are expected between the client and tester, and will be able to describe the testing methodology and what is included in a final report.

What will you learn about?

Learn how to use tools like Faraday, Dradis or Magic Tree to take results from vulnerability scanners, such as Zap and Burp to create a final report.

What tools will you use?

OWASP ZAP, Burp, Kali Linux, Dradis, Magic Tree, and Nmap.


Course general information: 

DURATION: 18 hours

CPE POINTS: On completion you get a certificate granting you 18 CPE points. 

COURSE LAUNCH: September 19th 2019

Course format: 

  • Self-paced
  • Pre-recorded
  • Accessible even after you finish the course
  • No preset deadlines
  • Materials are video, labs, and text
  • All videos captioned

What will you need?

Laptop or desktop. For the operating system, use Kali Linux as a virtual machine, or installed on the HDD, SD card, or USB flash drive. It’s preferred to use a recent Kali Linux distro (2018.4). We will use free tools included in the Kali Linux distribution. We will need MS Word or another free documentation tool, such as LibreOffice or OpenOffice to make a report.

What should you know before you join?

  • You should already know how to install and configure Kali.
  • Have familiarity with setup and configuration of Burp and Zap and have a basic understanding of penetration testing.
  • Define the different report types (vulnerability, compliance and pentesting reporting) and explain best practices in reporting. Define methodologies. APA guidelines and format for reporting.

These materials will help put your expertise in a written format so that people without the same knowledge can understand what you are trying to communicate. The goal is to use effective communication to help organizations grow and to keep them safe from unwanted intrusions.


Get the intro:

In Module 0 for the course you can build the solid foundation needed to really master report writing. During the lecture you will learn: 

  • What kind of tasks or contracts you can encounter while working in security that will require a formal report? 
  • What methodologies are there when it comes to reporting? How to choose the best one? 
  • What's the difference between standards, best practices, and methodologies? 
  • How should you structure your report writing process?
  • How to best format your report? 
  • What parts should your report contain? 
  • What are the most common mistakes when writing a report? 

Remember, that's just the introduction, more awaits in the course! 


Your instructor: Chrissa Constantine

Chrissa is a web application pentester and has a Master of Science in Information Security, CISSP and CE|H certifications. She held positions as a consultant at Apple and for a Silicon Valley start-up as a penetration tester. Chrissa enjoys hacking competitions, meeting new people, and learning new things.

 

 

 

 

 


Course Syllabus


Module 1: Methodologies and Best Practices

This module defines a methodology and introduces the foundation of reporting including best practices. A primary question asked by a client is what methodology will be used during the pentest.

Methodologies define rules and practices that the tester implements during the course of the test. The methodology is a roadmap that helps the tester assess the security posture of the web application.

After this module, you'll be able to:

  • Customize a methodology from one of the industry-accepted standards.
  • Overview of OWASP Testing Guide, PCI Pentest Guide, Penetration Testing Execution Standard and NIST 800-115.
  • Introduction to the typical documents exchanged between clients and testers

Module 1 Exercises:

  • You will pick a methodology based upon the testing scenario
    • Evaluate relevant standards
    • Pick a methodology
    • Create the report outline
  • The initial module provides information about the various standards and helps a student pick a methodology to use in testing.
  • The paper will be checked for complete sections of the outline, grammar, and spelling, along with use of a methodology discussed in class.

Workload: 4 hours 30 minutes


Module 2: Introduction of tools

This module introduces the tools used to create reports. Learn about Dradis, Faraday and other reporting tools that are part of Kali. Start the process of adding the other tool results (Burp, Nmap, etc.) to the report. Have a methodology in place to help with writing.

After this module, you'll be able to:

  • Use and configuration of tools for generating a report.
  • Integrate the methodology into a suitable report format.
  • Use of a template for report format in either Word or a free reporting tool.

Module 2 exercises:

  • Students scan a host from a vulnerable app
    • Requires configuration of tools, and launching a scan
  • Scan data is used to populate vulnerabilities in the report
  • The next phase of the outline will be provided for review
  • The report will be checked to ensure it conforms with the methodology and contains test data in the form of vulnerabilities
  • Grammar, spelling and formatting will be checked to ensure they are consistent across the report

Workload: 4 hours 30 minutes


Module 3: Pentesting vs. Vulnerability Scanning

Learn how to break down testing into phases to aid in documentation.

After this module, you'll be able to:

  • Understand the differences between pentesting and vulnerability scanning.
  • Document and verify results
  • Differentiate between pentesting and vulnerability scanning.
  • Learn results verification. Learn how to document findings.

Module 3 exercises:

  • You will document additional findings and write up a conclusion
  • Findings will be checked to ensure they are accurate (verification)
  • Short quiz to test validation skills

Workload: 4 hours 30 minutes


Module 4: Report Types and Final Reporting

This module will go over how to combine tool results into a systematic and structured report.

We will learn about Executive, Managerial and Technical Reporting. The final report will be compiled and generated by the end of this module.

After this module, you'll be skilled in:

  • Executive Reporting
  • Managerial Reporting
  • Technical Reporting
  • Final Report
  • Risk Matrix, Vulnerability and Exploit Mapping, Testing Methodology and how to use them in reporting

Module 4 exercises:

  • You will have the opportunity to provide the final report based up earlier modules.
  • The executive, managerial and technical reporting aspects will be rolled up into the front matter of the final report. This will give students an opportunity to understand the various styles of writing used for various client needs.

Workload: 4 hours 30 minutes


Final Exam:

  • Thirty question exam on the theoretical aspects of report writing for penetration testing

QUESTIONS? 

If you have any questions,  please contact our eLearning Manager Marta at [email protected]

Course Reviews

N.A

ratings
  • 5 stars0
  • 4 stars0
  • 3 stars0
  • 2 stars0
  • 1 stars0

No Reviews found for this course.

TAKE THIS COURSECOURSE STARTS IN 3 days
  • $249.00 $219.00
  • UNLIMITED ACCESS
  • Course Certificate
151 STUDENTS ENROLLED

Who’s Online

There are no users currently online

Certificate Code

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013