Descubra como escrever um relatório de pentest do zero

Introduction

This tutorial will guide you through the process of writing a penetration test report from scratch, as taught by Alan Lacerda from Desec Security. A well-structured report is crucial for communicating findings and recommendations to stakeholders after conducting a pentest. This guide will break down the key components and steps involved in creating an effective report.

Step 1: Understand the Purpose of the Report

Before you start writing, clarify the report's objectives:

• Identify the Audience: Determine who will read the report (e.g., technical team, management).
• Define Goals: Establish what you aim to achieve with the report (e.g., outline vulnerabilities, suggest fixes).
• Gather Background Information: Include context about the pentest, such as the scope and methodology.

Step 2: Outline the Report Structure

A well-organized report enhances readability. Here’s a standard structure:

1. Executive Summary

   • Provide a high-level overview of findings and recommendations.
   • Keep it concise and jargon-free for non-technical readers.

2. Introduction

   • State the purpose of the pentest.
   • Include details about the scope and objectives.

3. Methodology

   • Describe the testing methods used (e.g., automated tools, manual testing).
   • Explain the framework or standards followed (e.g., OWASP).

4. Findings

   • List vulnerabilities discovered, categorized by severity.
   • Include technical details such as affected systems or data.

5. Recommendations

   • Provide actionable remediation steps for each finding.
   • Prioritize recommendations based on risk.

6. Appendices

   • Attach additional information, such as raw data or logs.
   • Include any relevant charts or diagrams.

Step 3: Write the Executive Summary

The executive summary should encapsulate the most critical points of your findings:

• Summarize key vulnerabilities.
• Highlight the potential impact of these vulnerabilities.
• Present a brief overview of recommendations.

Step 4: Detail the Methodology

In this section, explain how the pentest was conducted:

• Specify the tools and techniques used.
• Mention any frameworks or standards adhered to.
• Discuss the testing environment (e.g., production, staging).

Step 5: Document Findings

Clearly articulate each vulnerability discovered during the test:

• Use a consistent format for each finding:
  • Title: Brief description of the vulnerability.
  • Description: Detailed explanation of the issue.
  • Impact: Potential consequences if not mitigated.
  • Evidence: Screenshots, logs, or code snippets as proof.

Example Format:

### Title: SQL Injection Vulnerability
- **Description**: The application is vulnerable to SQL injection due to improper input validation.
- **Impact**: An attacker could exploit this vulnerability to access sensitive data.
- **Evidence**: Screenshot of the exploit.

Step 6: Provide Clear Recommendations

For each finding, suggest concrete remediation steps:

• Use clear, actionable language.
• Prioritize based on the severity of the vulnerabilities.
• Include any relevant references or resources for further reading.

Step 7: Review and Edit the Report

Ensure the report is polished and professional:

• Check for clarity and coherence.
• Proofread for grammatical errors.
• Confirm that technical details are accurate and well-explained.

Conclusion

Writing a penetration test report requires careful planning and structuring. By following this step-by-step guide, you can create a comprehensive document that effectively communicates your findings and recommendations. Remember to tailor the report to your audience and ensure that it is both informative and actionable. As a next step, consider reviewing sample reports or templates to refine your writing style.