Engagement Findings
Last updated
Last updated
During a security assessment we often discover vulnerabilities in web applications, network infrastructure, and Active Directory environments, generally called Findings. These issues need to be documented and later reported back to the client for remediation. The new Findings System in PenTest.WS aims to make this process of collection & documentation as easy as possible.
Example URL: https://pentest.ws/e/{engagement.id}/findings
Visiting the Findings tab in an Engagement brings up the Engagement Findings screen. Here you will see all of the previously identified vulnerabilities with their various details. The colors of the Findings are defined in your Findings Admin screen.
Auto ID is a time-saving feature that automatically sets the Finding's ID value based on a template you define for each Engagement. Use any format you need and include hash marks (#) where you want the system to sequentially number each finding.
In this example we have defined "ACME.##" as the Auto ID format. The Findings System then numbers the Findings:
ACME.01
ACME.02
ACME.03
The numbers are left padded with zeros based on the number of hash marks.
Auto ID values are automatically updated when you re-sort the Findings list.
Most things in PenTest.WS can be drag-and-dropped to sort the objects, including your Findings. Drag a Finding card up or down and the system will not only sort them as requested, but also re-number the Findings according to your Auto ID format.
Example URL: https://pentest.ws/e/{engagement.id}/findings/add
Click an entry in the Findings list to import the Finding into your current Engagement.
Before a Finding from your Findings Library is imported into the current engagement, you are presented with a Finding Preview window.
This allows you to review the details of the Findings Library entry and decide to Add To Engagement or not. This step is useful if you have multiple listings describing the same issue but each have slightly different information or circumstances.
Example URL: https://pentest.ws/e/{engagement.id}/findings/{findings.id}
Title: the main title of the Finding, such as "SQL Injection".
Environment: custom or pre-defined environment where the Finding was discovered
Category: the category of the Finding. In a web application assessment, this might map to the OWASP Top 10.
Risk Level: rate how critical this Finding typically is. This value can be adjusted when creating an Engagement Finding if required.
Enter details about the Finding's Common Vulnerability Scoring System (CVSS) score. More information about CVSS scoring is available here:
Assign values for each of DREAD categories:
Damage – how bad would an attack be?
Reproducibility – how easy is it to reproduce the attack?
Exploitability – how much work is it to launch the attack?
Affected users – how many people will be impacted?
Discoverability – how easy is it to discover the threat?
https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)
Provide some general background information about the vulnerability. This is not meant to include specific details about the client's environment, application, system, people, etc. Background should provide context for the client to better understand the nature of the vulnerability.
Brief Fields
The Description, Impact and Recommendation fields have Brief variants of their values. These are meant to be short descriptive versions of the full language field. For example, "Description - Brief" summarizes the Finding's "Description" in one or two sentences. These brief fields are useful for short executive summaries where the longer version is not needed.
Describe the vulnerability in detail. Consider including the following information:
What you saw
Where you saw it
When you saw it
How you discovered it
Variables, URLs or file paths relevant to the Finding
Another import detail to include in the Description is the authorization and/or authentication required to exploit this vulnerability as this can greatly affect the Impact and Risk Level of the vulnerability.
The Impact of a vulnerability is a description of the harm an attacker could inflict on a client when exploiting the vulnerability. This is often related to the confidentiality, integrity and availability of the client's assets, known as the CIA Triad.
Confidentiality - be sure to consider the type of data exposed in a loss of confidentiality. When Personally Identifiable Information (PII) is leaked, the Impact can be greatly increased.
Integrity - adjust the risk to integrity in accordance with the control an attacker would gain over a client's data. Can the attacker modify existing data or inject new records such as hidden admin accounts? What about removing event logs to hide the attack's evidence?
Availability - during a Denial of Service (DoS) attack, data and services may be slow or unreachable, but these attacks are typically temporary. The Impact might be greater if an attacker can delete data or completely crash a service that requires human intervention to recover.
Provide a list of recommended steps to remediate the vulnerability. Classic recommendations include validating user supplied data, implementing the Principle of Least Privilege and practicing Defense in Depth.
Increase the value of your recommendation by providing an effort level and time-frame the client can expect to fully patch a system or implement additional security controls.
Consider adding reference URLs to support the Background, Impact and Recommendations your are providing to your client. Try to limit your reference links to primary sources of information.
A single Finding may apply to single or multiple Targets. List the vulnerability end-points, systems or networks where your Finding applies.
Provide supporting evidence to your Finding. Common evidence includes screenshots and command logs. Timestamps are a great idea to help the client's investigation during a debrief.
Once the client has remediated the vulnerability outlined in your Finding, validation should be performed. It may be easiest for the original penetration tester to describe the steps needed to conduct this validation, and the Validation Steps is a convenient way to document these details at the time the Finding is discovered.
Many times the validation can occur weeks or months after the initial report, and sometimes conducted by a different penetration test, team or the client themselves. A few quick notes on how to validate the solution can save everyone a bit of time in the future.
The Remediation Log is meant to be an internal field for keeping track of the remediation status the client has reported. This data is not necessarily meant to be shared with the client. Date and time stamps, along with the name of the person updating the log, is good information to include for long running remediation processes.
Engagement Findings are available on Hobby Tier and Pro Tier.
When you click the button on the Engagement Findings screen you will be presented with the Add Engagement Findings utility. Search is available as a global search in the top right, or search specific columns using their header search fields.
If you do not have a Findings Library entry for your new Finding, click the button and fill out the vulnerability information.
