Day 7: Reporting, Fix Suggestions & Vulnerability Disclosure

Responsible Hacking: Write a Pentest Report Like a Pro

Effective reporting and responsible vulnerability disclosure are critical components of ethical hacking, ensuring that identified vulnerabilities are communicated clearly to stakeholders and mitigated responsibly. Parrot OS, a Debian-based Linux distribution optimized for cybersecurity, provides tools to streamline the reporting process. On Day 7 of this 7-day web application hacking series, we focus on crafting professional penetration testing reports, scoring vulnerabilities using the Common Vulnerability Scoring System (CVSS), writing clear Proofs of Concept (PoCs), using reporting tools like Markdown, CherryTree, and Dradis, and responsibly disclosing vulnerabilities through platforms like HackerOne and Bugcrowd. All examples use example.com as the illustrative target, but testing and reporting must be conducted on your local lab (e.g., DVWA or OWASP Juice Shop from Day 1) to ensure ethical practices. Both graphical user interface (GUI) and command-line interface (CLI) methods are included, with additional coverage of LaTeX for professional reports to provide comprehensive guidance. By mastering these techniques, you will be equipped to document and disclose vulnerabilities professionally and ethically.

Verifying the Test Lab

Ensure your test lab from Day 1 (DVWA and OWASP Juice Shop) is operational to practice generating PoCs and reports.

1. Check LAMP Stack:

   sudo systemctl status apache2
   sudo systemctl status mysql

   Verify that Apache and MySQL are running.
2. Access DVWA: Navigate to http://localhost/dvwa, log in with admin/password, and set the security level to “Low” for easier testing.
3. Access Juice Shop: Navigate to http://localhost:3000 to confirm OWASP Juice Shop is running.
4. Verify Proxy Setup: Ensure Burp Suite or OWASP ZAP (from Day 3) is configured with Firefox for request interception.

Ethical Note: All examples use example.com for illustrative purposes. Only test and report on systems you own or have explicit permission to assess, such as your local lab. Unauthorized testing or disclosure of vulnerabilities in live systems like example.com is illegal and unethical.

Outcome: Your test lab is ready for generating PoCs and reports.

Formatting CVSS Scoring

The Common Vulnerability Scoring System (CVSS) v3.1 provides a standardized method to assess the severity of vulnerabilities. It produces a score from 0.0 to 10.0 based on metrics like attack vector, complexity, and impact.

CVSS v3.1 Metrics

• Base Score:
  • Attack Vector (AV): Network (N), Adjacent (A), Local (L), Physical (P).
  • Attack Complexity (AC): Low (L), High (H).
  • Privileges Required (PR): None (N), Low (L), High (H).
  • User Interaction (UI): None (N), Required (R).
  • Scope (S): Unchanged (U), Changed (C).
  • Confidentiality (C): None (N), Low (L), High (H).
  • Integrity (I): None (N), Low (L), High (H).
  • Availability (A): None (N), Low (L), High (H).
• Temporal Score: Considers exploitability, remediation level, and report confidence.
• Environmental Score: Accounts for organizational impact and mitigations.

Calculating CVSS Scores

Use the FIRST CVSS v3.1 Calculator (https://www.first.org/cvss/calculator/3.1) or tools like cvss_suite in Parrot OS.

• Install cvss_suite:

  pip3 install cvss

• Python Script for CVSS:

  from cvss import CVSS3
  vector = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
  c = CVSS3(vector)
  print(c.scores())

  Outputs the base, temporal, and environmental scores for a SQL Injection vulnerability.
• Example: SQL Injection on example.com:
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Score: 7.5 (High)
  • Explanation: Network-based (AV:N), low complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), high confidentiality impact (C:H).
• Example: Stored XSS on example.com:
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • Score: 5.4 (Medium)
  • Explanation: Network-based, low complexity, low privileges, requires user interaction, changed scope, low confidentiality and integrity impact.

Outcome: You can assess and score vulnerabilities using CVSS v3.1.

Writing Clear Proofs of Concept (PoCs)

A Proof of Concept (PoC) demonstrates the exploitability of a vulnerability with clear, reproducible steps.

PoC Structure

• Vulnerability Description: Name, type, and impact (e.g., SQL Injection, data leakage).
• Steps to Reproduce: Detailed instructions to replicate the issue.
• Evidence: Screenshots, logs, or request/response data.
• Impact: Potential consequences (e.g., unauthorized access).
• Fix Suggestions: Remediation steps (e.g., input sanitization).

Example PoC: SQL Injection (Day 4)

# SQL Injection Vulnerability in example.com

**Description**: A SQL injection vulnerability in the `id` parameter of `http://example.com/view.php` allows unauthorized access to database contents.

**Steps to Reproduce**:
1. Navigate to `http://example.com/view.php?id=1`.
2. Append `' OR '1'='1 --` to the `id` parameter: `http://example.com/view.php?id=1' OR '1'='1 --`.
3. Submit the request and observe the response displaying all database records.

**Evidence**:
- Request: `GET /view.php?id=1' OR '1'='1 -- HTTP/1.1`
- Response: Displays all user records, e.g., `user1:password1, user2:password2`.

**Impact**: Attackers can extract sensitive data, such as usernames and passwords, leading to unauthorized access.

**Fix Suggestions**:
- Use prepared statements with parameterized queries.
- Implement input validation and sanitization.
- Deploy a Web Application Firewall (WAF) to detect SQL injection attempts.

**CVSS Score**: 7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
        

Example PoC: Stored XSS (Day 5)

# Stored XSS Vulnerability in example.com

**Description**: A stored XSS vulnerability in the comment form of `http://example.com/comments.php` allows execution of malicious JavaScript.

**Steps to Reproduce**:
1. Navigate to `http://example.com/comments.php`.
2. Submit the payload `` in the comment field.
3. Reload the page to observe the alert execution.

**Evidence**:
- Request: `POST /comments.php HTTP/1.1` with `comment=`
- Response: Alert box appears on page reload.

**Impact**: Attackers can steal user cookies, redirect users, or deface the website.

**Fix Suggestions**:
- Sanitize and escape user input using libraries like OWASP ESAPI.
- Implement Content Security Policy (CSP) headers.
- Validate input to reject script tags.

**CVSS Score**: 5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
        

Testing PoCs in DVWA

• GUI (Burp Suite/ZAP):
  • Intercept a request to DVWA’s SQL Injection module (http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit).
  • Inject id=1' OR '1'='1 -- and capture the request/response for the PoC.
  • For XSS, inject in the XSS Stored module and take a screenshot of the alert.
• CLI Testing:

  curl -b "security=low; PHPSESSID=your_session_id" "http://localhost/dvwa/vulnerabilities/sqli/?id=1' OR '1'='1 --&Submit=Submit" > sql_injection_poc.txt

  Captures the response for documentation.

Outcome: You can write clear and reproducible PoCs for vulnerabilities.

Reporting Tools: Markdown, CherryTree, and Dradis

Parrot OS includes tools to streamline vulnerability reporting.

Markdown

Markdown is a lightweight markup language ideal for structured reports.

• Create a Markdown Report:

  # Penetration Test Report: example.com
  
  ## Executive Summary
  Conducted a penetration test on `example.com` from July 1-7, 2025, identifying critical vulnerabilities including SQL Injection and XSS.
  
  ## Findings
  
  ### 1. SQL Injection
  - **Severity**: High (CVSS: 7.5)
  - **Description**: Vulnerable `id` parameter in `view.php`.
  - **PoC**: See above SQL Injection PoC.
  - **Fix**: Use prepared statements, input validation.
  
  ### 2. Stored XSS
  - **Severity**: Medium (CVSS: 5.4)
  - **Description**: Comment form allows script injection.
  - **PoC**: See above XSS PoC.
  - **Fix**: Sanitize input, implement CSP.
  
  ## Conclusion
  Immediate remediation is recommended to secure `example.com`.
  
  ## Appendix
  - Tools Used: sqlmap, XSStrike, Burp Suite, OWASP ZAP
                  

• Convert to HTML/PDF:

  pandoc report.md -o report.html

  pandoc report.md -o report.pdf --pdf-engine=pdflatex

CherryTree

CherryTree is a GUI-based hierarchical note-taking tool for organizing pentest findings.

• Launch CherryTree:

  cherrytree

• Create a Report:
  • Create a new node for “Penetration Test: example.com”.
  • Add sub-nodes for “Executive Summary,” “Findings,” and “Recommendations.”
  • Insert PoCs and screenshots (drag-and-drop or paste).
  • Export to PDF or HTML via “File > Export”.

Dradis

Dradis is a professional reporting framework for collaborative pentesting.

• Launch Dradis:

  dradis

  Access at http://localhost:3000.
• Create a Project:
  • Log in with default credentials (check Dradis documentation).
  • Create a new project and add nodes for vulnerabilities.
  • Import scan results (e.g., sqlmap output) via “Add > Import”.
  • Generate a report using templates (e.g., Word, HTML).

Outcome: You can use Markdown, CherryTree, and Dradis to create professional pentest reports.

Responsible Vulnerability Disclosure

Responsible disclosure involves reporting vulnerabilities to the affected organization or through bug bounty platforms like HackerOne or Bugcrowd, ensuring ethical handling.

Disclosure Process

• Identify the Disclosure Policy:
  • Check http://example.com/.well-known/security.txt or the organization’s website for a vulnerability disclosure policy.
  • If none exists, contact the organization via email (e.g., security@example.com).
• Submit via Bug Bounty Platforms:
  • HackerOne: Create an account at https://hackerone.com, find the program for example.com, and submit a report with your PoC.
  • Bugcrowd: Register at https://bugcrowd.com, join the program, and submit a detailed report.
• Direct Disclosure:
  • Draft an email to security@example.com with the PoC, impact, and fix suggestions.
  • Request a disclosure timeline (e.g., 90 days).
• Follow Up: Monitor responses and adhere to agreed disclosure timelines.

Sample Disclosure Email

Subject: Vulnerability Report for example.com

Dear Security Team,

I identified a SQL Injection vulnerability in `http://example.com/view.php?id=1` during authorized testing.

**Details**:
- **Vulnerability**: SQL Injection
- **Steps to Reproduce**: Append `' OR '1'='1 --` to the URL.
- **Impact**: Unauthorized access to database contents.
- **CVSS Score**: 7.5 (High)
- **Fix Suggestions**: Use prepared statements, input validation.

Please confirm receipt and provide a disclosure timeline. I am happy to assist with validation.

Best regards,
[Your Name]
        

Testing Disclosure in a Lab

• Simulate Disclosure: Draft a report for a DVWA vulnerability (e.g., XSS) and email it to yourself or a lab partner.
• Use Bug Bounty Platforms: Practice submitting a report to a test program on HackerOne or Bugcrowd’s “Vulnerability Lab” if available.

Outcome: You understand the process of responsible vulnerability disclosure.

Advanced Reporting with LaTeX

LaTeX produces professional PDF reports with precise formatting.

• Install LaTeX:

  sudo apt install texlive-full

• Sample LaTeX Report:

  
  \documentclass{article}
  \usepackage{geometry}
  \geometry{a4paper, margin=1in}
  \usepackage{parskip}
  \usepackage{hyperref}
  \usepackage{noto}
  
  \begin{document}
  
  \title{Penetration Test Report: example.com}
  \author{[Your Name]}
  \date{July 7, 2025}
  \maketitle
  
  \section{Executive Summary}
  A penetration test was conducted on \texttt{example.com} from July 1--7, 2025, identifying critical vulnerabilities.
  
  \section{Findings}
  
  \subsection{SQL Injection}
  \textbf{Severity}: High (CVSS: 7.5) \\
  \textbf{Description}: Vulnerable \texttt{id} parameter in \texttt{view.php}. \\
  \textbf{PoC}: \texttt{http://example.com/view.php?id=1' OR '1'='1 --} \\
  \textbf{Fix}: Use prepared statements.
  
  \subsection{Stored XSS}
  \textbf{Severity}: Medium (CVSS: 5.4) \\
  \textbf{Description}: Comment form allows script injection. \\
  \textbf{PoC}: \texttt{} \\
  \textbf{Fix}: Sanitize input, implement CSP.
  
  \section{Recommendations}
  Immediate remediation is advised to secure \texttt{example.com}.
  
  \end{document}
                  

• Compile LaTeX:

  latexmk -pdf report.tex

  Generates report.pdf.

Outcome: You can produce professional reports using LaTeX.

Practical Exercise

1. Verify your DVWA and OWASP Juice Shop lab setup.
2. Calculate CVSS scores for SQL Injection and XSS vulnerabilities in DVWA.
3. Write PoCs for SQL Injection and XSS, including evidence from Burp Suite/ZAP.
4. Create a Markdown report, organize findings in CherryTree, and set up a Dradis project.
5. Draft a disclosure email for a DVWA vulnerability and simulate submission to a bug bounty platform.
6. Generate a LaTeX report and compile it to PDF.

Conclusion

Day 7 of this 7-day web application hacking series has equipped you with the skills to document and disclose vulnerabilities professionally using Parrot OS. By mastering CVSS scoring, writing clear PoCs, using reporting tools like Markdown, CherryTree, Dradis, and LaTeX, and responsibly disclosing vulnerabilities through platforms like HackerOne and Bugcrowd, you can communicate findings effectively and ethically. These skills complete the penetration testing lifecycle, ensuring vulnerabilities are mitigated responsibly. Continue practicing in your lab and engage with the cybersecurity community to refine your expertise.

Next Steps:

• Participate in bug bounty programs to apply your skills ethically.
• Explore advanced reporting tools like OpenVAS or Nessus for automated reporting.
• Engage with cybersecurity communities on platforms like X to share insights and stay updated on best practices.