Engagement outline


Project’s name

Start date: XX/XX/XXXX
Finish date: XX/XX/XXXX

Network information (attacking IP address, DNS servers used, etc.)
Day 1
$ ifconfig
[...]

$ cat /etc/resolv.conf
[...]

$ route -n
[...]

Info/Credentials - information received from the client, recorded here to avoid asking again
- Application1
  test/test123
  admin/password

- Application2
  [still waiting]

Todos
- double check for XSS in the login form in Application2
- weird behaviour in Application1 /showUser.jsp?id=1'
-

Issues - list of issues, with as much detail as possible:
• authenticated vs unauthenticated
• screenshot
• URL
• …

[ ] Login form over HTTP for Application1
    [...]
[ ] Cookies without Secure flag
[ ] SQL injection in Application2
    http://application2.client/index.do?id=1' union select 1,2,3,@@version
    screenshot -> application2_sqli_version.png
    pre-auth

The checkbox in front of each issue's title tracks the state of the issue:
• [ ]: new. The issue has not been communicated.
• [-]: communicated. The issue has been communicated to the client/project/…
• [X]: reported. The issue is in the report.
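
A pre-delivery check on these notes, as an added example that is not part of the original outline: it parses the checkbox states described above and lists issues that have not reached the report or have no recorded detail. It assumes each issue's details are indented under its title line; the function names and the sample notes are constructed for illustration.

```python
import re

# Checkbox markers from the notes convention above.
STATES = {" ": "new", "-": "communicated", "X": "reported"}
ISSUE_RE = re.compile(r"^\[([ \-X])\]\s+(.+?)\s*$")

# Constructed sample notes (layout assumption: details indented under the title).
SAMPLE_NOTES = """\
Issues
[X] Login form over HTTP for Application1
    screenshot -> application1_login_http.png
    pre-auth
[-] Cookies without Secure flag
[ ] SQL injection in Application2
    screenshot -> application2_sqli_version.png
    pre-auth

Todos
- double check for XSS in the login form in Application2
"""

def parse_issues(notes):
    """Return one dict per issue: state, title and its indented detail lines."""
    issues, current = [], None
    for line in notes.splitlines():
        match = ISSUE_RE.match(line)
        if match:
            current = {"state": STATES[match.group(1)],
                       "title": match.group(2), "details": []}
            issues.append(current)
        elif current is not None and line[:1] in (" ", "\t") and line.strip():
            current["details"].append(line.strip())
        elif line.strip():
            current = None  # unindented text (e.g. "Todos") ends the issue block
    return issues

def unreported(issues):
    """Titles still marked [ ] or [-], i.e. not yet in the report."""
    return [i["title"] for i in issues if i["state"] != "reported"]

def missing_evidence(issues):
    """Titles with no detail lines (no URL, screenshot or auth context noted)."""
    return [i["title"] for i in issues if not i["details"]]

if __name__ == "__main__":
    parsed = parse_issues(SAMPLE_NOTES)
    print("Not yet in the report:", unreported(parsed))
    print("No evidence recorded:", missing_evidence(parsed))
```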