Page 179 - Hands-On Bug Hunting for Penetration Testers

Formatting Your Report                                                     Chapter 10

                   3.  When the comment submits successfully, you should be redirected back to the
                      thread page where you added it. You should see that the script has executed,
                      alert()-ing the origin of the page on which the vulnerability lives.

                     Using document.location.origin in the payload (rather than a fixed string such as
                     alert(1)) proves to the team receiving our submission that the XSS is executing on an
                     active, non-sandboxed production origin, where it can affect live user data. We've also
                     included a screenshot showing the actual execution of our vulnerability. It's great if
                     you want to include a screenshot for each individual step, since these can reveal
                     markup artifacts of interest to the app's developers, but the essential state to capture
                     is the execution of the vulnerability PoC.
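The following is an added example, not code from the book or from any target application, showing why the payload above survives in a forum that concatenates comment bodies straight into the thread page, and why the same payload is harmless once the body is HTML-escaped. The comment template, the author name and the rendering functions are all constructed here for illustration; the only real item is the PoC payload itself.

```javascript
// Added example (not from the book). A constructed forum "thread page" renderer,
// shown in its vulnerable form and its hardened form, fed the stored-XSS PoC
// from the walkthrough above.

// The PoC payload. Alerting document.location.origin instead of a fixed string
// tells the triager which origin actually executed the script.
const POC_PAYLOAD = '<script>alert(document.location.origin)</script>';

// Vulnerable rendering (hypothetical): the untrusted comment body is
// concatenated directly into the thread's HTML, so markup in it is live.
function renderCommentVulnerable(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Minimal HTML escaping for untrusted text placed in element content.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: same template, but both untrusted fields are escaped
// before insertion, so the payload is displayed as text rather than executed.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Quick check a tester can run on the captured thread-page response: did the
// payload come back byte-for-byte (script tag present and unescaped)?
function payloadReflectedIntact(html) {
  return html.includes(POC_PAYLOAD);
}

// Runs both renderers on the PoC and reports whether it survived each one.
function demo() {
  const vulnerableHtml = renderCommentVulnerable('tester', POC_PAYLOAD);
  const hardenedHtml = renderCommentSafe('tester', POC_PAYLOAD);
  return {
    vulnerable: payloadReflectedIntact(vulnerableHtml), // true: script tag intact
    hardened: payloadReflectedIntact(hardenedHtml),     // false: tag was escaped
  };
}

console.log(demo());
```

The `payloadReflectedIntact` check is deliberately strict: a page that returns the payload with `<` and `>` encoded has (at least for this injection point) neutralised it, and that distinction is exactly what your screenshot of the executed alert is there to settle.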



            Critical Information - What Your Report Needs

            Although the information in a report will vary with the vulnerability (you might stumble
            upon encoded-but-decodable sensitive material, in which case there is no payload to
            submit), there is a common set of fields you will always need:

                      The location (URL) of the vulnerability
                      The vulnerability type
                      When it was found
                      How it was found (automated/manual, tool)
                      How to reproduce it
                      How the bug can be exploited

            We've had examples of each of these fields throughout this book, but two in particular
            deserve greater attention. The location URL, the type, the time, the discovery method, and
            the other direct facts are straightforward to record. Ensuring that the bug can be reproduced
            from the report alone, and that the report includes a compelling attack scenario detailing
            what an attacker could do if the bug were left unpatched, is what will be critical both to
            getting the bug rewarded and to securing the highest possible payout.
            Beyond the essential fields, a comprehensive reproduction path, and a compelling attack
            scenario, there is also some extra data you can include, some of it vulnerability-specific and
            some of it optional-but-illuminating.




