` element - Client information, in the `<client>` element - Targets listing, in the `<targets>` element - (Optionally) Pentest-related information, in the `<activityinfo>` element - People who worked on the pentest and/or report, in the `<collaborators>` element - Document classification, in the `<classification>` element - The document's version history, in the `<version_history>` element - Your company contact information, in the `<company>` element For more details, see the sections below. ### The document title In the `<title>` element, put the document title (in text). This is something like 'Penetration Test Report', 'Security Audit Report', whatever fits the bill. Example: `<title>`Penetration Test Report`

` elements - A variable number of appendices (extra content), in one or more `` elements Additionally, the `` element has two attributes: - `findingCode`, which is a three-letter prefix for the finding numbers, derived from the client name (e.g. 'SID' for Sitting Duck BV, 'BIC' for Big International Company Ltd, etc.). When this is not filled in you will see three question marks '???' in the finding ID columns in the Table of Contents and detailed finding sections. - `findingNumberingBase`, which can be set to 'Report' or 'Section' - this configures whether the numbering of findings in the report is report-based (i.e. starting with XXX-001 and continuing upwards) or section-based (i.e. findings in section 3 are numbered XXX-301 and up, findings in section 5 are numbered XXX-501 and up). Use 'Report' for smaller pentest reports and 'Section' for large ones. Document information / metadata ------------------------------- This is the part where we put all information that is *about the report* rather than about the pentest itself (hence the term metadata): who has been working on it, what is the document title, what versions has it gone through, etc. In XML, this part is indicated by the `` element. It contains the following elements (mandatory and in the listed order): TODO - The document title, in the `` element - Client information, in the `<client>` element - Targets listing, in the `<targets>` element - (Optionally) Pentest-related information, in the `<activityinfo>` element - People who worked on the pentest and/or report, in the `<collaborators>` element - Document classification, in the `<classification>` element - The document's version history, in the `<version_history>` element - Your company contact information, in the `<company>` element For more details, see the sections below. ### The document title In the `<title>` element, put the document title (in text). This is something like 'Penetration Test Report', 'Security Audit Report', whatever fits the bill. Example: `<title>`Penetration Test Report`` ### Client information The `` element contains two other elements: - ``, in which you should type the client's official name, e.g. 'Sitting Duck BV', or 'Big International Company Ltd' - ``, in which you should type the client's shorter name, e.g. 'Sitting Duck' or 'Big International' (or, if there is no shorter name, just type the long name again) Example: Sitting Duck B.V. Sitting Duck ### Targets The `` element contains one or more `` elements, one for each target specified for the pentest. Put every target of the pentest in its own `` element. If there is only one target, you'll end up with a `` element containing only one `` element. This is ok. Example: fishinabarrel.sittingduck.com hackthis.sittingduck.com Sitting Duck's support staff ### Pentest Info The `` element contains some data about the pentest itself. This element is optional, but may be useful as you can refer to its content using placeholders, allowing e.g. for standard referrals to the tested application name, pentest type or pentest duration. Example: 10 January 1st until January 12th, 2015 January 15th until January 20th, 2015 January 23rd, 2015 time-boxed black-box FishInABarrel H4ckers 'R' Us ### Collaborators The `` element contains three other elements, mandatory and in the listed order: - ``, containing one or more `` elements (same system as ``; put the name of each reviewer in its own `` element.) - ``, containing only text. Here you put the name of the person who has approved the document for distribution to the client (usually this is Melanie) - ``, containing one or more `` elements (*not* the same system as targets, see the section on pentesters for more details) Example: Patricia Piolon Melanie Rieback ... ### Pentesters As said, the `` element contains one or more `` elements. The `` element contains two other elements: - ``, containing the pentester's name (in text) - ``, containing a paragraph about the pentester's l33tness :) - For many pentesters, you can get this bio from a previous pentest. If we're working with a new guy or girl, ask them for some info about themselves. The names of the pentesters will appear on the document info page and their names and bios will be listed automatically in a table wherever you insert the `` element. Example: ... Melanie Rieback Melanie Rieback is a former Asst. Prof. of Computer Science from the VU, who is also the co-founder/CEO of Radically Open Security. William of Ockham English Franciscan friar and scholastic philosopher and theologian. Considered to be one of the major figures of medieval thought. At the centre of some major intellectual and political controversies. ### Document Classification The `` element contains information on the confidentiality level of the report. Usually this will be 'Confidential'. The classification will appear in the header of each page. Example: Confidential ### Version History The `` element contains one or more `` elements, one for each version of the document you create. Whenever you start a new version, add a `` element to the list. The `` element should contain the following: - a `date` attribute with a date of your version as a value, in the format YYYY-MM-DDT00:00:00, e.g. 2015-04-18T00:00:00 - a `number` attribute with the version number as a value. This value can either be 'auto' or an actual version number, e.g. 1.0. If you use the 'auto' value, the system will automatically count it (starting with 0.1 for the first `` element and going up from there: 0.2, 0.3, etc...). - One or more `` elements, each containing the name of the person who worked on this version (that would be you at least, and perhaps a pentester or colleague who did significant work on it) - A `` element with a (very short!) description of what has been done in this version, e.g. 'Added non-findings' or 'Revision' Example: Bob Goudriaan Initial draft Bob Goudriaan Patricia Piolon Revision ### Contact information This is the contact information in a basic XML format. It never changes, so it has been isolated in its own little xml file, which is referred to from the main document with an `` element: `` If you need to edit the contact information, edit that file. But it's extremely likely that you won't need to. The index --------- The document index is generated at the location of the element ``. To make sure the index works (meaning that a reference page number is listed for each section), you will need to give a unique `id` attribute to all elements (sections, appendices, findings and non-findings) that need to be listed in the index. Insert the `` element immediately after the `` element. Sections -------- The main bulk of the pentest report is made up of normal content. We divide our content into sections using the `

` element. ### `id` Make sure that every `

` element, no matter where in the structure it is located, gets a unique id attribute. By 'unique' we mean that no other element in the report should have the same value for its id attribute. This is enforced by the schema, so you will get an error message if you have duplicate ids in your report. The exact value of the id attribute doesn't really matter, it can be anything, but it is good practice to pick an id that has some kind of relation to the section subject. For example, if your section is titled 'Technical Summary', a good id value for this `

` element would be 'technicalsummary'. You can use dots (.), dashes (-), underscores (\_) and numbers and letters in the id. You cannot use spaces. Example:

...

### Section title A section must always start with a `` element, which should only contain text; after that you're free to do what you want. As explained in the previous section, it's a good idea to have the section id and the title be somewhat related. Example: <section id="summary_of_findings"> <title>Summary of Findings ...

### Section content As said, after the title, anything goes (well, almost): - A section can be subdivided into smaller sections (section 1 can be subdivided into 1.1, 1.2, etc.) - A section can contain generic content, that is to say any number and order of: - paragraphs (`

`) - lists (ordered `

`)
- div containers (``)
- A section can contain any number of findings (``)
- A section can contain any number of non-findings (``)
- A section can contain any number of finding or recommendation
summary tables (``, ``)
- A section can contain a listing of targets, taken from the
`` element in the meta section (``)

All of these elements are described elsewhere in this document; see the
appropriate sections for details.

Appendices
----------

Appendices (using the `` element) work the same as sections,
they just come last in the report. Like sections, they must have a
unique id, and must start with a title. Also like sections, the rest of
their content is free-form.

You will need at least one appendix, for the pentester listing (name and
bio). This is generated from the info you provided in the ``
section in the beginning of the report, so all you need to do is insert
a `` element.

Example:

Pentesters

Findings
--------

Findings are special sections with a specific structure. Findings are
written by the pentesters. It is the job of a report writer to copy them
into the report (or reference them using an xi:include) and
edit/elaborate.

A finding consists of a `` element with the following
attributes:

- `id` - to uniquely identify the finding in the document
- `threatLevel` - which can be set to 'N/A', 'Low', 'Moderate',
'Elevated', 'High', or 'Extreme'
- `type` - the finding type (free text, but keep it short)

Furthermore, the `` is made up of several sub-elements:

- ``, a title for the finding
- `<description>`, a short, general description of the finding
- `<description_summary>`, an *optional* shorter description for use
in the summary tables
- `<technicaldescription>`, a technical elaboration on what the
problem entails
- `<impact>`, the finding's impact on the target's security
- `<recommendation>`, instructions or advice on how to improve
security
- `<recommendation_summary>`, an *optional* shorter recommendation for
use in the summary tables

For more details, see the sections below.

### Note to pentesters

**PENTESTERS** should only use the `<finding>` element containing:

- the `threatLevel` attribute
- the `type` attribute
- the `<title>` element
- the `<description>` element
- the `<technicaldescription>` element
- the `<impact>` element, and
- the `<recommendation>` element

The contents of these elements is free - write whatever you like. The
report writer will mark up your text.

Please create one file per finding.

There is no need to number your findings, as they will be numbered
automatically in the report. There is also no need to add an `id` since
the report writer is better positioned to do that.

Finding template:

<finding threatLevel="SelectFromList" type="ThreatTypeText">
<title>Finding Title
General Description of the problem
Technical description of the problem.
Impact of the finding
Advice/tips/instructions on how to solve the problem

### Note to report writers

**REPORT WRITERS** should: - Add any necessary xml to the main structure
elements (e.g. add paragraphs or `` text to the technical
description) - Edit the text so that it is in correct english and
informative/helpful to the client (or, when in doubt, ask pentesters to
make it more informative/helpful) - Add a `` and/or
`` element if necessary.

### Description

This is a general intro to the problem. It can be left as-is, in which
case the contents of this element will be treated as a paragraph, or it
can be marked up as generic text (using the Generic content elements
listed elsewhere in this document - with paragraphs, lists, tables,
images).

The contents of the `` element will be used verbatim in the
finding summary table **unless** the finding *also* contains a
`` element, in which case that element will be
used.

Example:

XML signature exclusion

This is a reasonably short general description. It can easily fit in the summary table.

...

### Description for Summary Table

If the general finding description is too long or uses elements like
images or tables, it will not be usable to put in the finding summary
table. In this case you can add a `` element right
after the `` element. The system will then use this
description for the summary table instead. The contents of the
`` element will **only be used in the summary
table**. This means that it **will not be visible in the finding text**.

Example:

XML signature exclusion

This is a more elaborate general description:

In this case, the screenshot above makes this description a bad candidate for inclusion in the summary table.
Additionally, the description is very very very very very very very very very very very very
very very very very very very very very very very very very very very very very very very very
very very very very very very very very very very very very very very very very very very very very
very very very very very very very very very very very very very very very very very very very
very very very very very very very very very very very very very very very very very very very very very
very very very very very very very very very very very very very very very very very very very
very very very very very very very long.

This is the alternative summary.

...

### Technical Description

This is a technical description of the problem. It can be left as-is, in
which case the contents of this element will be treated as a paragraph,
or it can be marked up as generic text (using the Generic content
elements listed elsewhere in this document - with paragraphs, lists,
tables, images).

Example:

XML signature exclusion

This is a reasonably short general description. It can easily fit in the summary table.

This is a very detailed and technical description of the finding using a screenshot:

And another screenshot:

...

### Impact

This describes the impact of the problem. It can be left as-is, in which
case the contents of this element will be treated as a paragraph, or it
can be marked up as generic text (using the Generic content elements
listed elsewhere in this document - with paragraphs, lists, tables,
images).

Example:

XML signature exclusion
...
This finding is not a big threat because most people don't even know what a
signature inclusion is. Do you?

### Recommendation

This element contains tips/advice/instructions to deal with the problem.
It can be left as-is, in which case the contents of this element will be
treated as a paragraph, or it can be marked up as generic text (using
the Generic content elements listed elsewhere in this document - with
paragraphs, lists, tables, images).

The contents of the `` element will be used verbatim in
the recommendation summary table **unless** the finding *also* contains
a `` element, in which case that element will be
used.

Example:

XML signature exclusion
...
Advise all users to change their passwords. That's always a good idea.

### Recommendation for Summary Table

If the recommendation is too long or uses elements like images or
tables, it will not be usable to put in the recommendation table. In
this case you can add a `` element right after
the `` element. The system will then use this
recommendation for the summary table instead. The contents of the
`` element will **only be used in the summary
table**. This means that it **will not be visible in the finding text**.

Example:

XML signature exclusion
...

Advise all users to:

Stand on their head
Restart their computers
Change their passwords

Advise all users to change their passwords.

Non-findings
------------

Non-findings are much more freeform than findings. They consist of a
`` element with: - a `` - generic elements such as
paragraphs, images, etc.

`<non-finding>` elements must have an `id` attribute.

(Basically, they are a `<section>` with a special name.)

Example:

<non-finding id="nf_xss">
<title>Mail Server

The server was running MailServer ABC for SMTP, POP3 and IMAP. This is
the most recent version of this particular piece of software.
No relevant vulnerabilities or exploits were found.

Note that this does not mean it's a good idea to use it, since the company
making MailServer ABC is notoriously terrible at pushing out secure software.

Summary tables
--------------

Every pentest report should include summary tables for all findings and
recommendations. This is easy, however, as these tables are generated
automatically by the software. You just need to indicate where, by using
the `` and `` elements.

`` and `` will generate
findings/recommendation summary tables for the complete report. If you
only want to generate a table for findings in a specific section, add a
`Ref` attribute and enter the id of the section you want to reference as
its value.

Example:

Summary

Generic content
---------------

Generic content is modeled on very basic HTML.

### Paragraphs

Paragraphs ('

') go in sections or in the various sub-elements of findings and
non-findings. They are the basic way of displaying text.

Example:

This is a paragraph

### Lists

Lists can be ordered (``, for '**o**rdered **l**ist') or unordered
(``, for **u**nordered **l**ist). Regardless of whether a list is
ordered or unordered, it contains one or more list items (``, for
**l**ist **i**tem).

**Unordered lists**

Example:

Some item
Some other item

**Ordered lists**

Ordered lists are numbered by default. You can configure a different
ordering system by setting its `type` attribute to one of the following
values:

type ordering
------ ----------------------
a lowercase alphabetic
A uppercase alphabetic
i lowercase roman
I uppercase roman

Example:

Some item
Some other item

### Code/Input/Output Blocks

Whenever you need to display some command line input/output or code, use
the `` element. It will conserve any whitespace you leave, so you
can format the contents of this element in a pleasant/readable way. Use
spaces for indents. Note that text in the `` element *will not
wrap*.

Example:

nmap
Command:
$ nmap -vvvv -oA fishinabarrel.sittingduck.com_complete -sV -sC -A -p1-65535 -T5 fishinabarrel.sittingduck.com
Outcome:
Nmap scan report for fishinabarrel.sittingduck.com (10.10.10.1)
In several lines
Some indented
and some not

This is not a haiku.

#### Help! The code in my pre element contains \< characters and it messes with my xml!

You can escape the \< character by replacing it with its entity `<`.

### Div containers

#### What does `` do?

Nothing. `` just *is*.

#### Sigh. Ok, why *is* ``?

You can use `` as a container for other block elements. This is basically only (but very) useful for snippets, as snippets need to be well-formed XML documentlets and can therefore only have one root element. If the snippet is a complete section, this is not a problem. If the snippet is a bunch of paragraphs or something, your snippet can be `` (root element), containing everything you want. Well, everything that's allowed, anyway.

#### So what's allowed in ``?

All block elements: ``, `
`, ``, `

`

#### And what elements can *contain* ``?

`` and ``.

### Tables

**Rows**

Tables consist of a `

Cell 1 in row 1	Cell 2 in row 1
Cell 1 in row 2	Cell 2 in row 2

Header cell 1 in row 1	Header cell 2 in row 1
Cell 1 in row 2	Cell 2 in row 2

cell 1	cell 2	cell 3
cell 4	cell 5	cell 6

` tags. Example: `
This text is bold and this text is not.
` **Italic** To make text italic, wrap it in `` tags. Example: `
This text is italic and this text is not.
` **Underline** To make text underlined, wrap it in `` tags. Example: `
This text is underlined and this text is not.
` **Monospace/code font** To have inline text in a monospace font, wrap it in `` tags. Example: `This text is monospace and this text is not.` **Superscript** To have inline text in superscript, wrap it in `^{` tags. Example: `^{This text is in superscript} and this text is not.` **Subscript** To have inline text in subscript, wrap it in `_{` tags. Example: `_{This text is in subscript} and this text is not.` **Links** Link to internal (in the report) or external (on the web) pages using the `` element. For internal destinations, you can either use an empty `` (recommended, see example 1) or 'normal' linking (see example 2). In the `href` attribute of the `` element, type: - # + the id of the section you're linking to (when linking to a section in the report), or - the url of the website you're linking to (when linking to a website) Example 1 - linking with an empty element: `Please refer to . ` (Note that in this case, we would need to have an element with id "xss\_finding" in the report, otherwise the link wouldn't resolve.) This will auto-generate the linked text: 'Please refer to SID-004 (page 4).', or 'Please refer to section 2 (page 13).' Example 2: `Please refer to our finding on insecure mailservers.` (Again, we would need to have an element with id "xss\_finding" in the report, otherwise the link wouldn't resolve.) Example 3: `Please refer to our amazing website.` Manual breaks ------------- ### Line breaks Mostly text is broken automatically (between paragraphs etc.) but in some rare cases you may need to insert a manual line break. To do so, use the ` ` element. Example: This is my haiku my line is broken, but still the paragraph flows ### Page breaks To force a page break before or after a section, set its `break` attribute to 'before' or 'after'. Note: breaks are inserted automatcally before every appendix and before/after the index. Example: Technical Findings ...}}