Merge branch 'update-htb-cwee' into 'main'
Update HTB CWEE design

See merge request reportcreator/reportcreator!464
MWedl committed Feb 23, 2024
2 parents 6806a37 + 0d4e600 commit 0db0363
Showing 1 changed file with 654 additions and 658 deletions.
1,312 changes: 654 additions & 658 deletions demo_data/htb-designs/cwee.toml
@@ -19,659 +19,659 @@ finding_field_order = [
]
default_notes = []
report_template = """
<div id="header" data-sysreptor-generated="page-header">
<div id="header-left">
<img id="header-logo" src="/assets/name/logo-transparent.png" alt="logo" />
<div id="header-text">
<strong>HACK</strong>THE<strong>BOX</strong>
</div>
</div>
</div>
<div id="footer" data-sysreptor-generated="page-footer">
<div id="footer-left"><em>CONFIDENTIAL</em></div>
<div id="footer-center">{{ report.title }}</div>
</div>
<section id="page-cover" data-sysreptor-generated="page-cover">
<img id="page-cover-logo" src="/assets/name/logo-transparent.png" alt="">
<div id="page-cover-logo-title">
<strong>HACK</strong>THE<strong>BOX</strong>
</div>
<div id="page-cover-title">
<h1 id="page-cover-report-title">{{ report.title }}</h1>
<h2>Report of Findings</h2>
<h3>HTB Certified Web Exploitation Expert (CWEE) Exam Report</h3>
<h3>Candidate Name: {{ report.candidate.a_name }}</h3>
</div>
<div id="page-cover-recipient">
<h2>{{ formatDate(report.report_date, 'long') }}</h2>
<h2>Version: {{ report.report_version }}</h2>
</div>
<pagebreak />
</section>
<table-of-contents id="toc" v-slot="tocItems">
<h1>Table of Contents</h1>
<ul>
<li v-for="item in tocItems" :class="'toc-level' + item.level">
<ref :to="item.id" />
</li>
</ul>
<pagebreak />
</table-of-contents>
<markdown>
# Statement of Confidentiality {#SoC .in-toc.numbered}
The contents of this document have been developed by Hack The Box. Hack The Box considers the contents of this document to be proprietary and business confidential information. This information is to be used only in the performance of its intended use. This document may not be released to another vendor, business partner or contractor without prior written consent from Hack The Box. Additionally, no portion of this document may be communicated, reproduced, copied or distributed without the prior consent of Hack The Box.
The contents of this document do not constitute legal advice. Hack The Box's offer of services that relate to compliance, litigation or other legal interests are not intended as legal counsel and should not be taken as such. The assessment detailed herein is against a fictional company for training and examination purposes, and the vulnerabilities in no way affect Hack The Box external or internal infrastructure.
<pagebreak />
</markdown>
<section>
<div>
<h1 id="contacts" class="in-toc numbered">Engagement Contacts</h1>
<table>
<tr>
<th colspan="3" style="text-align: center">
{{ report.customer_short }} Contacts
</th>
</tr>
<tr>
<td><strong>Contact</strong></td>
<td><strong>Title</strong></td>
<td><strong>Contact Email</strong></td>
</tr>
<tr v-for="contact in report.customer_contacts">
<td>{{ contact.a_name }}</td>
<td>{{ contact.b_title }}</td>
<td>{{ contact.c_email }}</td>
</tr>
</table>
<table>
<tr>
<th colspan="3" style="text-align: center">
Assessor Contact
</th>
</tr>
<tr>
<td><strong>Assessor Name</strong></td>
<td><strong>Title</strong></td>
<td><strong>Assessor Contact Email</strong></td>
</tr>
<tr>
<td>{{ report.candidate.a_name }}</td>
<td>{{ report.candidate.b_title }}</td>
<td>{{ report.candidate.c_email }}</td>
</tr>
</table>
</div>
<pagebreak />
</section>
<section>
<h1 id="summary" class="in-toc numbered">Executive Summary</h1>
<markdown :text="report.executive_summary" />
<div>
<h2 id="approach" class="in-toc numbered">Approach</h2>
<markdown :text="report.approach" class="markdown-inline"/>
</div>
<pagebreak />
</section>
<section>
<div>
<h1 id="scope" class="in-toc numbered">Scope</h1>
<markdown :text="report.scope" />
</div>
<pagebreak />
</section>
<section>
<h1 id="web-application-security-assessment-summary" class="in-toc numbered">Web Application Security Assessment Summary</h1>
<div>
<h2 class="in-toc numbered">Summary of Findings</h2>
<markdown>
During the course of testing, {{ report.candidate.a_name }} uncovered a total of **{{ finding_stats.count_total }}** findings that pose a material risk to client’s web applications and systems. The below chart provides a summary of the findings by severity level.
</markdown>
<p>
In the course of this penetration test
<comma-and-join>
<template #critical v-if="finding_stats.count_critical > 0"><strong class="risk-critical">{{ finding_stats.count_critical }} Critical</strong></template>
<template #high v-if="finding_stats.count_high > 0"><strong class="risk-high">{{ finding_stats.count_high }} High</strong></template>
<template #medium v-if="finding_stats.count_medium > 0"><strong class="risk-medium">{{ finding_stats.count_medium }} Medium</strong></template>
<template #low v-if="finding_stats.count_low > 0"><strong class="risk-low">{{ finding_stats.count_low }} Low</strong></template>
<template #info v-if="finding_stats.count_info > 0"><strong class="risk-info">{{ finding_stats.count_info }} Info</strong></template>
</comma-and-join>
vulnerabilities were identified:
</p>
<figure>
<chart :width="15" :height="10" :config="{
type: 'bar',
data: {
labels: ['Critical', 'High', 'Medium', 'Low', 'Info'],
datasets: [{
data: [
finding_stats.count_critical,
finding_stats.count_high,
finding_stats.count_medium,
finding_stats.count_low,
finding_stats.count_info
],
backgroundColor: [
cssvar('--color-risk-critical'),
cssvar('--color-risk-high'),
cssvar('--color-risk-medium'),
cssvar('--color-risk-low'),
cssvar('--color-risk-info')
],
}],
},
options: {
scales: {
x: {
ticks: { color: 'white' }, // Specify the font color for the x-axis ticks
grid: { color: cssvar('--color-secondary') }, // Set the grid color for the x-axis
},
y: {
beginAtZero: true,
ticks: { precision: 0, color: 'white' },
grid: { color: cssvar('--color-secondary') }, // Set the grid color for the y-axis
},
},
plugins: {legend: { display: false }},
},
}" />
<figcaption>Distribution of identified vulnerabilities</figcaption>
</figure>
<markdown>
Below is a high-level overview of each finding identified during the course of testing. These findings are covered in depth in the
<ref to="findings">Technical Findings Details</ref> section of this report.
</markdown>
<table class="findings-list">
<thead>
<tr>
<th>#</th>
<th>Severity Level</th>
<th>Finding Name</th>
<th align="center">Page</th>
</tr>
</thead>
<tbody>
<tr v-for="finding in findings" class="table-row-link">
<td>
<ref :to="finding.id" class="ref-finding-number" />
</td>
<td :class="'risk-bg-' + finding.cvss.level">
<ref :to="finding.id">{{ finding.cvss.score}} ({{ lodash.capitalize(finding.cvss.level) }})</ref>
</td>
<td>
<ref :to="finding.id">{{ finding.title }}</ref>
</td>
<td align="center">
<ref :to="finding.id" class="ref-page" />
</td>
</tr>
</tbody>
</table>
</div>
<h2 id="assessment-overview-and-recommendations" class="in-toc numbered">Assessment Overview and Recommendations</h2>
<markdown :text="report.assessment_overview_and_recommendations" />
<pagebreak />
</section>
<section class="findings-list">
<h1 id="findings" class="in-toc numbered">Technical Findings Details</h1>
<div v-for="finding in findings">
<h2 :id="finding.id" class="in-toc finding-number" :data-toc-title="finding.title">
{{ finding.title }} -
<span :class="'risk-' + finding.cvss.level">{{ lodash.capitalize(finding.cvss.level) }}</span>
</h2>
<table class="finding-header">
<tr>
<th :class="'risk-bg-' + finding.cvss.level">CWE</th>
<td>
{{ finding.cwe.value || '-' }}
</td>
</tr>
<tr>
<th :class="'risk-bg-' + finding.cvss.level">CVSS 4.0</th>
<td>
<span v-if="!finding.cvss.vector || finding.cvss.vector === 'n/a'">N/A</span>
<span v-else>{{ finding.cvss.score}} / {{ finding.cvss.vector }}</span>
</td>
</tr>
<tr>
<th :class="'risk-bg-' + finding.cvss.level">Description & Cause</th>
<td>
<markdown :text="finding.summary" />
</td>
</tr>
<tr>
<th :class="'risk-bg-' + finding.cvss.level">Security Impact</th>
<td>
<markdown :text="finding.impact" />
</td>
</tr>
<tr v-if="finding.affected_components.length > 0">
<th :class="'risk-bg-' + finding.cvss.level">Affected Component(s)</th>
<td>
<span v-if="finding.affected_components.length === 0">-</span>
<span v-else-if="finding.affected_components.length === 1">{{ finding.affected_components[0]
}}</span>
<ul v-else :class="{'finding-systems': true, 'finding-systems-cols': finding.affected_components.length >= 4}">
<li v-for="c in finding.affected_components">{{ c }}</li>
</ul>
</td>
</tr>
<tr>
<th :class="'risk-bg-' + finding.cvss.level">External References</th>
<td>
<span v-if="finding.references.length === 0">-</span>
<span v-else-if="finding.references.length === 1">{{ finding.references[0] }}</span>
<ul v-else>
<li v-for="r in finding.references">{{ r }}</li>
</ul>
</td>
</tr>
</table>
<div v-if="finding.description">
<h3>Detailed Walkthrough</h3>
<markdown :text="finding.description" />
</div>
<div v-if="finding.recommendation">
<h3>Patching and Remediation</h3>
<markdown :text="finding.recommendation" />
</div>
<pagebreak />
</div>
</section>
<section class="appendix">
<h1 id="appendix" class="in-toc numbered">Appendix</h1>
<div v-if="report.appendix_severities">
<h2 class="in-toc numbered">Finding Severities</h2>
<markdown :text="report.appendix_severities" />
<pagebreak />
</div>
<div v-if="report.appendix_flags">
<h2 class="in-toc numbered">Flags Discovered</h2>
<markdown :text="report.appendix_flags" />
<pagebreak />
</div>
<div v-for="appendix_additional_section in report.appendix_additional_sections">
<h2 class="in-toc numbered">{{ appendix_additional_section.title }}</h2>
<markdown :text="appendix_additional_section.content" />
<pagebreak />
</div>
</section>
<section>
<div class="end-of-report">
End of Report
</div>
<div class="end-of-report">
This report was rendered<br>
by <a href="https://docs.sysreptor.com/">SysReptor</a> with<br>
<span style="color:red;">&hearts;</span><br>
</div>
<div id="header" data-sysreptor-generated="page-header">
<div id="header-left">
<img id="header-logo" src="/assets/name/logo-transparent.png" alt="logo" />
<div id="header-text">
<strong>HACK</strong>THE<strong>BOX</strong>
</div>
</div>
</div>
<div id="footer" data-sysreptor-generated="page-footer">
<div id="footer-left"><em>CONFIDENTIAL</em></div>
<div id="footer-center">{{ report.title }}</div>
</div>
<section id="page-cover" data-sysreptor-generated="page-cover">
<img id="page-cover-logo" src="/assets/name/logo-transparent.png" alt="">
<div id="page-cover-logo-title">
<strong>HACK</strong>THE<strong>BOX</strong>
</div>
<div id="page-cover-title">
<h1 id="page-cover-report-title">{{ report.title }}</h1>
<h2>Report of Findings</h2>
<h3>HTB Certified Web Exploitation Expert (CWEE) Exam Report</h3>
<h3>Candidate Name: {{ report.candidate.a_name }}</h3>
</div>
<div id="page-cover-recipient">
<h2>{{ formatDate(report.report_date, 'long') }}</h2>
<h2>Version: {{ report.report_version }}</h2>
</div>
<pagebreak />
</section>
<table-of-contents id="toc" v-slot="tocItems">
<h1>Table of Contents</h1>
<ul>
<li v-for="item in tocItems" :class="'toc-level' + item.level">
<ref :to="item.id" />
</li>
</ul>
<pagebreak />
</table-of-contents>
<markdown>
# Statement of Confidentiality {#SoC .in-toc.numbered}
The contents of this document have been developed by Hack The Box. Hack The Box considers the contents of this document to be proprietary and business confidential information. This information is to be used only in the performance of its intended use. This document may not be released to another vendor, business partner or contractor without prior written consent from Hack The Box. Additionally, no portion of this document may be communicated, reproduced, copied or distributed without the prior consent of Hack The Box.
The contents of this document do not constitute legal advice. Hack The Box's offer of services that relate to compliance, litigation or other legal interests are not intended as legal counsel and should not be taken as such. The assessment detailed herein is against a fictional company for training and examination purposes, and the vulnerabilities in no way affect Hack The Box external or internal infrastructure.
<pagebreak />
</markdown>
<section>
<div>
<h1 id="contacts" class="in-toc numbered">Engagement Contacts</h1>
<table>
<tr>
<th colspan="3" style="text-align: center">
{{ report.customer_short }} Contacts
</th>
</tr>
<tr>
<td><strong>Contact</strong></td>
<td><strong>Title</strong></td>
<td><strong>Contact Email</strong></td>
</tr>
<tr v-for="contact in report.customer_contacts">
<td>{{ contact.a_name }}</td>
<td>{{ contact.b_title }}</td>
<td>{{ contact.c_email }}</td>
</tr>
</table>
<table>
<tr>
<th colspan="3" style="text-align: center">
Assessor Contact
</th>
</tr>
<tr>
<td><strong>Assessor Name</strong></td>
<td><strong>Title</strong></td>
<td><strong>Assessor Contact Email</strong></td>
</tr>
<tr>
<td>{{ report.candidate.a_name }}</td>
<td>{{ report.candidate.b_title }}</td>
<td>{{ report.candidate.c_email }}</td>
</tr>
</table>
</div>
<pagebreak />
</section>
<section>
<h1 id="summary" class="in-toc numbered">Executive Summary</h1>
<markdown :text="report.executive_summary" />
<div>
<h2 id="approach" class="in-toc numbered">Approach</h2>
<markdown :text="report.approach" class="markdown-inline"/>
</div>
<pagebreak />
</section>
<section>
<div>
<h1 id="scope" class="in-toc numbered">Scope</h1>
<markdown :text="report.scope" />
</div>
<pagebreak />
</section>
<section>
<h1 id="web-application-security-assessment-summary" class="in-toc numbered">Web Application Security Assessment Summary</h1>
<div>
<h2 class="in-toc numbered">Summary of Findings</h2>
<markdown>
During the course of testing, {{ report.candidate.a_name }} uncovered a total of **{{ finding_stats.count_total }}** findings that pose a material risk to client’s web applications and systems. The below chart provides a summary of the findings by severity level.
</markdown>
<p>
In the course of this penetration test
<comma-and-join>
<template #critical v-if="finding_stats.count_critical > 0"><strong class="risk-critical">{{ finding_stats.count_critical }} Critical</strong></template>
<template #high v-if="finding_stats.count_high > 0"><strong class="risk-high">{{ finding_stats.count_high }} High</strong></template>
<template #medium v-if="finding_stats.count_medium > 0"><strong class="risk-medium">{{ finding_stats.count_medium }} Medium</strong></template>
<template #low v-if="finding_stats.count_low > 0"><strong class="risk-low">{{ finding_stats.count_low }} Low</strong></template>
<template #info v-if="finding_stats.count_info > 0"><strong class="risk-info">{{ finding_stats.count_info }} Info</strong></template>
</comma-and-join>
vulnerabilities were identified:
</p>
<figure>
<chart :width="15" :height="10" :config="{
type: 'bar',
data: {
labels: ['Critical', 'High', 'Medium', 'Low', 'Info'],
datasets: [{
data: [
finding_stats.count_critical,
finding_stats.count_high,
finding_stats.count_medium,
finding_stats.count_low,
finding_stats.count_info
],
backgroundColor: [
cssvar('--color-risk-critical'),
cssvar('--color-risk-high'),
cssvar('--color-risk-medium'),
cssvar('--color-risk-low'),
cssvar('--color-risk-info')
],
}],
},
options: {
scales: {
x: {
ticks: { color: 'white' }, // Specify the font color for the x-axis ticks
grid: { color: cssvar('--color-secondary') }, // Set the grid color for the x-axis
},
y: {
beginAtZero: true,
ticks: { precision: 0, color: 'white' },
grid: { color: cssvar('--color-secondary') }, // Set the grid color for the y-axis
},
},
plugins: {legend: { display: false }},
},
}" />
<figcaption>Distribution of identified vulnerabilities</figcaption>
</figure>
<markdown>
Below is a high-level overview of each finding identified during the course of testing. These findings are covered in depth in the
<ref to="findings">Technical Findings Details</ref> section of this report.
</markdown>
<table class="findings-list">
<thead>
<tr>
<th>#</th>
<th>Severity Level</th>
<th>Finding Name</th>
<th align="center">Page</th>
</tr>
</thead>
<tbody>
<tr v-for="finding in findings" class="table-row-link">
<td>
<ref :to="finding.id" class="ref-finding-number" />
</td>
<td :class="'risk-bg-' + finding.cvss.level">
<ref :to="finding.id">{{ finding.cvss.score}} ({{ lodash.capitalize(finding.cvss.level) }})</ref>
</td>
<td>
<ref :to="finding.id">{{ finding.title }}</ref>
</td>
<td align="center">
<ref :to="finding.id" class="ref-page" />
</td>
</tr>
</tbody>
</table>
</div>
<h2 id="assessment-overview-and-recommendations" class="in-toc numbered">Assessment Overview and Recommendations</h2>
<markdown :text="report.assessment_overview_and_recommendations" />
<pagebreak />
</section>
<section class="findings-list">
<h1 id="findings" class="in-toc numbered">Technical Findings Details</h1>
<div v-for="finding in findings">
<h2 :id="finding.id" class="in-toc finding-number" :data-toc-title="finding.title">
{{ finding.title }} -
<span :class="'risk-' + finding.cvss.level">{{ lodash.capitalize(finding.cvss.level) }}</span>
</h2>
<table class="finding-header">
<tr>
<th :class="'risk-bg-' + finding.cvss.level">CWE</th>
<td>
{{ finding.cwe.value || '-' }}
</td>
</tr>
<tr>
<th :class="'risk-bg-' + finding.cvss.level">CVSS 4.0</th>
<td>
<span v-if="!finding.cvss.vector || finding.cvss.vector === 'n/a'">N/A</span>
<span v-else>{{ finding.cvss.score}} / {{ finding.cvss.vector }}</span>
</td>
</tr>
<tr>
<th :class="'risk-bg-' + finding.cvss.level">Description & Cause</th>
<td>
<markdown :text="finding.summary" />
</td>
</tr>
<tr>
<th :class="'risk-bg-' + finding.cvss.level">Security Impact</th>
<td>
<markdown :text="finding.impact" />
</td>
</tr>
<tr v-if="finding.affected_components.length > 0">
<th :class="'risk-bg-' + finding.cvss.level">Affected Component(s)</th>
<td>
<span v-if="finding.affected_components.length === 0">-</span>
<span v-else-if="finding.affected_components.length === 1">{{ finding.affected_components[0]
}}</span>
<ul v-else :class="{'finding-systems': true, 'finding-systems-cols': finding.affected_components.length >= 4}">
<li v-for="c in finding.affected_components">{{ c }}</li>
</ul>
</td>
</tr>
<tr>
<th :class="'risk-bg-' + finding.cvss.level">External References</th>
<td>
<span v-if="finding.references.length === 0">-</span>
<span v-else-if="finding.references.length === 1">{{ finding.references[0] }}</span>
<ul v-else>
<li v-for="r in finding.references">{{ r }}</li>
</ul>
</td>
</tr>
</table>
<div v-if="finding.description">
<h3>Detailed Walkthrough</h3>
<markdown :text="finding.description" />
</div>
<div v-if="finding.recommendation">
<h3>Patching and Remediation</h3>
<markdown :text="finding.recommendation" />
</div>
<pagebreak />
</div>
</section>
<section class="appendix">
<h1 id="appendix" class="in-toc numbered">Appendix</h1>
<div v-if="report.appendix_severities">
<h2 class="in-toc numbered">Finding Severities</h2>
<markdown :text="report.appendix_severities" />
<pagebreak />
</div>
<div v-if="report.appendix_flags">
<h2 class="in-toc numbered">Flags Discovered</h2>
<markdown :text="report.appendix_flags" />
<pagebreak />
</div>
<div v-for="appendix_additional_section in report.appendix_additional_sections">
<h2 class="in-toc numbered">{{ appendix_additional_section.title }}</h2>
<markdown :text="appendix_additional_section.content" />
<pagebreak />
</div>
</section>
<section>
<div class="end-of-report">
End of Report
</div>
<div class="end-of-report">
This report was rendered<br>
by <a href="https://docs.sysreptor.com/">SysReptor</a> with<br>
<span style="color:red;">&hearts;</span><br>
</div>
</section>
"""
report_styles = """
@import "/assets/global/base.css";
/* Define variables */
:root {
--color-risk-critical: #E83221;
--color-risk-high: #FF9300;
--color-risk-medium: #ffc400;
--color-risk-low: #4285F5;
--color-risk-info: #00AE51;
--color-highlight: #9FEF00;
--color-secondary: #A6B0CB;
--color-table-header: #9FEF00;
--color-table-row-even: #A4B1CD;
--color-table-row-odd: #BFC8DC;
--color-table-content: #151515;
--color-page-background: #161D2A;
}
@page {
size: A4 portrait;
margin: 35mm 20mm 25mm 20mm;
background-color: var(--color-page-background);
}
/* Font */
html {
font-family: "Noto Sans", sans-serif;
font-size: 10pt;
color: white;
}
h1, h2, h3, h4, h5, h6 {
color: var(--color-highlight);
}
/* Justify text */
p {
text-align: justify;
text-align-last: start;
}
a {
color: var(--color-secondary); /* Set the color of unvisited links */
text-decoration: underline; /* Remove the underline from unvisited links */
}
/* Table styling */
table, th, td {
border: 1px solid white;
}
th {
background-color: var(--color-table-header);
color: var(--color-table-content);
}
th, td {
padding: 0.2em 0.5em 0.2em 0.5em;
}
tr.table-row-link td {
padding: 0;
}
tr.table-row-link td a {
display: block;
padding: 0.2em 0.5em 0.2em 0.5em;
color: inherit;
text-decoration: none;
font-style: inherit;
}
td.table-key {
height: 3em;
width: 10em;
}
tr{
color: var(--color-table-content);
}
tr:nth-child(even) {
background-color: var(--color-table-row-even)
}
tr:nth-child(odd) {
background-color: var(--color-table-row-odd)
}
/* Code block styling */
pre code {
border: 1px solid white;
padding: 0.2em !important;
}
code {
color: var(--color-highlight);
background-color: inherit;
}
.code-important{
\tbackground-color: yellow;
color: red;
font-style: italic;
}
/* Footnotes */
@page {
@footnote {
border-top: 1px solid white;
}
}
footnote {
font-size: 8pt;
}
/* Classes for risk colors */
.risk-critical { color: var(--color-risk-critical) !important; font-weight: bold; }
.risk-high { color: var(--color-risk-high) !important; font-weight: bold; }
.risk-medium { color: var(--color-risk-medium) !important; font-weight: bold; }
.risk-low { color: var(--color-risk-low) !important; font-weight: bold; }
.risk-info { color: var(--color-risk-info) !important; font-weight: bold; }
.risk-bg-critical { background-color: var(--color-risk-critical) !important; color: white !important; }
.risk-bg-high { background-color: var(--color-risk-high) !important; }
.risk-bg-medium { background-color: var(--color-risk-medium) !important; }
.risk-bg-low { background-color: var(--color-risk-low) !important; }
.risk-bg-info { background-color: var(--color-risk-info) !important; }
/* Helper class for referencing page number */
.ref-page::before {
content: "" !important;
}
.ref-page .ref-title, .ref-finding-number .ref-title {
display: none !important;
}
.ref-page::after {
content: target-counter(attr(href), page) !important;
}
.ref-finding-number::before {
content: target-counter(attr(href), finding-number);
}
.findings-list {
counter-reset: finding-number;
}
.finding-number {
color: white;
}
.finding-number::before {
counter-increment: finding-number;
content: counter(finding-number) ". ";
}
/* Finding */
.finding-header th {
font-weight: normal;
width: 7em;
}
.finding-header tr {
break-inside: auto;
}
.finding-header-color{
font-size: 12pt;
color: white !important;
}
/*CSS classes for multiple systems */
.finding-systems {
padding-left: 1em;
}
.finding-systems-cols {
column-count: 2;
padding-top: 1em;
margin-bottom: 1em;
}
.end-of-report {
text-align:center;
font-style:italic;
margin-top:70px;
line-height:1.7;
}
/* #region header */
@page {
margin-top: 35mm;
--header-margin-bottom: 5mm;
@top-left-corner {
content: "";
margin-bottom: var(--header-margin-bottom);
border-bottom: 2px dotted white;
}
@top-left {
content: element(header-left);
margin-bottom: var(--header-margin-bottom);
border-bottom: 2px dotted white;
width: 100%;
}
@top-right-corner {
content: "";
margin-bottom: var(--header-margin-bottom);
border-bottom: 2px dotted white;
}
}
#header-left {
position: running(header-left);
display: flex;
flex-direction: row;
align-items: center;
}
#header-logo { height: 20mm; }
#header-text { font-size: 14pt; margin-left: -3mm; }
/* #endregion header */
/* #region footer */
@page {
@bottom-left { content: element(footer-left); }
@bottom-center { content: element(footer-center); }
@bottom-right-corner { content: counter(page); }
}
#footer-left { position: running(footer-left); }
#footer-center { position: running(footer-center); }
/* #endregion footer */
/* #region page-cover */
#page-cover-logo {
position: absolute;
top: 5%;
left: 2cm;
height: 6cm;
transform: translate(-50%, -50%);
display: inline-block
}
#page-cover-logo-title {
position: absolute;
top: 5%;
left: 9.5cm;
transform: translate(-50%, -50%);
display: inline-block;
font-size: 42pt;
}
#page-cover-title {
position: absolute;
top: 40%;
left: 50%;
width: 14cm;
transform: translate(-50%, -50%);
text-align: center;
}
#page-cover-title h1 {
font-size: 32pt;
color: white;
}
#page-cover-title h2 {
font-size: 24pt;
color: white;
}
#page-cover-title h3 {
font-size: 12pt;
color: white;
}
#page-cover-report-title{
color: var(--color-highlight) !important;
}
#page-cover-recipient {
position: absolute;
top: 80%;
left: 50%;
width: 14cm;
transform: translate(-50%, -50%);
display: inline-block;
text-align: right;
}
#page-cover-recipient h1 {
font-size: 16pt;
color: var(--color-highlight);
}
#page-cover-recipient h2 {
font-size: 12pt;
color: var(--color-secondary);
}
@page :first {
/* Hide header */
@top-left-corner { content: none !important; }
@top-left { content: none !important; }
@top-right-corner { content: none !important; }
/* Hide footer (except "confidential") */
@bottom-center { content: none !important; }
@bottom-right-corner { content: none !important; }
}
/* #endregion page-cover */
/* #region toc */
#toc li {
list-style: none;
margin: 0;
padding: 0;
color: var(--color-secondary);
}
#toc .ref::before {
padding-right: 0.5em;
}
#toc .ref::after {
content: " " leader(".") " " target-counter(attr(href), page);
}
#toc .toc-level1 {
font-size: 14pt;
margin-top: 0.8em;
color: white;
}
#toc .toc-level2 {
font-size: 12pt;
margin-top: 0.5em;
margin-left: 1em;
}
#toc .toc-level3 {
font-size: 10pt;
margin-top: 0.4em;
margin-left: 2em;
}
@import "/assets/global/base.css";
/* Define variables */
:root {
--color-risk-critical: #E83221;
--color-risk-high: #FF9300;
--color-risk-medium: #ffc400;
--color-risk-low: #4285F5;
--color-risk-info: #00AE51;
--color-highlight: #9FEF00;
--color-secondary: #A6B0CB;
--color-table-header: #9FEF00;
--color-table-row-even: #A4B1CD;
--color-table-row-odd: #BFC8DC;
--color-table-content: #151515;
--color-page-background: #161D2A;
}
@page {
size: A4 portrait;
margin: 35mm 20mm 25mm 20mm;
background-color: var(--color-page-background);
}
/* Font */
html {
font-family: "Noto Sans", sans-serif;
font-size: 10pt;
color: white;
}
h1, h2, h3, h4, h5, h6 {
color: var(--color-highlight);
}
/* Justify text */
p {
text-align: justify;
text-align-last: start;
}
a {
color: var(--color-secondary); /* Set the color of unvisited links */
text-decoration: underline; /* Remove the underline from unvisited links */
}
/* Table styling */
table, th, td {
border: 1px solid white;
}
th {
background-color: var(--color-table-header);
color: var(--color-table-content);
}
th, td {
padding: 0.2em 0.5em 0.2em 0.5em;
}
tr.table-row-link td {
padding: 0;
}
tr.table-row-link td a {
display: block;
padding: 0.2em 0.5em 0.2em 0.5em;
color: inherit;
text-decoration: none;
font-style: inherit;
}
td.table-key {
height: 3em;
width: 10em;
}
tr{
color: var(--color-table-content);
}
tr:nth-child(even) {
background-color: var(--color-table-row-even)
}
tr:nth-child(odd) {
background-color: var(--color-table-row-odd)
}
/* Code block styling */
pre code {
border: 1px solid white;
padding: 0.2em !important;
}
code {
color: var(--color-highlight);
background-color: inherit;
}
.code-important{
\tbackground-color: yellow;
color: red;
font-style: italic;
}
/* Footnotes */
@page {
@footnote {
border-top: 1px solid white;
}
}
footnote {
font-size: 8pt;
}
/* Classes for risk colors */
.risk-critical { color: var(--color-risk-critical) !important; font-weight: bold; }
.risk-high { color: var(--color-risk-high) !important; font-weight: bold; }
.risk-medium { color: var(--color-risk-medium) !important; font-weight: bold; }
.risk-low { color: var(--color-risk-low) !important; font-weight: bold; }
.risk-info { color: var(--color-risk-info) !important; font-weight: bold; }
.risk-bg-critical { background-color: var(--color-risk-critical) !important; color: white !important; }
.risk-bg-high { background-color: var(--color-risk-high) !important; }
.risk-bg-medium { background-color: var(--color-risk-medium) !important; }
.risk-bg-low { background-color: var(--color-risk-low) !important; }
.risk-bg-info { background-color: var(--color-risk-info) !important; }
/* Helper class for referencing page number */
.ref-page::before {
content: "" !important;
}
.ref-page .ref-title, .ref-finding-number .ref-title {
display: none !important;
}
.ref-page::after {
content: target-counter(attr(href), page) !important;
}
.ref-finding-number::before {
content: target-counter(attr(href), finding-number);
}
.findings-list {
counter-reset: finding-number;
}
.finding-number {
color: white;
}
.finding-number::before {
counter-increment: finding-number;
content: counter(finding-number) ". ";
}
/* Finding */
.finding-header th {
font-weight: normal;
width: 7em;
}
.finding-header tr {
break-inside: auto;
}
.finding-header-color{
font-size: 12pt;
color: white !important;
}
/*CSS classes for multiple systems */
.finding-systems {
padding-left: 1em;
}
.finding-systems-cols {
column-count: 2;
padding-top: 1em;
margin-bottom: 1em;
}
.end-of-report {
text-align:center;
font-style:italic;
margin-top:70px;
line-height:1.7;
}
/* #region header */
@page {
margin-top: 35mm;
--header-margin-bottom: 5mm;
@top-left-corner {
content: "";
margin-bottom: var(--header-margin-bottom);
border-bottom: 2px dotted white;
}
@top-left {
content: element(header-left);
margin-bottom: var(--header-margin-bottom);
border-bottom: 2px dotted white;
width: 100%;
}
@top-right-corner {
content: "";
margin-bottom: var(--header-margin-bottom);
border-bottom: 2px dotted white;
}
}
#header-left {
position: running(header-left);
display: flex;
flex-direction: row;
align-items: center;
}
#header-logo { height: 20mm; }
#header-text { font-size: 14pt; margin-left: -3mm; }
/* #endregion header */
/* #region footer */
@page {
@bottom-left { content: element(footer-left); }
@bottom-center { content: element(footer-center); }
@bottom-right-corner { content: counter(page); }
}
#footer-left { position: running(footer-left); }
#footer-center { position: running(footer-center); }
/* #endregion footer */
/* #region page-cover */
#page-cover-logo {
position: absolute;
top: 5%;
left: 2cm;
height: 6cm;
transform: translate(-50%, -50%);
display: inline-block
}
#page-cover-logo-title {
position: absolute;
top: 5%;
left: 9.5cm;
transform: translate(-50%, -50%);
display: inline-block;
font-size: 42pt;
}
#page-cover-title {
position: absolute;
top: 40%;
left: 50%;
width: 14cm;
transform: translate(-50%, -50%);
text-align: center;
}
#page-cover-title h1 {
font-size: 32pt;
color: white;
}
#page-cover-title h2 {
font-size: 24pt;
color: white;
}
#page-cover-title h3 {
font-size: 12pt;
color: white;
}
#page-cover-report-title{
color: var(--color-highlight) !important;
}
#page-cover-recipient {
position: absolute;
top: 80%;
left: 50%;
width: 14cm;
transform: translate(-50%, -50%);
display: inline-block;
text-align: right;
}
#page-cover-recipient h1 {
font-size: 16pt;
color: var(--color-highlight);
}
#page-cover-recipient h2 {
font-size: 12pt;
color: var(--color-secondary);
}
@page :first {
/* Hide header */
@top-left-corner { content: none !important; }
@top-left { content: none !important; }
@top-right-corner { content: none !important; }
/* Hide footer (except "confidential") */
@bottom-center { content: none !important; }
@bottom-right-corner { content: none !important; }
}
/* #endregion page-cover */
/* #region toc */
#toc li {
list-style: none;
margin: 0;
padding: 0;
color: var(--color-secondary);
}
#toc .ref::before {
padding-right: 0.5em;
}
#toc .ref::after {
content: " " leader(".") " " target-counter(attr(href), page);
}
#toc .toc-level1 {
font-size: 14pt;
margin-top: 0.8em;
color: white;
}
#toc .toc-level2 {
font-size: 12pt;
margin-top: 0.5em;
margin-left: 1em;
}
#toc .toc-level3 {
font-size: 10pt;
margin-top: 0.4em;
margin-left: 2em;
}
/* #endregion toc */
"""

@@ -709,9 +709,7 @@ origin = "custom"
default = """
{{ report.candidate.a_name }} performed testing under a mixture of "blackbox" and a "whitebox" approach from {{ formatDate(report.pentest_start, 'long', 'en-US') }} to {{ formatDate(report.pentest_end, 'long', 'en-US') }}, as follows:
- `{{ report.customers[0].customer_short }}` <markdown :text="report.customers[0].pentest_approach" class="markdown-inline" />
- `{{ report.customers[1].customer_short }}` <markdown :text="report.customers[1].pentest_approach" class="markdown-inline" />
- `{{ report.customers[2].customer_short }}` <markdown :text="report.customers[2].pentest_approach" class="markdown-inline" />
<ul><li v-for="customer in report.customers"> <code>{{ customer.customer_short }}</code> <markdown :text="customer.pentest_approach" class="markdown-inline" /></li></ul>
Testing was performed remotely from a non-evasive standpoint, with the goal of uncovering as many misconfigurations and vulnerabilities as possible. Each weakness identified was documented and manually investigated to determine exploitation possibilities and escalation potential.
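Review bot: the `v-for` replaces three index-based bullets, so the list now renders for any number of customers, but two things need confirming. First, the loop reads `customer.pentest_approach`; the last hunk in this diff shows a field named `approach` directly after `customer_full = "Royal Flush Ltd."` in the demo data, so check that `pentest_approach` is really the per-customer key and `approach` the report-level one. Second, an empty `report.customers` leaves the sentence ending in "as follows:" with nothing after it; a `v-if="report.customers.length"` on the `<ul>` (or a fallback sentence) would cover that. Minor: the old bullets were markdown, the new list is raw `<ul><li>` HTML inside a markdown field, so this relies on the renderer passing HTML through, which the `class="markdown-inline"` usage suggests it does.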
@@ -891,7 +889,7 @@ type = "markdown"
label = "Executive Summary"
origin = "custom"
default = """
{{ report.customers[0].customer_full }} (“{{ report.customers[0].customer_short }}” herein), {{ report.customers[1].customer_full }} (“{{ report.customers[1].customer_short }}” herein), and {{ report.customers[2].customer_full }} (“{{ report.customers[2].customer_short }}” herein) have invited {{ report.candidate.a_name }} to perform a targeted Web Application Penetration Test of their web applications to identify high-risk security weaknesses, assess their impact, document all findings in a clear, professional, and repeatable manner, and provide remediation recommendations.
{{ report.customers[0]?.customer_full }} (“{{ report.customers[0]?.customer_short }}” herein), {{ report.customers[1]?.customer_full }} (“{{ report.customers[1]?.customer_short }}” herein), and {{ report.customers[2]?.customer_full }} (“{{ report.customers[2]?.customer_short }}” herein) have invited {{ report.candidate.a_name }} to perform a targeted Web Application Penetration Test of their web applications to identify high-risk security weaknesses, assess their impact, document all findings in a clear, professional, and repeatable manner, and provide remediation recommendations.
All web-related findings were considered in-scope, as long as they can be proven harmful to the client with a Medium-High impact. The following types of activities were considered out-of-scope for this test:
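Review bot: the `?.` guards stop the Executive Summary from throwing when fewer than three customers are configured, but the sentence still hard-codes three of them: a missing entry renders as an empty string, so the output reads `(“” herein),` with dangling commas and empty quotes. Consider building the customer enumeration with a `v-for` (as the approach field in this same diff now does) instead of indexing `[0]`, `[1]`, `[2]`. Also note that `report.customers[0]?.customer_full` only protects against a missing element, not a missing `customers` list; `report.customers?.[0]?.customer_full` would cover both.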
@@ -1170,7 +1168,7 @@ zugreift.
target_systems = "TODO: fill field in report"
internal_contact = "TODO: fill field in report"
executive_summary = """
{{ report.customers[0].customer_full }} (“{{ report.customers[0].customer_short }}” herein), {{ report.customers[1].customer_full }} (“{{ report.customers[1].customer_short }}” herein), and {{ report.customers[2].customer_full }} (“{{ report.customers[2].customer_short }}” herein) have invited {{ report.candidate.a_name }} to perform a targeted Web Application Penetration Test of their web applications to identify high-risk security weaknesses, assess their impact, document all findings in a clear, professional, and repeatable manner, and provide remediation recommendations.
{{ report.customers[0]?.customer_full }} (“{{ report.customers[0]?.customer_short }}” herein), {{ report.customers[1]?.customer_full }} (“{{ report.customers[1]?.customer_short }}” herein), and {{ report.customers[2]?.customer_full }} (“{{ report.customers[2]?.customer_short }}” herein) have invited {{ report.candidate.a_name }} to perform a targeted Web Application Penetration Test of their web applications to identify high-risk security weaknesses, assess their impact, document all findings in a clear, professional, and repeatable manner, and provide remediation recommendations.
All web-related findings were considered in-scope, as long as they can be proven harmful to the client with a Medium-High impact. The following types of activities were considered out-of-scope for this test:
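Review bot: this is the demo-data copy of the Executive Summary default changed in the previous hunk, so the same three-customer sentence problem applies here (empty `(“” herein),` fragments when fewer than three customers exist), and the two copies need to stay in sync; if the field default is later rewritten with a `v-for`, regenerate this value rather than patching it by hand. Separately, the hunk's context line ends in German (`zugreift.`) inside an otherwise English demo report; check whether the preceding field was left untranslated.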
@@ -1187,9 +1185,7 @@ customer_full = "Royal Flush Ltd."
approach = """
{{ report.candidate.a_name }} performed testing under a mixture of "blackbox" and a "whitebox" approach from {{ formatDate(report.pentest_start, 'long', 'en-US') }} to {{ formatDate(report.pentest_end, 'long', 'en-US') }}, as follows:
- `{{ report.customers[0].customer_short }}` <markdown :text="report.customers[0].pentest_approach" class="markdown-inline" />
- `{{ report.customers[1].customer_short }}` <markdown :text="report.customers[1].pentest_approach" class="markdown-inline" />
- `{{ report.customers[2].customer_short }}` <markdown :text="report.customers[2].pentest_approach" class="markdown-inline" />
<ul><li v-for="customer in report.customers"> <code>{{ customer.customer_short }}</code> <markdown :text="customer.pentest_approach" class="markdown-inline" /></li></ul>
Testing was performed remotely from a non-evasive standpoint, with the goal of uncovering as many misconfigurations and vulnerabilities as possible. Each weakness identified was documented and manually investigated to determine exploitation possibilities and escalation potential.
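Review bot: same change as the `approach` field default earlier in this diff, applied to the demo report's `approach` value, so the same two checks apply: confirm `pentest_approach` is the per-customer key (this hunk sits right after `customer_full = "Royal Flush Ltd."` and a field named `approach`), and guard the `<ul>` with a `v-if` so an empty `report.customers` does not leave "as follows:" followed by nothing. Since this value duplicates the field default, verify the two remain identical after any follow-up edit.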
