Tags: CVSS 3.1, OWASP Top-10, OWASP API Top-10, PCI-DSS Req 11.4, NIST 800-115, Deep Prototype

PenTestFindings — Penetration-Test Tracker (CVSS + Retest)

28 findings from FY24 annual pen-test. Per finding: CVSS 3.1 base + vector, OWASP / CWE mapping, exploitability rating, evidence, our remediation, retest status. SLA clock per severity (critical 24h, high 7d, medium 30d, low 90d). 4 critical fixed in <2 weeks; 3 past SLA; 2 explicitly accepted as residual risk with documented rationale.


What it is

The artifact every security team builds in Excel and wishes they’d built once properly. 28 findings from a real-shape pen test. Per finding: CVSS vector, OWASP/CWE mapping, exploitability, evidence, our fix, retest status, SLA clock.

What’s in it

  • 28 findings spanning realistic OWASP Top-10 + OWASP API Top-10 categories:
    • A01 — IDOR cross-tenant order access; CSRF on admin actions; path traversal; OAuth open redirect
    • A02 — TLS pinning missing on mobile (RISK ACCEPTED for v3.x with documented mitigation)
    • A03 — SQL injection in admin search; stored XSS in support-ticket comments
    • A05 — verbose error messages with stack traces; subdomain takeover risk; XXE; HSTS missing
    • A06 — Log4j 2.14 (Log4Shell) on a Java microservice
    • A07 — weak password-reset token (Math.random); user enumeration via timing
    • A08 — Python pickle deserialization in ETL
    • A09 — insufficient logging on admin actions
    • A10 — SSRF via URL-fetcher tool reaching AWS metadata (highest-impact: CVSS 9.8, fixed in 12d)
    • API1 — IDOR + cross-tenant cache-key leak
    • API2 — JWT signature not verified on internal endpoints
    • API3 — sensitive data in URL query string (cross-references APIDocsLinter OD-005)
    • API4 — missing rate-limit (cross-references APIRateLimit EP01)
    • API6 — mass-assignment on POST /v1/customers
    • API9 — GraphQL introspection enabled in prod
  • Per-finding 9-field shape:
    • CVSS 3.1 base + vector breakdown
    • OWASP + CWE mapping
    • Days open + SLA-remaining countdown
    • Exploitability rating (easy / medium / difficult / passive)
    • Evidence (Burp screenshot reference, PoC commands)
    • Vendor-suggested remediation
    • Our remediation
    • Retest status (passed / in progress / risk accepted)
  • Critical findings — 4 critical (CVSS ≥9), all fixed within SLA. 3 past-SLA at high severity (CSRF, stored XSS, subdomain takeover). 2 risk-accepted with documented mitigation.

Why this shape

PCI-DSS v4.0 Req 11.4 mandates annual pen tests with documented remediation. SOC2 CC7.1 + ISO 27001 A.8.29 demand the same. The hardest finding to track properly: a high-CVSS bug in a mobile client where the fix requires a release cadence the team can’t compress. PenTestFindings prototypes the shape that handles that — RISK ACCEPTED with explicit mitigation + roadmap.

How it ships

Single HTML file, ~22KB. Zero dependencies. 28 findings × 9-field shape × CVSS-vector renderer + SLA-clock per severity in 220 lines of vanilla JavaScript.
