Pentest Expectations
2019-11-23, 13:00–13:40, Grammarly

What do pentesters look for, and what do customers wish to receive in their reports?
Examples of easy account compromise.

What do pentesters look for the rest of the project time?
Classic OWASP checklist.

What are pentesters tired of reporting but still have to?

What do we expect? A total compromise.
• Account Takeover
• Logic Bypass
• Remote Code Execution
• Easy Exploitation

What do we get? OWASP daily work.
• XSS
• CSRF
• Session Fixation
• IDOR
• Information Disclosure
• Unlimited Email Spam
• ARP poisoning
• Mountable NFS volumes

What are we bored of in the reports?
• Versions
• Ciphers
• Headers
• Checklists
• False Positives
• Automatic Reports

How to get an empty pentest report?