juliocesarfort / public-pentesting-reports Goto Github PK

View Code? Open in Web Editor NEW

8.2K 8.2K 1.9K 706.65 MB

A list of public penetration test reports published by several consulting firms and academic security groups.

C 1.93% Makefile 0.16% Shell 0.10% CSS 7.17% JavaScript 0.33% HTML 90.31%

public-pentesting-reports's People

Contributors

Stargazers

Watchers

Forkers

antonini lucabongiorni geezer-workshop jamesarlen-lsg kochergan alienwithin pentestify wflk yakar jofrep yashodhank cure53 djoffrey sopsmattw chrisukgit quikilr revengervn dmwoods38 burdzwastaken hackforce r--w titanous 0x13337 pereirasecteam olemoudi caoimhinp dipsec cji blark bupt007 aa2288207 kernux smallmeet pandada8 h1d3r idkwim l4inoday xkon sandeepl337 sagittarius-a stayliv3 0x24bin returnhere t0data cechu66 npc7 1ookup dsimun b1gw00d webshell520 tuian cerebralmischief beelives jamalmo sampr0 amotmot secwiki oneoneplus andrewbrooks bingtanguan sucof ethack thanatoskira hungnv0789 dpalecek ccavxx titan39 jumbo-wjb instruder songofhack key20 eniac888 lxghost bijaye jackhuyh dptechma r0zero hujian92 sharpsec aigangjingye brianluby exiahan psuedoelastic followmaster jilir rayankobz maciekit izogain osakaaa nj4c0b gitcollect micxu rolinston darenfy-zz zeusmk warrior1724 lu-chi sigma-random mk-z mpishu

public-pentesting-reports's Issues

Add Office of Inspector General report on the NASA Jet Propulsion Laboratory

https://oig.nasa.gov/docs/IG-19-022.pdf

Some great content in here!

More public pentest reports

Nice collection, thanks for putting this up!
Here is a couple of more: https://cure53.de/#publications

[Proposal] Organize documents according to the audit type

Hello,

first of all, thank you for doing this, it's very useful for learning!

I noticed that these reports all have different goals; some of them are code auditing reports, some are pentest reports, others are APT reports...

That's why I would suggest organizing the documents into specific folders according to their audit type. I think it would be easier to browse rather than by security companies.

Securitum - New public reports

Proton VPN no-logs security audit - https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf

Simple Login (Proton) - WEB - https://simplelogin.io/audit2022/web.pdf

Simple Login (Proton) - Android - https://simplelogin.io/audit2022/android.pdf

Livecall.io - WEB - https://sekurak.pl/wp-content/uploads/2020/06/Livecall_web_20200306_public.pdf

ProteGO Safe (Polish gov COVID app) - lang PL - https://www.gov.pl/web/protegosafe/audyt-bezpieczenstwa--zobacz-raport

CANAL + - lang PL - https://sekurak.pl/zobacz-pelen-nieocenzurowany-raport-z-testow-penetracyjnych-canal/

Report: Securitum - Eventory

https://cdn.sekurak.pl/eventory-sample-pentest-report.pdf

More pentest reports (Paragon Initiative Enterprises)

https://paragonie.com/security - So far we've published 6 of our audit reports. (I'm not sure how well Github handles pull requests that contain PDF files, but I can send one if you prefer.)

New reports

https://www.securityevaluators.com/hospitalhack/securing_hospitals.pdf
https://jhalderm.com/pub/papers/dcvoting-fc12.pdf

Illumio public assessment report to add to Bishop Fox folder

@juliocesarfort Would you mind taking a look at the Illumio assessment report below and let me know if you think it qualifies to be added to the Bishop Fox folder?

https://know.bishopfox.com/hubfs/Bishop-Fox-Research-Report-Efficacy-of-micro-segmentation-V01.pdf

Let me know what you think, Thank you.

Virginie

Should new submitted PRs include a metadata txt file along with the PDF report? The number of reports has grown as others have realized its value. However, it's impossible to quickly identify mobile-related reports for example.

Metadata.txt:
Name: name.pdf
Security Company: Foo
In-Scope Company: Bar
Pentest Date: DD/MM/YYYY
In-Scope: Service A, Service B, ...
Language: Scala
Metadata: Mobile, Android, ...

Volkis - Pentest report

Annoucement : https://twitter.com/volkisau/status/1662594681937461248

report : https://handbook.volkis.com.au/assets/doc/Volkis%20-%20Anonymous%20Client%20-%20Penetration%20Test%20May%202023.pdf

[Proposal] Add index with project names

Hi Julio,
good job.

It will help to have an index including the project names in the Readme.
Happy to give it a try if you agree

Regards
Jofre

More network pentest will be appreciate

Hi i think if you separate the reports in categories like wep app pen test report, network pen test report, etc.. it will be better... Cuz most of the visitors are coming here to see more Full Black Box Penetration Testing report than app audit or blockchain blabla audit... They want full sample/examples of a real complete pentesting engagement.. maybe im wrong..

Thank you.

National Cybersecurity Assessments and Technical Services (NCATS) Reports

https://www.us-cert.gov/sites/default/files/resources/ncats/CyHy-Sample-Report.pdf
https://www.us-cert.gov/sites/default/files/resources/ncats/Phishing-Campaign-Assessment-Sample-Report.pdf
https://www.us-cert.gov/sites/default/files/resources/ncats/RVA-Sample-Report.pdf

Joint Reports - How do we format?

This is bound to come up again but there's already some instances of this with the Kudelski Security - X41 reports.

Some suggestions on how to tackle this would be: A defined naming convention for this (which company first? Alphabetical or as it appears on the report?), or possibly a folder that is titled Joint Reports that then has folders inside.

Organize files by subject not author

I don't understand why the project uses the report author's organization for subdirectories? Why not subjects?

Libraries/Crypto
MobileApps
Hardware/Net
Hardware/IoT

If I want to find reports by a certain consulting company I can just go to their website. The same cannot be said if I want to find reports about domestic robots. If you actually "curated" the reports and organized them by subject you would add real value.

Bishop Fox - Executive Report

Unsure if this technically counts as public, but stumbled across it on a google for other public pentest reports:

http://wwwimages.adobe.com/content/dam/acom/en/products/coldfusion/pdfs/cf2016/CF2016_Security_Audit_Report.pdf

From a quick look, it seems to just be the executive summary, without any specific finding details.