Interpreting Findings
Anatomy of a Finding
Every finding in a TurboPentest report contains a structured set of fields designed to tell you exactly what was found, how severe it is, how it maps to industry standards, and what to do about it. Understanding these fields is essential for effective prioritization and remediation.
A finding includes: a title describing the vulnerability, a severity level, a CVSS score and vector string, a CWE identifier, an OWASP Top 10 category mapping, the affected URL or endpoint, a detailed description, proof-of-concept exploit details, remediation guidance, and a Docker retest command. Some findings also include CVE identifiers when the vulnerability matches a known published CVE.
Severity Levels
TurboPentest uses five severity levels, aligned with industry conventions:
Critical — Vulnerabilities that allow immediate, unauthenticated compromise of the target. Examples include remote code execution (RCE), SQL injection with data exfiltration, and authentication bypass to admin panels. Critical findings demand immediate attention; an attacker can exploit them right now with significant impact.
High — Vulnerabilities with serious impact that may require some conditions to exploit. Examples include stored cross-site scripting (XSS) in sensitive contexts, server-side request forgery (SSRF) with internal network access, and insecure direct object references (IDOR) exposing other users' data. High findings should be addressed in your next sprint.
Medium — Vulnerabilities with moderate impact or that require significant attacker effort. Examples include reflected XSS, missing security headers that enable attacks, information disclosure of internal paths or versions, and TLS configuration weaknesses. Medium findings should be scheduled for remediation within a reasonable timeframe.
Low — Vulnerabilities with minor security impact. Examples include verbose error messages, missing non-critical headers, and directory listings of non-sensitive paths. Low findings improve security hygiene but are unlikely to lead to compromise on their own.
Info — Informational observations that are not vulnerabilities but provide useful security context. Examples include technology stack detection, open ports running expected services, and security header presence confirmations. Info findings help you understand your attack surface.
CVSS Scoring
Each finding includes a CVSS (Common Vulnerability Scoring System) score from 0.0 to 10.0 and a CVSS vector string that breaks down how the score was calculated. TurboPentest uses CVSS v3.1, which evaluates vulnerabilities across eight metrics:
Attack Vector (AV) — How the attacker reaches the vulnerable component: Network (N), Adjacent (A), Local (L), or Physical (P). Most web findings are Network.
Attack Complexity (AC) — Conditions beyond the attacker's control: Low (L) means reproducible every time; High (H) means race conditions, specific configurations, or other factors are required.
Privileges Required (PR) — Authentication level needed: None (N), Low (L) for a regular user account, or High (H) for admin-level access.
User Interaction (UI) — Whether a victim must take action: None (N) means the attacker acts alone; Required (R) means the victim must click a link or visit a page.
Scope (S) — Whether the vulnerability impacts components beyond its security authority: Unchanged (U) or Changed (C). XSS has Changed scope because it executes in the victim's browser, crossing the server-client boundary.
Confidentiality (C), Integrity (I), Availability (A) — The impact on each security pillar, rated None (N), Low (L), or High (H).
A vector string like CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H describes a network-accessible, low-complexity, no-auth, no-interaction vulnerability with high impact across all three pillars — a textbook critical finding scoring 9.8.
Understanding the vector string is more important than memorizing the numeric score. Two findings can both score 7.5 but have very different vectors: one requiring authentication, the other requiring user interaction. The vector tells you the real-world exploitation conditions.
CWE Categories
CWE (Common Weakness Enumeration) identifiers classify the type of vulnerability. Each finding's cweId field maps to a specific weakness type in the MITRE CWE database. Key CWE categories you will encounter in TurboPentest reports include:
- CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting)
- CWE-89: Improper Neutralization of Special Elements Used in an SQL Command (SQL Injection)
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
- CWE-918: Server-Side Request Forgery (SSRF)
- CWE-287: Improper Authentication
- CWE-862: Missing Authorization
- CWE-200: Exposure of Sensitive Information
- CWE-326: Inadequate Encryption Strength
- CWE-502: Deserialization of Untrusted Data
CWE identifiers are useful for categorizing and trending vulnerabilities across pentests. If your reports consistently show CWE-79 findings, that signals a systemic input validation gap in your development process.
OWASP Top 10 Mapping
Every finding maps to an OWASP Top 10 (2021) category through the owaspCategory field. This mapping helps organizations that use OWASP as their security framework for risk management and compliance:
- A01: Broken Access Control — IDOR, privilege escalation, missing authorization
- A02: Cryptographic Failures — Weak TLS, exposed credentials, inadequate encryption
- A03: Injection — SQL injection, command injection, LDAP injection, XSS
- A04: Insecure Design — Business logic flaws, missing rate limiting, race conditions
- A05: Security Misconfiguration — Default credentials, unnecessary features, verbose errors
- A06: Vulnerable and Outdated Components — Known CVEs in libraries and frameworks
- A07: Identification and Authentication Failures — Weak passwords, missing MFA, session issues
- A08: Software and Data Integrity Failures — Insecure deserialization, unsigned updates
- A09: Security Logging and Monitoring Failures — Missing audit logs, unmonitored events
- A10: Server-Side Request Forgery — SSRF allowing internal network access
Prioritization Strategy
When reading a TurboPentest report, combine severity, CVSS vector, and OWASP mapping for effective prioritization:
- Address critical findings immediately — These represent active, exploitable risk
- Review CVSS vectors for high findings — Prioritize those with PR:N (no auth needed) and UI:N (no user interaction)
- Use CWE trends to identify systemic issues — Repeated CWE categories indicate process gaps
- Map to OWASP for compliance reporting — OWASP categories help communicate risk to non-technical stakeholders
- Consider finding context — A medium-severity finding on an admin panel may matter more than a high-severity finding on a test endpoint