Confidential
Northwind Community Health (Demo) Patient Notes Platform Penetration Test Final Report v1.0
This document is a fully synthetic example for training and blog publication. All data is fictional.
Document Information and Control
Information
| Field | Value |
|---|---|
| Document Type | Report |
| Project Name | Patient Notes Platform Penetration Test |
| File Name | NC-H-PatientNotes-Pentest-Final-v1.0.pdf |
Preparation
| Action | Name | Title | Contact Details |
|---|---|---|---|
| Prepared by | Jordan Hale | Senior Security Consultant | E: jordan.hale@example-security.test, P: +61 7 3000 1001 |
| Reviewed by | Priya Singh | Principal Security Consultant | E: priya.singh@example-security.test, P: +61 7 3000 1002 |
Revision History
| Version | Date | Remarks | Author |
|---|---|---|---|
| 0.1 | 02/02/2026 | Initial draft completed | JH |
| 0.2 | 04/02/2026 | QA review updates | PS |
| 1.0 | 06/02/2026 | Final report issued | JH |
Contact Details
| Contact Type | Name | Phone | Email |
|---|---|---|---|
| Business Development Manager | Morgan Lee | +61 7 3000 1010 | morgan.lee@example-security.test |
Distribution List
| Name | Title | Organization |
|---|---|---|
| Sam Carter | Head of Cyber Security | Northwind Community Health |
| Erin Walsh | Infrastructure Manager | Northwind Community Health |
Approvals List
| Name | Title | Organization |
|---|---|---|
| Jordan Hale | Senior Security Consultant | Example Security Pty Ltd |
Related Documents
| Name | Description |
|---|---|
| Penetration Test Statement of Work | Defines scope, constraints, and delivery assumptions |
| Rules of Engagement | Testing windows, emergency contacts, and exclusions |
Table of Contents
- 1 Executive Summary
  - 1.1 Overview
- 2 Remediation Action Plan
- 3 Suggested Remediation Plan
- 4 Assessment Information
  - 4.1 Scope of the Assessment
  - 4.2 Host Identification
  - 4.3 Assumptions
  - 4.4 Constraints
  - 4.5 Quoting
  - 4.6 Testing Locations
- 5 Detailed Findings
- A1 References
1 Executive Summary
1.1 Overview
Northwind Community Health engaged Example Security Pty Ltd to perform a targeted security assessment of the Patient Notes Platform web and infrastructure components.
Testing was performed between 27/01/2026 and 31/01/2026, with a limited retest on 05/02/2026.
The assessment identified eight vulnerabilities:
- 1 High
- 5 Medium
- 2 Low
The highest risk issue was a stored cross-site scripting vulnerability in the Notes module, which could allow credential theft or session hijack if exploited.
A full remediation matrix is provided in Section 2, and finding-by-finding technical details are provided in Section 5.
Business Risks
- Strategic Planning
- Delivery of Safe Services (Clinical)
- Service Availability
- Regulatory Compliance
- Reputation
Impact on Business Risks
Figure 1 (example): business risk ratings across identified domains.
Vulnerability Findings
Figure 2 (example): findings distribution by severity.
2 Remediation Action Plan
| Finding | Description | Severity Rating | Notes | Retest (Pass/Fail) |
|---|---|---|---|---|
| 1 | Stored Cross-Site Scripting in Clinical Notes | High (7.6) | Input handling fixed; output encoding added | Pass |
| 2 | Outdated Third-Party JavaScript Library | Medium (5.0) | Library upgraded in staging only | Fail |
| 3 | SMB Signing Not Required | Medium (4.8) | Group Policy updated on one host | Fail |
| 4 | TLS Weak Cipher Suites Enabled | Medium (4.6) | Legacy suites removed in production | Pass |
| 5 | SSL Certificate Chain Misconfiguration | Medium (4.4) | Intermediate cert added | Pass |
| 6 | Cookie Missing Secure Flag | Low (3.2) | Session cookie policy updated | Pass |
| 7 | Missing Security Headers | Low (2.8) | CSP and X-Content-Type-Options added | Pass |
| 8 | Excessive Error Detail in API Responses | Medium (4.1) | Generic error handling partially implemented | Fail |
3 Suggested Remediation Plan
The following findings are high severity or can be remediated quickly. These should be resolved within 30 days.
- Stored Cross-Site Scripting in Clinical Notes
- Cookie Missing Secure Flag
- Missing Security Headers
- Excessive Error Detail in API Responses
The following findings require planned remediation and change control. These should be resolved within 60 days.
- Outdated Third-Party JavaScript Library
- SMB Signing Not Required
- TLS Weak Cipher Suites Enabled
- SSL Certificate Chain Misconfiguration
4 Assessment Information
4.1 Scope of the Assessment
The engagement covered internet-exposed and selected internal assets that support the Patient Notes Platform, in line with the signed Statement of Work.
Objectives:
- identify exploitable security weaknesses,
- provide business-focused risk context, and
- provide practical remediation actions.
4.2 Host Identification
| Asset ID or IP | URL or Hostname | Operating System | Components |
|---|---|---|---|
| 203.0.113.21 | https://portal.northwind-demo.example | Linux | Nginx, Node.js |
| 198.51.100.34 | https://api.northwind-demo.example | Linux | API Gateway, .NET runtime |
| 192.0.2.18 | filesrv01.northwind-demo.local | Windows Server | SMB, IIS Management |
4.3 Assumptions
- No major production configuration changes occurred during testing without notice.
- Client-provided test accounts reflected standard user permissions.
- Compensating controls not visible to testers were considered out of scope unless documented.
4.4 Constraints
This assessment was limited to systems and services listed in Section 4.2.
Out of scope:
- Denial of Service testing
- Social engineering
- Source code review
- Physical security testing
4.5 Quoting
This report is valid only within the context of this specific engagement and should be quoted in full, not as isolated excerpts.
4.6 Testing Locations
| Location | Utilized in Current Assessment | Reason for Exclusion | Date and Times |
|---|---|---|---|
| External (Remote) | Yes | N/A | 27/01/2026 to 31/01/2026 |
| DMZ Network | Yes | N/A | 29/01/2026 |
| Wireless (Wi-Fi) | No | Not in scope | N/A |
| Internal (On-premises) | Yes | N/A | 30/01/2026 |
5 Detailed Findings
Scoring guide used in this example:
- 9.0 to 10.0: Critical
- 7.0 to 8.9: High
- 4.0 to 6.9: Medium
- 0.1 to 3.9: Low
- 0.0: Information only
Finding 1 Stored Cross-Site Scripting in Clinical Notes
- Base Score: 8.2
- Environmental Score: 7.6
- Severity: High
Affected Hosts or URLs
Overview
User-supplied note content was rendered as active HTML/JavaScript in the browser, enabling persistent XSS.
Proof
Script payload entered by a standard user account was stored and executed when an administrator viewed the note.
Remediation
- Apply strict server-side input validation.
- Perform context-aware output encoding.
- Add Content Security Policy with restrictive script sources.
References
- OWASP Cross Site Scripting Prevention Cheat Sheet
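The rendering defect behind this finding, beside its hardened form, as an added example in Node.js-style JavaScript. This is not code from the original report or from the platform; the note structure, the function names and the sample note are constructed for the example. It shows the two remediation items that live in application code: server-side input validation and context-aware output encoding for the HTML element body (attribute, URL and JavaScript contexts need their own encoders).

```javascript
// Added example for Finding 1 (not code from the original report): the
// rendering defect behind a stored XSS beside a hardened version. The note
// structure, function names and sample note are constructed for this example.

// Vulnerable pattern: note fields are concatenated straight into HTML, so any
// markup saved in the note body is interpreted by the viewing browser.
function renderNoteVulnerable(note) {
  return '<div class="note"><h3>' + note.title + '</h3><p>' + note.body + '</p></div>';
}

// Output encoder for the HTML element-body context. Each character that can
// open or alter markup is replaced by its entity, so the browser shows it as
// text. Attribute, URL and JavaScript contexts need their own encoders; this
// one must not be reused there.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Server-side input validation: enforce type, length and the absence of
// control characters before the note is stored. It deliberately does not try
// to strip tags; encoding at output time is what prevents the XSS.
function validateNote(note) {
  const errors = [];
  for (const field of ['title', 'body']) {
    const v = note[field];
    if (typeof v !== 'string') errors.push(field + ': must be a string');
    else if (v.length === 0 || v.length > 4000) errors.push(field + ': length must be 1-4000');
    else if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(v)) errors.push(field + ': control characters not allowed');
  }
  return errors;
}

// Hardened rendering: same template, but every user-controlled value is
// encoded for the context it lands in.
function renderNoteSafe(note) {
  return '<div class="note"><h3>' + encodeForHtml(note.title) + '</h3><p>' + encodeForHtml(note.body) + '</p></div>';
}

// Constructed sample: a note whose body carries a script tag, the shape of
// content the finding describes being stored and later executed.
const SAMPLE_NOTE = { title: 'Follow-up visit', body: 'BP stable. <script>alert(1)</script>' };

// Usage: validateNote(SAMPLE_NOTE) returns [] (the text is legal input);
// renderNoteSafe(SAMPLE_NOTE) contains '&lt;script&gt;' rather than '<script>'.
```

The validator accepting the sample is intentional: clinical text may legitimately contain angle brackets, so the encoder, not the validator, is the control that stops markup from executing. The third remediation item, a restrictive Content Security Policy, is a response-header concern and sits with the header baseline rather than in the renderer.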
Finding 2 Outdated Third-Party JavaScript Library
- Base Score: 5.4
- Environmental Score: 5.0
- Severity: Medium
Affected Hosts or URLs
Overview
A legacy JavaScript library version with known vulnerabilities was detected.
Proof
Static asset fingerprint matched a vulnerable release branch.
Remediation
- Upgrade to current stable version.
- Implement Software Bill of Materials and dependency monitoring.
References
- OWASP Dependency-Check
Finding 3 SMB Signing Not Required
- Base Score: 5.1
- Environmental Score: 4.8
- Severity: Medium
Affected Hosts or URLs
- 192.0.2.18 (445/tcp)
Overview
SMB signing was enabled but not enforced, allowing potential relay attack conditions in internal networks.
Proof
Protocol negotiation showed optional message signing.
Remediation
- Enforce SMB signing via Group Policy.
- Disable NTLM where feasible.
References
- Microsoft SMB security guidance
Finding 4 TLS Weak Cipher Suites Enabled
- Base Score: 4.9
- Environmental Score: 4.6
- Severity: Medium
Affected Hosts or URLs
- portal.northwind-demo.example (443/tcp)
Overview
Server accepted weak legacy cipher suites that reduce transport security.
Proof
TLS scan identified CBC/3DES-compatible fallback suites.
Remediation
- Restrict TLS policy to modern cipher suites.
- Disable TLS 1.0 and TLS 1.1.
References
- Mozilla SSL Configuration Guidelines
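As an added example (not code from the original report or from the scanner used in the engagement), the triage a reviewer would apply to a scanner's list of accepted protocols and suites, beside the Node.js `tls` options that enforce the remediation. The `minVersion`, `honorCipherOrder` and `ciphers` option names are part of Node's `tls` API; the scan result and the suite classification rules are constructed for this example.

```javascript
// Added example for Finding 4 (not code from the original report): triage of
// a scanner's accepted-suite list against the remediation goals (AEAD modes,
// forward secrecy, TLS 1.2+), beside a Node.js TLS option set that enforces
// them. The scan result below is constructed.

// Classify one OpenSSL-style suite name. TLS 1.3 suites (TLS_...) are always
// AEAD with ephemeral key exchange, so they pass outright.
function classifySuite(name) {
  if (/^TLS_(AES|CHACHA20)/.test(name)) return { name, ok: true, reason: 'TLS 1.3 suite' };
  const reasons = [];
  if (/NULL|EXPORT|RC4|DES|MD5|^A(DH|ECDH)-/.test(name)) reasons.push('legacy or anonymous algorithm');
  if (!/GCM|CHACHA20|CCM/.test(name)) reasons.push('no AEAD mode (CBC with separate MAC)');
  if (!/^(ECDHE|DHE)-/.test(name)) reasons.push('no forward secrecy (static RSA key exchange)');
  return { name, ok: reasons.length === 0, reason: reasons.join('; ') };
}

// Triage a full scan: the protocols and suites the server accepted.
function triageTlsScan(scan) {
  const weakProtocols = scan.protocols.filter((p) => ['SSLv3', 'TLSv1', 'TLSv1.1'].includes(p));
  const suites = scan.suites.map(classifySuite);
  return {
    weakProtocols,
    weakSuites: suites.filter((s) => !s.ok),
    acceptableSuites: suites.filter((s) => s.ok),
  };
}

// Hardened options for Node's https.createServer / tls.createServer. Key and
// cert are supplied by the deployment, not here. TLS 1.3 suites are not
// controlled by `ciphers` in Node and remain enabled.
function hardenedTlsOptions() {
  return {
    minVersion: 'TLSv1.2',
    honorCipherOrder: true,
    ciphers: [
      'ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES256-GCM-SHA384',
      'ECDHE-ECDSA-CHACHA20-POLY1305', 'ECDHE-RSA-CHACHA20-POLY1305',
      'ECDHE-ECDSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES128-GCM-SHA256',
    ].join(':'),
  };
}

// Constructed scan result in the shape the finding describes: legacy
// protocols still enabled and CBC/3DES fallback suites beside modern ones.
const SAMPLE_SCAN = {
  protocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'],
  suites: [
    'TLS_AES_256_GCM_SHA384',
    'ECDHE-RSA-AES128-GCM-SHA256',
    'ECDHE-RSA-AES256-SHA384',
    'AES128-SHA',
    'ECDHE-RSA-DES-CBC3-SHA',
  ],
};

// Usage: triageTlsScan(SAMPLE_SCAN) flags TLSv1 and TLSv1.1 plus the three
// non-AEAD suites; every suite in hardenedTlsOptions() classifies as ok.
```

Running the hardened option set back through the classifier is the useful self-check: a policy that the triage rules would still flag has not actually met the remediation.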
Finding 5 SSL Certificate Chain Misconfiguration
- Base Score: 4.6
- Environmental Score: 4.4
- Severity: Medium
Affected Hosts or URLs
- api.northwind-demo.example (443/tcp)
Overview
Intermediate certificate was not consistently presented, causing trust warnings in some clients.
Proof
Certificate chain validation failed in multiple TLS client checks.
Remediation
- Install full certificate chain.
- Validate with independent SSL testing tools after deployment.
References
- CAB Forum Baseline Requirements
Finding 6 Cookie Missing Secure Flag
- Base Score: 3.6
- Environmental Score: 3.2
- Severity: Low
Affected Hosts or URLs
Overview
Session-related cookie was missing the Secure attribute.
Proof
Set-Cookie response header did not include Secure.
Remediation
- Set Secure, HttpOnly, and SameSite appropriately on all session cookies.
References
- OWASP Secure Cookie Attribute
Finding 7 Missing Security Headers
- Base Score: 3.1
- Environmental Score: 2.8
- Severity: Low
Affected Hosts or URLs
Overview
Responses were missing key hardening headers such as CSP and X-Content-Type-Options.
Proof
Header inspection from multiple routes confirmed missing values.
Remediation
- Configure a baseline security header policy at reverse proxy level.
- Tune CSP iteratively to avoid breaking legitimate functionality.
References
- OWASP HTTP Security Response Headers Cheat Sheet
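Findings 6 and 7 are both verified by inspecting response headers, so one added example serves both: a check that reports which session-cookie attributes and which baseline hardening headers are missing, beside the values the application or reverse proxy should emit. This is not code from the original report; the header names are standard HTTP, while the baseline values, the cookie name and the sample response are constructed for the example.

```javascript
// Added example for Findings 6 and 7 (not code from the original report):
// audit a Set-Cookie value for Secure/HttpOnly/SameSite and a response for
// baseline hardening headers, beside compliant values. Baseline values and
// the sample response are constructed.

// Parse a Set-Cookie header value into its name=value pair and attributes.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(';').map((s) => s.trim());
  const attributes = {};
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    attributes[key] = eq === -1 ? true : attr.slice(eq + 1);
  }
  return { name: pair.split('=')[0], attributes };
}

// Report which session-cookie protections are missing (Finding 6).
function auditSetCookie(value) {
  const { name, attributes } = parseSetCookie(value);
  const missing = [];
  if (!attributes.secure) missing.push('Secure');
  if (!attributes.httponly) missing.push('HttpOnly');
  const ss = String(attributes.samesite || '').toLowerCase();
  if (ss !== 'lax' && ss !== 'strict') missing.push('SameSite=Lax|Strict');
  return { name, missing };
}

// Build a compliant session cookie. The __Host- prefix additionally makes
// browsers require Secure and Path=/ with no Domain attribute.
function buildSessionCookie(value, maxAgeSeconds) {
  return '__Host-session=' + encodeURIComponent(value) +
    '; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=' + maxAgeSeconds;
}

// Baseline security headers to apply at the reverse proxy (Finding 7). The
// CSP is a starting point to be tuned per application, as the remediation
// notes; frame-ancestors and base-uri close common bypass routes.
const BASELINE_HEADERS = {
  'content-security-policy': "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'referrer-policy': 'no-referrer',
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
};

// Return the baseline headers absent from a response. Header names compare
// case-insensitively, as HTTP requires.
function auditSecurityHeaders(headers) {
  const present = new Set(Object.keys(headers).map((h) => h.toLowerCase()));
  return Object.keys(BASELINE_HEADERS).filter((h) => !present.has(h));
}

// Constructed response headers resembling what the two findings describe.
const SAMPLE_RESPONSE_HEADERS = {
  'Content-Type': 'application/json',
  'Set-Cookie': 'session=abc123; Path=/; HttpOnly',
  'X-Frame-Options': 'DENY',
};

// Usage: auditSetCookie(SAMPLE_RESPONSE_HEADERS['Set-Cookie']).missing is
// ['Secure', 'SameSite=Lax|Strict']; auditSecurityHeaders(SAMPLE_RESPONSE_HEADERS)
// lists the four baseline headers the sample lacks.
```

The audit functions are the retest: run them against the live response once the proxy policy and cookie settings are deployed, and the finding is closed only when both return empty lists.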
Finding 8 Excessive Error Detail in API Responses
- Base Score: 4.4
- Environmental Score: 4.1
- Severity: Medium
Affected Hosts or URLs
Overview
Unhandled exceptions exposed stack-trace fragments and internal component names.
Proof
Malformed requests returned verbose framework and module details.
Remediation
- Replace verbose exception output with generic error responses.
- Log technical details server-side only.
References
- CWE-209: Information Exposure Through an Error Message
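The remediation for this finding in code form, as an added example that is not from the original report or the platform's API: an error-shaping function that returns a generic body to the client while the full exception, stack trace included, is written only to the server-side log under a request id. The error classes, the logger interface and the sample exception are constructed for the example.

```javascript
// Added example for Finding 8 (not code from the original report): a
// response-shaping function that returns a generic error body to the client
// and writes the full detail only to the server-side log. Error classes, the
// logger interface and the sample exception are constructed.

class NotFoundError extends Error {}
class ValidationError extends Error {}

// Map known application errors to client-safe statuses; everything else is an
// internal error with no detail exposed. requestId is whatever correlation id
// the web framework already assigns to the request.
function toClientError(err, requestId, log) {
  let status = 500;
  let message = 'An internal error occurred.';
  if (err instanceof NotFoundError) { status = 404; message = 'Resource not found.'; }
  else if (err instanceof ValidationError) { status = 400; message = 'Request was invalid.'; }

  // Full detail stays server-side, keyed by the request id so support staff
  // can correlate a client's report with the log entry.
  log({
    level: status >= 500 ? 'error' : 'warn',
    requestId,
    errorType: err.constructor.name,
    message: err.message,
    stack: err.stack,
  });

  return { status, body: { error: message, requestId } };
}

// The 'before' pattern the finding describes, kept for contrast: the error
// object is handed straight to the serializer, so message and stack leak.
function toClientErrorVerbose(err) {
  return { status: 500, body: { error: err.message, stack: err.stack } };
}

// In-memory logger so the example runs stand-alone; a real deployment would
// pass the application's structured logger here.
function makeMemoryLog() {
  const entries = [];
  const log = (entry) => entries.push(entry);
  return { log, entries };
}

// Usage: given a TypeError from a malformed request, toClientError returns
// status 500 with body { error: 'An internal error occurred.', requestId },
// and the log entry carries the type, message and stack.
```

Two things make this more than a string swap: the mapping from error class to status keeps client-visible behaviour useful for legitimate callers, and the request id in both the body and the log entry is what lets a support team recover the detail without the response carrying it.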
A1 References
Terms and Abbreviations
| Term | Definition |
|---|---|
| CVE | Common Vulnerabilities and Exposures |
| CVSS | Common Vulnerability Scoring System |
| CSP | Content Security Policy |
| SMB | Server Message Block |
| TLS | Transport Layer Security |
| XSS | Cross-Site Scripting |
Vulnerability Reference Information
| Document Title | Document Location |
|---|---|
| OWASP | https://owasp.org |
| MITRE CWE | https://cwe.mitre.org |
| MITRE CVE | https://www.cve.org |
| NIST NVD | https://nvd.nist.gov |