Create Test Finding

This document is intended for organizations that want to test their integrations in a non-prod environment. It includes detailed steps for populating an in-house pentest with fake findings for testing purposes.

Prerequisites

  • Cobalt staff have already created and set up a test organization for you. If not, please contact your customer success manager.

  • You have been invited to the test organization, accepted the invitation, and have an Owner role. This user will be referred to as the primary user throughout the rest of the document.

    ℹ️ The email address of this user will be referred to as the primary email.

    Verify primary user role

+1 email address trick

In this tutorial, we will explore the +1 email address trick to simulate multiple users within the Cobalt application.

The +1 email address trick is a syntax technique used to create multiple email addresses based on a single Gmail address. This trick involves appending a “+1” (or any combination of numbers and letters) to the local part of your Gmail address, before the “@” symbol.

For example, if your Gmail address is joeman@gmail.com, you can create a new email address by adding “+1” to the local part: joeman+1@gmail.com. For more comprehensive information about this functionality, please refer to the official Gmail blog here.

Limitations

⚠️ It’s important to note that the +1 email address trick is specific to Gmail and allows users to create aliases for better inbox organization. However, it may not be compatible with all email providers such as Hotmail, Outlook, or iCloud.
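As an added example (not part of the original page), the alias rules described above in a small helper: it builds the secondary addresses to invite, checks the tag and the provider limitation the page mentions, and maps an alias back to the primary inbox that receives its mail. The function names and the provider list are assumptions, not part of the Cobalt application.

```python
import re

# Assumption: the page confirms the +tag syntax for Gmail only, so that is the
# only provider this helper accepts. Others (Hotmail, Outlook, iCloud) may not
# deliver plus-addressed mail to the primary inbox.
PLUS_ADDRESS_DOMAINS = {"gmail.com"}

# The page allows "any combination of numbers and letters" after the "+".
TAG_RE = re.compile(r"[A-Za-z0-9]+")


def split_address(email: str) -> tuple[str, str]:
    """Split an address into (local part, lower-cased domain)."""
    local, sep, domain = email.strip().partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return local, domain.lower()


def plus_alias(primary_email: str, tag: str) -> str:
    """Insert '+tag' before the '@' of the primary address."""
    local, domain = split_address(primary_email)
    if domain not in PLUS_ADDRESS_DOMAINS:
        raise ValueError(f"{domain} is not known to support +tag aliases")
    if not TAG_RE.fullmatch(tag):
        raise ValueError(f"tag must be letters and digits only: {tag!r}")
    if "+" in local:
        raise ValueError("primary address already carries a +tag")
    return f"{local}+{tag}@{domain}"


def secondary_users(primary_email: str, count: int) -> list[str]:
    """Aliases +1, +2, ... to invite as additional test users."""
    return [plus_alias(primary_email, str(i)) for i in range(1, count + 1)]


def primary_of(alias: str) -> str:
    """Inbox that receives mail for an alias (the primary email)."""
    local, domain = split_address(alias)
    return f"{local.split('+', 1)[0]}@{domain}"
```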

Set up secondary user

  1. Log in to the Cobalt application with your primary user.

  2. Open the People page from the sidebar.

  3. Click on the Invite Users button.

    Invite a user

  4. Enter the email address of the secondary user using the +1 email address trick and click on Add or press Enter.

    Add secondary user

    ℹ️ Insert +1 before the @.

  5. Click on the Invite button.

    Invite secondary user

  6. Verify that the secondary user has been invited.

    Verify secondary user invited

    ℹ️ You may need to scroll down in the list of people in your organization.

  7. Check your primary email inbox for the invitation of the secondary user.

    Check invitation email

  8. Click on Get Started in the email.

    Get started with secondary user

  9. Set a new password for the new user and click Continue.

    Set password for secondary user

  10. Open a new browser window in incognito or private browsing mode.

  11. In the private browser window, navigate to https://app.us.cobalt.io to access the Cobalt application.

  12. Enter your secondary email address and click on Continue, then use the password you set for the secondary email address to log in to the application and click Continue again.

    Log in with secondary user

    🎉 You have successfully logged into Cobalt using your secondary user.

Create In-House Pentest (primary user)

  1. Using your primary user, open the Pentests page from the sidebar and click on Create Pentest.

    Create pentest

  2. Click on Get Started if you have not yet enabled the In-House Pentest Beta feature for your organization.

    Get started with In-House Pentests

    ℹ️ You can skip this step if the In-House Pentest Beta feature is already enabled for your organization.

  3. Click on Enter the Beta if you want to enable the In-House Pentest Beta feature.

    Enter In-House Pentests Beta

    ℹ️ You can skip this step if the In-House Pentest Beta feature is already enabled for your organization.

  4. Select the In-House Pentest type and asset you want to test, then click on Continue.

    In-House Pentests Beta Enabled

    Create In-House Pentest

    ℹ️ You can create a dedicated asset for testing purposes or use an existing one.

  5. No changes are required on the Asset page. You can proceed by clicking on Next.

    Rename In-House Pentest

    ℹ️ Changing the pentest name is optional but helps to distinguish test pentests from each other. To rename the pentest, click on the pencil icon next to the pentest name and confirm the change with Done.

  6. On the Requirements page, the following fields must be set:

    • Targets
    • Objectives
    • Technology stack

    Set targets

    Set objectives

    Set technology stack

    ℹ️ The input content is irrelevant.

  7. No changes are required on the Details page. Proceed by clicking on Next.

    Optional details

  8. Select the required Start and End dates on the Scope & Plan page, and click on Save & Exit to create the pentest.

    Configure plan

    ℹ️ You can check the I’m a point of contact for this pentest checkbox.

  9. The In-House pentest is in the Draft state. Click on Move to Planned.

    Pentest created

  10. Confirm it by clicking on Move to Planned in the modal dialog.

    Plan pentest

  11. Click on staff your in-house pentesters in the flash message to assign the secondary user to the pentest.

    Pentest planned

    ℹ️ Pentesters and collaborators can also be accessed and configured from the Collaborators tab. Select Pentests from the sidebar, select a pentest, then open the Collaborators tab.

  12. Click on the down-pointing triangle icon and select In-House Pentester.

    Add In-House pentester

  13. Set the secondary email as the input and click on the Add In-House Pentester button.

    Add secondary user to pentest

  14. Verify the secondary user is in the Collaborators list with the In-House Pentester role.

    Secondary user invited

    🎉 You have successfully created an in-house pentest and staffed the secondary user as a pentester.

Create Test Finding (secondary user)

ℹ️ The pentest must be live to submit findings.

  1. From the incognito browser window, open the previously created pentest and launch it by clicking on Launch Pentest.

    Launch pentest

  2. The pentest is now in the live state.

    Live pentest

  3. Click on Submit Finding.

    Submit finding

    The following information must be set to create a test finding:

    • Vulnerability type
    • Description
    • Proof of Concept
    • Severity
    • Suggested fix

    Set description

    Set proof of concept

    Set severity

    Set suggested fix

    ℹ️ The input content is irrelevant, but some validation constraints must be met. For example, the severity must contain at least 3 characters.

  4. Click on Submit for Triaging at the bottom of the page when all required info is set.

    Submit for triage

  5. The pentest finding is now in the Triaging state.

    ‘Triaging’ finding

  6. Change the finding state to Pending Fix from the State dropdown and submit the evaluation.

    Select ‘Pending Fix’ state

  7. Set the Likelihood, Business Impact, and Report Quality values by clicking on the circle icons, then click on the Submit evaluation button.

    Submit evaluation

  8. The pentest finding is now in the Pending Fix state.

    ‘Pending Fix’ finding

  9. See all pentest findings.

    In-House pentest findings

    🎉 You have successfully created a finding for the in-house pentest with the secondary user.

Working with the test findings (primary user)

  1. The findings created by the secondary user for the in-house pentest are visible to the primary user.

    New findings notification

    Review new finding

Last modified August 08, 2024