Create Test Finding
Prerequisites
-
Cobalt staff have already created and set up a test organization for you. If not, please contact your customer success manager.
-
You have been invited to the test organization, accepted the invitation, and have an Owner role. This user will be referred to as the primary user throughout the rest of the document.
ℹ️ The email address of this user will be referred to as the primary email.
+1 email address trick
In this tutorial, we will explore the +1 email address trick to simulate multiple users within the Cobalt application.
The +1 email address trick is plus addressing (also called subaddressing): Gmail delivers mail sent to local+tag@gmail.com to the local@gmail.com mailbox, so you can derive many distinct-looking addresses from a single Gmail account. The tag is appended to the local part of your address with a “+”, before the “@” symbol; “1” is simply the tag used in this tutorial, and any combination of letters and digits works.
For example, if your Gmail address is joeman@gmail.com, you can create a new email address by adding “+1” to the local part: joeman+1@gmail.com. Mail sent to either address arrives in the same inbox. For more comprehensive information about this functionality, please refer to the official Gmail blog post on the feature.
Limitations
⚠️ The +1 email address trick only works if the mail provider supports plus addressing. Gmail does, and presents it as a way to create aliases for better inbox organization, but other providers such as Hotmail, Outlook, or iCloud may not deliver plus-addressed mail to your inbox, so send yourself a test message before inviting users with an alias. Also keep in mind that the application treats each alias as a separate user account while every email it sends to those users, including invitations, lands in the single primary inbox, so whoever controls that inbox controls all of the simulated users.
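To make the aliasing rules concrete, here is an added Python example (not Cobalt's code, and not taken from the Gmail documentation) that generates numbered aliases for a base address and checks that they are distinct strings to an application while still resolving to one mailbox. The Gmail dot and letter-case rules and the googlemail.com equivalence are Gmail's documented behaviour; that any other provider honours the +tag at all is an assumption the code states explicitly, and the addresses used are the tutorial's joeman example plus constructed ones.

```python
import re

# Characters RFC 5322 allows in an unquoted local part (dots handled separately).
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
_LOCAL_RE = re.compile(rf"^{_ATEXT}+(?:\.{_ATEXT}+)*$")

# Domains where dots and letter case in the local part are ignored and
# googlemail.com delivers to the same mailbox as gmail.com (Gmail behaviour).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def split_address(address: str) -> tuple[str, str]:
    """Split a plain address into (local part, lower-cased domain).

    Rejects anything that is not a single unquoted address, so a typo such as
    'joeman+1@@gmail.com' fails here instead of at invitation time.
    """
    if address.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {address!r}")
    local, domain = address.split("@")
    if not local or not domain or "." not in domain or not _LOCAL_RE.fullmatch(local):
        raise ValueError(f"invalid address {address!r}")
    return local, domain.lower()


def make_alias(address: str, tag: str) -> str:
    """Return local+tag@domain for a single alphanumeric tag.

    Any existing tag is stripped first, so aliasing 'joeman+1@gmail.com' with
    tag '2' yields 'joeman+2@gmail.com' rather than 'joeman+1+2@gmail.com'.
    """
    if not re.fullmatch(r"[A-Za-z0-9]+", tag):
        raise ValueError(f"tag {tag!r} must be alphanumeric")
    local, domain = split_address(address)
    base = local.split("+", 1)[0]
    return f"{base}+{tag}@{domain}"


def make_aliases(address: str, count: int, prefix: str = "") -> list[str]:
    """Numbered aliases joeman+1@..., joeman+2@..., one per simulated user."""
    return [make_alias(address, f"{prefix}{i}") for i in range(1, count + 1)]


def canonical_mailbox(address: str) -> str:
    """Reduce an address to the mailbox that actually receives it.

    Assumption: the provider implements subaddressing, so the '+tag' is dropped.
    For Gmail domains, dots and letter case in the local part are also ignored
    and googlemail.com is folded into gmail.com (documented Gmail behaviour).
    """
    local, domain = split_address(address)
    local = local.split("+", 1)[0]
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "").lower()
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when both addresses deliver to the same inbox under the rules above."""
    return canonical_mailbox(a) == canonical_mailbox(b)


def check_simulated_users(primary: str, aliases: list[str]) -> bool:
    """True when every alias is a distinct account to the application (distinct
    strings, compared case-insensitively) but all still deliver to the primary
    user's inbox, which is exactly what this tutorial relies on."""
    addresses = [primary, *aliases]
    distinct_accounts = len({a.lower() for a in addresses}) == len(addresses)
    one_inbox = all(same_mailbox(primary, a) for a in aliases)
    return distinct_accounts and one_inbox
```

Run `check_simulated_users("joeman@gmail.com", make_aliases("joeman@gmail.com", 3))` before inviting anyone; if your base address is not on a Gmail domain, the `canonical_mailbox` result only reflects the stated assumption that the provider strips the tag, which the test message suggested above verifies.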
Set up secondary user
-
Log in to the Cobalt application with your primary user.
-
Open the People page from the sidebar.
-
Click on the Invite Users button.
-
Enter the email address of the secondary user using the +1 email address trick and click on Add or press Enter.
ℹ️ Insert +1 before the @, for example joeman+1@gmail.com.
-
Click on the Invite button.
-
Verify that the secondary user has been invited.
ℹ️ You may need to scroll down in the list of people in your organization.
-
Check your primary email inbox for the invitation of the secondary user.
-
Click on Get Started in the email.
-
Set a new password for the new user and click Continue.
-
Open a new browser window in incognito or private browsing mode.
-
In the private browser window, navigate to https://app.us.cobalt.io to access the Cobalt application.
-
Enter your secondary email address and click on Continue, then enter the password you set for the secondary user and click on Continue again to log in to the application.
🎉 You have successfully logged into Cobalt using your secondary user.
Create In-House Pentest (primary user)
-
Using your primary user, open the Pentests page from the sidebar and click on Create Pentest.
-
Click on Get Started if you have not yet enabled the In-House Pentest Beta feature for your organization.
ℹ️ You can skip this step if the In-House Pentest Beta feature is already enabled for your organization.
-
Click on Enter the Beta if you want to enable the In-House Pentest Beta feature.
ℹ️ You can skip this step if the In-House Pentest Beta feature is already enabled for your organization.
-
Select the In-House Pentest type and asset you want to test, then click on Continue.
ℹ️ You can create a dedicated asset for testing purposes or use an existing one.
-
No changes are required on the Asset page. You can proceed by clicking on Next.
ℹ️ Changing the pentest name is optional but helps to distinguish test pentests from each other. To rename the pentest, click on the pencil icon next to the pentest name and confirm the change with Done.
-
On the Requirements page, the following fields must be set:
- Targets
- Objectives
- Technology stack
ℹ️ The content you enter is irrelevant for a test pentest.
-
No changes are required on the Details page. Proceed by clicking on Next.
-
Select the required Start and End dates on the Scope & Plan page, and click on Save & Exit to create the pentest.
ℹ️️ You can check the I’m a point of contact for this pentest checkbox.
-
The In-House pentest is in the Draft state. Click on Move to Planned.
-
Confirm it by clicking on Move to Planned in the modal dialog.
-
Click on staff your in-house pentesters in the flash message to assign the secondary user to the pentest.
ℹ️️ Pentesters and collaborators can also be accessed and configured from the Collaborators tab. Select Pentests from the sidebar, select a pentest, then open the Collaborators tab.
-
Click on the down-pointing triangle (▼) and select In-House Pentester.
-
Set the secondary email as the input and click on the Add In-House Pentester button.
-
Verify the secondary user is in the Collaborators list with the In-House Pentester role.
🎉 You have successfully created an in-house pentest and staffed the secondary user as a pentester.
Create Test Finding (secondary user)
ℹ️️ The pentest must be live to submit findings.
-
From the incognito browser window, open the previously created pentest and launch it by clicking on Launch Pentest.
-
The pentest is now in the Live state.
-
Click on Submit Finding.
The following information must be set to create a test finding:
- Vulnerability type
- Description
- Proof of Concept
- Severity
- Suggested fix
ℹ️ The content you enter is irrelevant for a test finding, but the form's validation constraints must still be satisfied. For example, the severity must contain at least 3 characters.
-
Click on Submit for Triaging at the bottom of the page when all required info is set.
-
The pentest finding is now in the Triaging state.
-
Change the finding state to Pending Fix from the State dropdown.
-
Set the Likelihood, Business Impact, and Report Quality values by clicking on the circles (●), then click on the Submit evaluation button.
-
The pentest finding is now in the Pending Fix state.
-
View the findings list to see all findings for the pentest.
🎉 You have successfully created a finding for the in-house pentest with the secondary user.
Working with the test findings (primary user)
-
The findings created by the secondary user for the in-house pentest are visible to the primary user.