How to report related findings in a pentest report
I am running a pentest on a web application, and I detected a vulnerability but I am not sure how to report it. I am confused if I should split it or document it as 1 finding. I will explain below.
So the finding is, a JWT token with large TTL value(finding 1 ) that is being saved in the browser local storage(finding 2), and and XSS script in one of the urls (finding 3). The combination of these 3 findings helped me do an exploit, the exploit requires the user to click on a link and sign in, and then the JWT Token of the user is sent to a remote server.
If I want to report all this, what is the best approach? Shall I report 3 findings + 1 poc? Or 1 finding and 1 poc? or ? And is the poc considered a finding here or it is just an exploit of the vulnerabilities detected?
