Andrew follows a three-point checklist for writing reproduction-steps in the pentest reports. May be you will find them helpful.

1 - Use Browser Dev Tools

The purpose of the reproduction-steps is for a developer to reproduce the vulnerability. It is not “how pentester found the vulnerability?”, or “how you can find the issue using a DAST/SAST scanner?”. Developers usually don't have access to paid tools like Burp Suite Pro, Veracode, or Nessus. Sometimes their work laptops are so restricted that they can't even install free tools like OWASP ZAP, Fiddler, or Nmap.

If you can write reproduction steps using browser-dev tools, you can enable developers to reproduce the vulnerability on their own. Here is a guide on using browser-dev tools to perform basic security-checks on web-applications - getmantra.com/web-app-security-testing-with-browsers/ .

2 - Provide cURL!

If you can provide a cURL command to reproduce the vulnerability, you can enable QA testers to write security-tests.

3 - Use POSTMan

Web developers usually have access to tools like POSTMan or Insomnia. If you can provide reproduction-steps as a POSTMan collection, you can enable developers to reproduce the vulnerability on their own.