Understanding Application Scanning results

We’re aware it’s important to not only find vulnerabilities in your attack surface, but also provide the best possible information to allow you to resolve these issues. Depending on the severity, you may want to start fixing instantly once we find a vulnerability.

You can find all your vulnerabilities under Vulnerabilities in the Detectify tool, whether they are found by Application Scanning or Surface Monitoring. For Application Scanning, it’s also possible to review the results of each scan that ran. Results are presented in the form of reports. Each report has a list of findings, that is either a vulnerability, or additional information about the scan, such as the list of crawled URLs. Findings are classified by severity, which is based on the CVSS score of the finding.

You can see the results by selecting the name or last scan of the Scan Profile in Scan Management. Under Scan Profile results, you will find 3 tabs.

Findings list

Here you can see the findings of a scan grouped by category and color coded by severity. You can also see, which findings are new (were found the first time in this scan), and the number of findings in the group. Use the menu items to sort or filter the list. Selecting a group expands it to show information on the group, and list the individual findings by location including their tags

As we instantly report vulnerabilities as soon as we find them, you may see the list changing if you are looking at the report of a scan that is still running.

You are able to export selected findings so you can forward them to colleagues, partners or customers to PDF, JSON or XML format, or share via Trello or integrations.

Selecting “view finding” brings you to the finding page, that provides you with extensive information, for example

  • Request & response holds the HTTP request we sent out, and the HTTP response we received from the web application.

  • Details provide additional information, such as what we are basing the finding on. Depending on the finding type, you might see a code snippet, screenshots, or other information. In the example below, you can see the highlighted text.

  • References to online resources from Detectify and other sources that help you to understand and resolve the issue.

 

OWASP top 10

The worldwide non-profit organization Open Web Application Security Project (OWASP)’s list of the ten most common vulnerabilities, known as OWASP Top 10, is often used as a security standard. Here you can see which categories your web application passed or failed in the scan. If the category has findings, you can select the findings for that specific category.  You can find more information about OWASP top 10 in our blog.

Reports & Activity log

Here you can see the list of all existing reports for the Scan Profile in the past. Reports are listed until they are removed, which you can specify using report lifespan. For each report, you can see the threat score, and the number of findings for different levels of severity.