Vulnerability Details Report - Site

The Vulnerability Details Report includes a detailed description of the vulnerabilities found in each site selected for this report, grouped by category. For reference it includes the code snippets associated with the vulnerabilities along with appropriate remediation instructions, followed by a list of the specific instances of that vulnerability found in the application code. This is an excellent report for helping developers remediate vulnerabilities, or for providing an in-depth understanding of the specific vulnerabilities found for a particular asset.

Asset List

The Vulnerability Details Report provides a list of the assets included in this report, shown below.

[Screenshot: asset list in the Vulnerability Details Report]

Demo Site BE

This table is sorted by the importance (score) of your site as set by the vulnerability assessor. The higher the score, the more important the site. Your vulnerabilities are then categorized by vulnerability class and then by vulnerability level.

[Screenshot: Demo Site BE in the Vulnerability Details Report for sites]

Vulnerabilities Covered

The table below shows which classes of vulnerabilities are covered for which service levels (BE, PE, SE) in the Vulnerability Details Report (✓ = covered, ✗ = not covered).

Vulnerability Class                        BE   PE   SE
URL Redirector Abuse                       ✓    ✗    ✓
SQL Injection                              ✓    ✗    ✗
Server Misconfiguration                    ✓    ✓    ✓
Remote File Inclusion                      ✓    ✗    ✗
Predictable Resource Location              ✓    ✗    ✓
Path Traversal                             ✓    ✗    ✗
OS Command Injection                       ✓    ✗    ✗
OS Commanding                              ✓    ✗    ✗
Insufficient Transport Layer Protection    ✓    ✓    ✓
Information Leakage                        ✓    ✗    ✓
Directory Traversal                        ✓    ✓    ✗
Directory Indexing                         ✓    ✓    ✓
Cross Site Scripting                       ✓    ✓    ✓
Content Spoofing                           ✓    ✗    ✓
Insufficient Authorization                 ✗    ✓    ✓
Insufficient Authentication                ✗    ✓    ✗
Fingerprinting                             ✗    ✗    ✓

Report Sample

A sample report for Insufficient Authorization is shown below; each vulnerability is reported in the same format.

[Screenshot: sample report entry in the Vulnerability Details Report]

Definition

Descriptions and Solutions for each vulnerability class listed in the table above are included in the report. References are provided for both the descriptions and the solutions. A sample definition for Insufficient Authorization is shown below.

[Screenshot: sample definition in the Vulnerability Details Report]

Appendix - Vulnerability Level Definitions (by Risk)

This section details how the vulnerability levels are defined. Risk levels for the WhiteHat Sentinel Source solution are based on the OWASP risk rating methodology, which follows the standard risk model (Risk = Likelihood x Impact) with several factors contributing to the likelihood and the impact. The following tables show how the vulnerability ratings are calculated in the Vulnerability Details Report.

[Table image: impact levels]
  • The Impact can be broken down into the Technical Impact and Business Impact. Technical impact considers the traditional areas of security: confidentiality, integrity, availability, and accountability.

  • The business impact stems from the technical impact and considers things such as financial damage, reputational damage, non-compliance, and privacy violations.

After scoring the Likelihood and Impact, the Risk Rating is determined using the following table:

[Table image: likelihood levels]

Risk ratings are defined below:

[Table image: risk levels]

The vulnerability verification status is indicated as shown below:

[Image: vulnerability verification icons]

The Vulnerability Details Report Options

The Vulnerability Details Report can be run for Sites or Groups; select your preference under the Generate For column in the Reports tab. You can select specific assets and specify:

  • Whether you want to see Open, Closed, or Both (all) vulnerabilities.

  • Which vulnerability classes you want to include in the detail report.

  • The date range for the report.

  • Which severity levels should be included in the report.

  • Whether or not Attack Vectors should be shown.

  • Whether or not the CVSS Score should be shown.

You can select what is to be included in the report by individual site or by group.

For more information on generating reports, please see the Reports section.