The Attack Vector Detail Report

The Attack Vector Details Report provides details of vulnerability instances (attack vectors) found on sites or APIs selected for Dynamic Analysis. In addition to the location and time that the vulnerability was discovered, the attack vector details include a breakdown of the exact request and response so that developers may easily replicate the problem. This report is most likely to be of interest to developers engaged in remediating a specific vulnerability.

Asset List

The Attack Vector Details Report provides a list of the assets included in the report, as shown below.

[Image: asset list in the Attack Vector Details Report]

Issue Summary

The following table displays a breakdown of vulnerabilities by class. The table shows the Vulnerability ID, Class, Rating and Attack Vector ID.

[Image: issue summary table in the Attack Vector Details Report]

Attack Vector Details

The report provides a short vulnerability overview as shown below for each attack vector.

[Image: vulnerability overview in the Attack Vector Details Report]

This overview is followed by the Attack Vector Details.

[Image: attack vector details, part 1]

The attack vector details include a breakdown of the exact request and response, as shown below, so that developers can easily replicate the problem.

[Image: attack vector details, part 2]
[Image: attack vector details, part 3]

Definitions

Descriptions and Solutions for each vulnerability class detailed in the report are included. References are provided for both descriptions and solutions. A sample definition for Cross Site Scripting is shown below.

[Image: sample definition for Cross Site Scripting]

Appendix - Vulnerability Level Definitions (by Risk)

This section details how the vulnerability levels are defined. Risk levels for the WhiteHat Sentinel Source solution are based on the OWASP risk rating methodology, which follows the standard risk model (Risk = Likelihood x Impact) with several factors contributing to the likelihood and to the impact. The following tables show how the vulnerability ratings are calculated in the Attack Vector Details Report.

[Image: impact level table]

  • The Impact can be broken down into the Technical Impact and the Business Impact. Technical impact considers the traditional areas of security: confidentiality, integrity, availability, and accountability.

  • The business impact stems from the technical impact and considers factors such as financial damage, reputational damage, non-compliance, and privacy violations.

After scoring the Likelihood and Impact, the Risk Rating is determined using the following table:

[Image: likelihood level table]

Risk ratings are defined below:

[Image: risk level table]
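As an added worked example (not part of the report documentation or WhiteHat's code), the following Python computes a rating along the lines of the appendix: factor scores are averaged into Likelihood and Impact, each is bucketed into a level, and the pair is read off a matrix. The 0-9 level cut-offs and the matrix are the ones published in the OWASP Risk Rating Methodology; that is an assumption here, since the report's own tables are images that are not reproduced on this page.

```python
from statistics import mean
from typing import Dict, Optional

# Each factor is scored 0-9, as in the OWASP Risk Rating Methodology.
Factors = Dict[str, int]


def level(score: float) -> str:
    """Bucket a 0-9 score using OWASP's published cut-offs (assumed here)."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# OWASP overall-severity matrix: RISK_MATRIX[impact_level][likelihood_level].
RISK_MATRIX = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}


def likelihood(threat_agent: Factors, vulnerability: Factors) -> float:
    """Likelihood is the average of the threat-agent and vulnerability factors."""
    return mean(list(threat_agent.values()) + list(vulnerability.values()))


def impact(technical: Factors, business: Optional[Factors] = None) -> float:
    """Impact is the average of the business factors when they are known,
    otherwise of the technical factors (confidentiality, integrity,
    availability, accountability)."""
    return mean(list((business or technical).values()))


def rate(threat_agent: Factors, vulnerability: Factors,
         technical: Factors, business: Optional[Factors] = None) -> str:
    """Risk rating = Likelihood x Impact, read off the matrix."""
    lik = level(likelihood(threat_agent, vulnerability))
    imp = level(impact(technical, business))
    return RISK_MATRIX[imp][lik]


if __name__ == "__main__":
    # Constructed scores for a reflected XSS on a public login page (not from the report).
    agent = {"skill_level": 6, "motive": 4, "opportunity": 9, "size": 9}
    vuln = {"ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9, "intrusion_detection": 8}
    tech = {"confidentiality": 6, "integrity": 3, "availability": 1, "accountability": 7}
    print(likelihood(agent, vuln), impact(tech), rate(agent, vuln, tech))  # 7.125 4.25 High
```

Passing a `business` dict (financial damage, reputational damage, non-compliance, privacy violation) overrides the technical impact, which is how the OWASP method prefers to score impact when the business figures are known.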

Vulnerability verification status is indicated as shown below:

[Image: vulnerability verification status icons]

The Attack Vector Detail Report - Options

The following are some of the other attack vector detail report options to choose from:

[Image: vulnerability filter options]
  1. Select whether you want to see Open, Closed, or Both (all) vulnerabilities.

  2. Specify the severity rating level to include.

  3. Filter by date.

  4. Show the CVSS scores.

  5. Determine whether you want to Limit to five Attack Vectors or show the Response Body in the report.

  6. Choose to generate the report as a PDF or as a CSV file.

For more information on generating reports, see the following Report Section.

The Attack Vector Detail Report - Selection by Groups

You can also select sites by group. When you have made your selections and clicked Generate Report, the report is returned to you as a PDF file. For each vulnerability class included in the report, you first see the description and solution for that class, followed by the details of its attack vectors.