
Sentinel interface terms

Attack Vector

In document WhiteHat Security Sentinel Service (Page 45-48)

A test consisting of HTTP requests and responses that indicate the presence of a vulnerability. Because injection-based attacks usually target specific parameter injection points, attack vectors for vulnerabilities such as Cross-Site Scripting (XSS) and SQL Injection are grouped by each vulnerable parameter.

All open attack vectors must be resolved in order to close a vulnerability. The same attack vectors will be re-sent during a retest. If the vulnerability can no longer be found, the attack vectors (and thus the vulnerability) will be closed. Should future scans reveal new or re-opened attack vectors, the closed vulnerability may be re-opened.

Global Rank

A percentile rank indicating your site's approximate rank against all sites that have been scanned at least twice. The percent shown in the box represents the percentage of sites that contain more vulnerabilities than your site. For example, if your Global Rank is 20%, then 80% of all scanned sites are more secure. Sites that have not yet been globally ranked are labeled ‘Unranked.’

Hostname

An identifying domain name assigned to a host computer, usually a combination of the host's local name with its parent domain's name.

Industry Rank

A percentile rank indicating your site's approximate rank against all sites within your vertical market that have been scanned at least twice.

Priority

On a scale of 1 to 10, a customer-determined level of value or importance of a site. Priority is initially set to the default level of 5, but can be modified from Site Summary > Settings. A change in Priority additively affects the Score of all vulnerabilities found in

Severity

The potential business impact if a specific vulnerability is exploited. The levels of severity are based on the same conditions factored into the PCI Security Scan report ratings, but the definitions below are clarified for Web application security concerns.

Level 5 - Urgent

• Attacker can assume remote root or remote administrator roles

• Exposes entire host to attacker; backend database, personally identifiable records, credit card data

• Full read and write access, remote execution of commands

• Example Business Vulnerability: Insufficient Authorization

• Example Technical Vulnerability: Format String Attack, SQL Injection, Directory/Path Traversal

Level 4 - Critical

• Attacker can assume remote user only, not root or admin

• Exposes internal IP addresses, source code

• Partial file-system access (full read access without full write access)

• Example Business Vulnerability: Insufficient Authentication, Session Fixation, Abuse of Functionality, Credential/Session Prediction, Insufficient Authentication, Cross-Site Request Forgery (CSRF)

• Example Technical Vulnerability: Cross-Site Scripting (XSS), Server Side Include (SSI) Injection, OS Command Injection

Level 3 - High

• Exposes security settings, software distributions and versions, database names

• Example Business Vulnerability: Weak Password Recovery Validation, Denial of Service, Insufficient Process Validation, Brute Force

• Example Technical Vulnerability: Information Leakage, Content Spoofing, Predictable Resource Location, LDAP Injection, Directory Indexing, HTTP Response Splitting

Level 2 - Medium

• Exposes precise versions of applications

• Sensitive configuration information may be used to research potential attacks against host

• Example Business Vulnerability: Insufficient Session Expiration, Insufficient Anti-automation

• Example Technical Vulnerability: XPath Injection

Level 1 - Low

Threat

A measure of how feasible it is to exploit a specific vulnerability. Criteria can include the skill level required of the attacker, the context of the attack surface, the transience of the vulnerable code, and the dependencies for access to the vulnerability. Threat level is one of the factors used to calculate the Score of a vulnerability. The higher the threat level, the easier the vulnerability is to exploit.

Threat levels of some vulnerability classes are subject to change on a case-by-case basis.

Level 5 - Urgent

• Very low time, resources, and skill levels are needed for execution

• Easily exploitable

• Can be accidentally triggered by unsuspecting, non-technical user

• Authentication may not be required

• Details of past exploits and demonstrations are widely available

• Extensive educational materials have been published about this vulnerability class

• Large, almost universal attack surface with many entry points

Level 4 - Critical

• Little time and few resources are needed for execution

• Some background knowledge may be required for execution

• Remotely exploitable

• Authentication, if required by the Web application, is easily defeated

• Details of past exploits somewhat available

Level 3 - High

• Tools to automate the attack are available, but require some background knowledge

• A moderate amount of time and resources are required

• Proofs-of-concept and a few real-world exploits have occurred, but details may not be known

Level 2 - Medium

• At least one proof-of-concept has been demonstrated, but there are no records of real world attacks

• Considerable technical skill is required

• Attack vector is moderately transient and conditional

• Attack vector is moderately deep in the code

Level 1 - Low

• Attack method is obscure, brand-new, or strictly a theory

• Distributed systems knowledge (or insider status) required for execution

• Origin of attack is typically local

• Authentication is required

• Attack vector is highly transient, conditional, and located deep in the code

• Extremely narrow attack surface

Score

The sum total of the Threat and Severity levels of an identified vulnerability, plus the Priority of the site. Scores range from 3 to 20.

• For example, a Cross-Site Scripting vulnerability with a Severity level of 5 and a Threat level of 5 on a Priority 10 site results in a Score of 20.

• Priority is initially set to the default level of 5. If you increase the Priority for a site that has been scanned, the Score for any vulnerability found on that site automatically updates.

• Threat and Severity levels have default levels that can be overridden by WhiteHat Security on a case-by-case basis. Each vulnerability's Score is indicated in the Vulnerability Summary and Findings pages.
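The following Python model is an added illustration, not WhiteHat's own code, of two rules described in this glossary: the Score formula (Threat + Severity + Priority) and the attack-vector retest rule under which a vulnerability closes only when every attack vector stops reproducing and re-opens when a later scan finds new or re-opened vectors. Class and function names, the status strings, and the sample vector identifiers are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

@dataclass
class AttackVector:
    vector_id: str      # assumed: the parameter or injection point the test targets
    is_open: bool = True

@dataclass
class Vulnerability:
    vuln_id: str
    severity: int       # 1..5, per the Severity levels above
    threat: int         # 1..5, per the Threat levels above
    vectors: dict = field(default_factory=dict)
    status: str = "open"

def score(vuln, site_priority):
    """Score = Threat + Severity + site Priority, so the range is 3..20."""
    for name, value, upper in (("severity", vuln.severity, 5),
                               ("threat", vuln.threat, 5),
                               ("priority", site_priority, 10)):
        if not 1 <= value <= upper:
            raise ValueError(f"{name} must be between 1 and {upper}, got {value}")
    return vuln.severity + vuln.threat + site_priority

def retest(vuln, vectors_still_present):
    """Re-send the same attack vectors; each one not reproduced is closed.
    The vulnerability itself closes only when no vector remains open."""
    for vector_id, vector in vuln.vectors.items():
        vector.is_open = vector_id in vectors_still_present
    if not any(v.is_open for v in vuln.vectors.values()):
        vuln.status = "closed"
    return vuln.status

def scan(vuln, vectors_found):
    """A later scan: new or re-opened vectors re-open a closed vulnerability."""
    for vector_id in vectors_found:
        if vector_id in vuln.vectors:
            vuln.vectors[vector_id].is_open = True
        else:
            vuln.vectors[vector_id] = AttackVector(vector_id)
    if vectors_found and vuln.status == "closed":
        vuln.status = "reopened"
    return vuln.status

if __name__ == "__main__":
    # Constructed sample: an XSS finding with two injection points on a Priority 10 site
    xss = Vulnerability("XSS-1", severity=5, threat=5,
                        vectors={"q": AttackVector("q"), "id": AttackVector("id")})
    print(score(xss, 10))                 # 20, the maximum the glossary describes
    print(retest(xss, {"q"}))             # still open: "q" reproduced
    print(retest(xss, set()))             # closed: nothing reproduced
    print(scan(xss, {"name"}))            # reopened by a new vector
```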

Site Credentials

A username and password a customer provides in order for scanners to perform tests as a logged-in user. This feature is required if your site requires user accounts. We recommend creating two accounts for each access level (two users, two administrators, and so on), pre-populated with example test data, to ensure a thorough scan.

In the Site Credentials page, you can enter the credentials of multiple accounts to represent different roles, such as users and administrators, to test various permission and access levels.

The Site Credentials page indicates whether existing credentials, if any, have been used for testing. In some cases, separate "sites" are created for each credential set. You can add, change, or delete the credentials for a given site by selecting the site in the Executive Summary page, and then clicking the Site Credentials link.

Vulnerability

An instance of weakness in a Web application that can result in harm to the Web application, its operations, or its end users, especially when exploited by a malicious individual or script.

VulnID (Vulnerability Identification)

A unique identifier of a specific vulnerability in your account.
