Editing vulnerabilities and assigning security standards in Acunetix 360

The Vulnerability Editor allows you to modify vulnerability details, such as description, name, severity, and impact. You can also edit or assign classifications to vulnerabilities, including CVSS, OWASP, PCI, and other security standards. These changes are applied to custom report policies that you attach when running a scan and they affect your scan result report. This guide explains how to edit vulnerabilities and assign security standards.

NOTE: To edit a vulnerability's details in Acunetix 360, you need to create a new report policy or clone the default report policy; the built-in default policy itself cannot be edited. For more information, refer to Custom Report Policies.

How to edit vulnerability details with the Vulnerability Editor

  1. Log in to Acunetix 360.
  2. From the main menu, select Policies > Report Policies.
  3. On the Report Policies page, click Edit next to the custom report policy you want to edit.

  4. Select the Editor tab.

  5. Use the Search field or scroll down to find the vulnerability you want to edit, and select it by clicking on it.

  6. Click Edit.

  7. In the Vulnerability Editor window that opens, make changes to any of the following fields:
  • Description: The name of the vulnerability as it appears in reports.
  • Type: This field is read-only and identifies the type of vulnerability.
  • Severity: This defines the importance of the vulnerability. For more information, refer to Vulnerability Severity Levels.

BE CAUTIOUS: Lowering the severity of a vulnerability such as SQL Injection to "Best Practice" affects every scan that uses the policy, and can cause critical issues in your web application to be overlooked.

  • Signature Type: Determines how Acunetix 360 reports identified vulnerabilities. The drop-down options are:
    • Active: Used for active checks, where Acunetix 360 sends an attack payload to identify vulnerabilities. Acunetix 360 reports the vulnerability each time it is identified. For example, if an SQL Injection is found on ten different web pages, Acunetix 360 reports it on all of those web pages.
    • Passive: Used for passive checks, where Acunetix 360 analyzes responses to identify vulnerabilities. Acunetix 360 reports the vulnerability each time it is identified. For example, if a Microsoft Outlook Personal Folders File (.pst) is found on ten different web pages, Acunetix 360 reports it on all of those web pages.
    • Groupable: Limits the number of times a vulnerability is reported. The default limit is 10. For example, if SQL Injection is set to Groupable, Acunetix 360 reports it on at most 10 web pages, even if it is found on more.
    • Unique: Reports a vulnerability only once. For example, if SQL Injection is set to Unique, Acunetix 360 reports it only one time, regardless of how many pages are affected.
  • Order: This sets the priority for listing vulnerabilities identified by Acunetix 360. The drop-down options are:
    • Confirmed: Acunetix 360 verified the vulnerability with Proof-Based Scanning.
    • Probable: There is a high possibility of a vulnerability. Probable vulnerabilities are very rare in Acunetix 360, applicable mainly to Probable SQLi and Probable LFI vulnerabilities.
    • Possible: The vulnerability was identified but not confirmed. In these cases, Acunetix 360 assigns a certainty value.
    • Inactive
  • Impacts: This defines the impact of the vulnerability. You can select one or more built-in impacts for the vulnerability identified by Acunetix 360. The impact message is displayed in scan reports.
  • Retestable: This indicates whether the issue is eligible for retesting. For more information, refer to Managing Issues.
  • Show Attack Pattern: This determines whether Acunetix 360 displays the attack pattern within the scan reports.
  • Hidden: This determines whether the vulnerability appears in your custom report. If selected, the vulnerability is removed from the custom report policy's vulnerability list, so Acunetix 360 does not report it.
  • Enabled: This determines whether Acunetix 360 performs the security check for this vulnerability. When selected, Acunetix 360 tests whether the vulnerability exists in your system; when cleared, the check is skipped.
  • Firewall Compatible: This indicates that Acunetix 360 can include this vulnerability in the Web Application Firewall Rules report. For additional details, refer to the ModSecurity WAF Rules Report and F5 BIG-IP ASM WAF Rules Report.

  8. Click Save.

NOTE: Your changes will only apply to new scans. To see these changes in reports, you must run new scans using the custom report policy you edited.

How to assign security standards to vulnerabilities

The column on the right-hand side in the Report Policy Editor allows you to edit or assign OWASP, PCI, CVSS, and other security standards or classifications.

To assign a CVSS 4.0 vector string, as an example, follow these steps:

  1. Use the Search field or scroll down to find the vulnerability you want to edit, and select it by clicking on it.

  2. In the Classification column, scroll down to find the CVSS 4.0 field.

  3. In the field below the security standard title, enter the vector string (for example, a string beginning with CVSS:4.0/ that lists the base metrics).

  4. Click Save. Your changes will only apply to new scans. To see these changes in reports, you must run new scans using the custom report policy you edited.
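The CVSS 4.0 field accepts whatever text is entered, so it is worth checking a vector string for syntax before pasting it into the policy. The following is an added example, not Acunetix 360 code: a small Python checker that validates a CVSS 4.0 vector string against the metric names and values in the CVSS v4.0 specification's vector-string table (base metrics mandatory, threat, environmental and supplemental metrics optional, all in specification order). It checks syntax only; it does not compute a score. The sample vectors at the bottom are constructed for illustration.

```python
"""Syntax checker for CVSS 4.0 vector strings (added example; not Acunetix code).

Metric names and allowed values follow the CVSS v4.0 specification's
vector-string table. The checker verifies the prefix, that every base metric
is present, that each value is allowed, that no metric repeats, and that
metrics appear in specification order. It does not compute a score.
"""

PREFIX = "CVSS:4.0"

# Base metrics (mandatory), in the order the specification lists them.
BASE = {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN",
    "SC": "HLN", "SI": "HLN", "SA": "HLN",
}

# Threat, environmental and supplemental metrics (optional), in order.
# "X" means "not defined" and is the default for every optional metric.
OPTIONAL = {
    "E": "XAPU",
    "CR": "XHML", "IR": "XHML", "AR": "XHML",
    "MAV": "XNALP", "MAC": "XLH", "MAT": "XNP", "MPR": "XNLH", "MUI": "XNPA",
    "MVC": "XHLN", "MVI": "XHLN", "MVA": "XHLN",
    "MSC": "XHLN", "MSI": "XSHLN", "MSA": "XSHLN",
    "S": "XNP", "AU": "XNY", "R": "XAUI", "V": "XDC", "RE": "XLMH",
}

# The Urgency metric takes word values rather than single letters.
URGENCY_VALUES = ("X", "Clear", "Green", "Amber", "Red")

ORDER = list(BASE) + list(OPTIONAL) + ["U"]


def parse_cvss4(vector):
    """Return {metric: value} for a syntactically valid CVSS 4.0 vector.

    Raises ValueError with a reason for the first problem found.
    """
    parts = vector.strip().split("/")
    if parts[0] != PREFIX:
        raise ValueError(f"vector must start with {PREFIX}/")

    metrics = {}
    for part in parts[1:]:
        if part.count(":") != 1:
            raise ValueError(f"malformed metric {part!r}")
        name, value = part.split(":")
        if name in metrics:
            raise ValueError(f"metric {name} given more than once")

        if name in BASE or name in OPTIONAL:
            allowed = BASE.get(name) or OPTIONAL[name]
            if len(value) != 1 or value not in allowed:
                raise ValueError(f"{name}:{value} is not one of {'/'.join(allowed)}")
        elif name == "U":
            if value not in URGENCY_VALUES:
                raise ValueError(f"U:{value} is not one of {'/'.join(URGENCY_VALUES)}")
        else:
            raise ValueError(f"unknown metric {name!r}")
        metrics[name] = value

    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {', '.join(missing)}")

    # Metrics must appear in the order of the specification's table.
    positions = [ORDER.index(m) for m in metrics]
    if positions != sorted(positions):
        raise ValueError("metrics are not in specification order")
    return metrics


def is_valid_cvss4(vector):
    """Boolean wrapper around parse_cvss4 for quick checks."""
    try:
        parse_cvss4(vector)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample vectors: one valid, three with common mistakes.
    samples = [
        "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",          # wrong version
        "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N",  # SI and SA missing
        "CVSS:4.0/AC:L/AV:N/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",  # out of order
    ]
    for s in samples:
        try:
            parse_cvss4(s)
            print("OK     ", s)
        except ValueError as exc:
            print("INVALID", s, "->", exc)
```

Run the checker over a vector before entering it in the policy; a CVSS 3.1 string, a vector with a base metric missing, or metrics pasted out of order are all rejected with a reason, which is more useful than discovering the mistake in a scan report later.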
