Viewing vulnerability details
When you select a vulnerability, Acunetix provides comprehensive information, including attack details and potential impact. These vulnerability details help you understand the root cause of the vulnerability, assess the severity of the issue, and determine how urgently it needs to be addressed. This document provides a high-level explanation of the information available on the Vulnerabilities page when viewing the details of a vulnerability.
How to view vulnerability details
Vulnerability details can be accessed from the Vulnerabilities page or from the Vulnerabilities section when reviewing scan results. On the Vulnerabilities page, an API tag is shown on findings that Acunetix can attribute to an API specification. API specs can come from a manual upload to a target or scan configuration, from a spec linked to a target or scan configuration, or from a spec linked from API Discovery.
When you select a vulnerability from the list, its details appear on the right-hand side. The information provided for each vulnerability is explained in the section below.
What information is provided?
Vulnerability details contain the following sections:
- URL: This is the reference to the resource that contains the issue.
- Parameter: This is the input variable (for example, a query string, form field, or header) in which the issue was identified.
- Attack Details: Information about the attack parameters and variables Acunetix used to exploit the vulnerability. For example, a Cross Site Scripting alert will show the name of the exploited input variable and the string it was set to.
- Proof of Exploit (AcuSensor): This is a piece of evidence showing that Acunetix is 100% confident that the vulnerability exists. The proof of exploit confirms the severity of the vulnerability by providing information that is considered confidential and should not be accessible. If you enable AcuSensor, you get more information about the proof and the vulnerability: AcuSensor shows the exact location of the issue in the application code and simplifies remediation efforts. For more information, refer to: What is the proof of exploit in the Acunetix vulnerability alert?
- Vulnerability Description: This helps you understand the vulnerability. You’ll also find here the HTTP request sent to the web server and the response sent back by the web server (including the HTML response).
- HTTP Request: This is the whole HTTP request that Acunetix sent in order to detect the issue. This request helps you understand how Acunetix exploited the vulnerability.
- HTTP Response: This is the web server's reply to the request carrying the payload. Acunetix highlights the part of the response that reveals the vulnerability.
- The impact of this vulnerability: This shows the effect of the vulnerability on the Target URL if this vulnerability is exploited.
- How to fix this vulnerability: Guidance on how to fix the vulnerability.
- Classification: This shows the Common Weakness Enumeration (CWE) id and the Common Vulnerability Scoring System (CVSS) scores (v2 and v3) to give an idea of how severe the vulnerability is on a global scale. The CWE entry links to the relevant CWE web page. CVSS provides the Base Score and the vector string, which breaks down into the base metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, and Availability.
- Detailed information: Comprehensive information about how the vulnerability occurs in the first place, what an attacker can do with this vulnerability, and how you can prevent it from occurring in the future.
- Web references: A list of web links to external sources providing more information on the vulnerability to help you understand and fix it.