Vulnerability Editor in Acunetix 360

The vulnerability editor in Acunetix 360 lets you modify a vulnerability's details, such as its severity or impacts, based on your needs.

When you run a scan, you attach a report policy to it. While the scan policy determines which checks Acunetix 360 runs, the report policy determines how the results are reported. The two interact: for example, if you change the severity level of SQL Injection to Best Practice, the finding is still detected but is reported at that lower level, so you may overlook a critical security issue in your web application.

Thanks to the vulnerability editor, you can do the following:

  • Modify the severity level of a vulnerability
  • Change a vulnerability's order, impact, signature type, etc.

This topic explains the fields of the Vulnerability Editor and how to use it to edit a vulnerability's details according to your needs.

Information

To edit a vulnerability's details in Acunetix 360, you need to create a new report policy or clone the default report policy. For further information, see Custom Report Policies.

Configuring the Vulnerability Editor

You can customize a vulnerability's description, name, its severity, etc. based on your needs. For example, you may regard a certain vulnerability's severity as Low while others may regard its severity as High.

Vulnerability Editor fields

This table lists and explains the fields in the Vulnerability Editor.

Field

Description

Description

This is the name of the vulnerability.

Type

This is the type of vulnerability. It is read-only.

Severity

This is the severity assigned to the vulnerability. The drop-down options are:

  • Critical
  • High
  • Medium
  • Low
  • Best Practice
  • Information

For further information, see Vulnerability Severity Levels.

Signature Type

This determines how Acunetix 360 reports vulnerabilities identified. The drop-down options are:

  • Active: This option is used for active checks. An active check means that Acunetix 360 sends an attack payload to identify the vulnerability in your web application. When Active is selected, Acunetix 360 reports the vulnerability every time it is identified. For example, if a SQL Injection vulnerability is identified on ten different web pages, Acunetix 360 reports the vulnerability for all ten pages.
  • Passive: This option is used for passive checks. A passive check means that Acunetix 360 analyzes the response to identify the vulnerability, without sending an attack payload. When Passive is selected, Acunetix 360 reports the vulnerability every time it is identified. For example, if a Microsoft Outlook Personal Folders File (.pst) Found vulnerability is identified on ten different web pages, Acunetix 360 reports the vulnerability for all ten pages.
  • Groupable: This option limits how many times a vulnerability is reported. The default limit is 10. For example, if you change the signature type of SQL Injection to Groupable, Acunetix 360 reports the vulnerability for at most 10 web pages.
  • Unique: This option instructs Acunetix 360 to report a vulnerability only once. For example, if you change the signature type of SQL Injection to Unique, Acunetix 360 reports the vulnerability a single time, regardless of how many pages it is found on.

Order

This is the confidence level Acunetix 360 uses to order the vulnerabilities it identified. The drop-down options are:

  • Confirmed: This means Acunetix 360 confirmed the vulnerability.
  • Probable: This means there is a high possibility that the vulnerability exists. Note that Probable vulnerabilities are very rare in Acunetix 360: only Probable SQLi and Probable LFI use this order.
  • Possible: This means Acunetix 360 identified the vulnerability but did not confirm it. In those cases, Acunetix 360 assigns a certainty value.
  • Inactive

Impacts

This is the impact of the vulnerability. You can choose one or more built-in impacts for the vulnerability identified by Acunetix 360. The selected impact text is displayed in scan reports.

Retestable

This indicates whether the issue can be retested. For further information, see Managing Issues.

Show Attack Pattern

This determines whether you want Acunetix 360 to display the attack pattern in the scan reports.

Hidden

This determines whether the vulnerability appears in your custom report. If selected, Acunetix 360 removes the vulnerability from the custom report policy list, so it does not report this vulnerability.

Enabled

This determines whether Acunetix 360 runs the security check for a vulnerability. Only when it is selected does Acunetix 360 check whether the vulnerability exists in your system.

Firewall Compatible

This indicates that Acunetix 360 can add this vulnerability to the Web Application Firewall Rules report. For further information, see ModSecurity WAF Rules Report and F5 BIG-IP ASM WAF Rules Report.
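
The following is an added example, not Acunetix code: a small Python model of how the Signature Type, Hidden, Enabled and Severity fields described above combine to decide what reaches a scan report, using the documented default Groupable limit of 10. The VulnPolicy class, the apply_report_policy function and the sample findings are constructed for illustration.

```python
# Added example (not Acunetix code): a model of how the Vulnerability Editor
# settings described on this page shape what ends up in a scan report.
from collections import Counter
from dataclasses import dataclass

# Hypothetical policy entry mirroring the editor fields. The group_limit of 10
# is the default stated in the documentation for the Groupable signature type.
@dataclass
class VulnPolicy:
    severity: str
    signature_type: str        # "Active", "Passive", "Groupable" or "Unique"
    enabled: bool = True
    hidden: bool = False
    group_limit: int = 10

def apply_report_policy(findings, policy):
    """findings: list of (vulnerability name, URL) pairs the scanner raised.
    Returns the (name, URL, severity) rows a report built with `policy` keeps."""
    reported = []
    seen = Counter()
    for name, url in findings:
        entry = policy.get(name)
        # Enabled off: the check never runs, so nothing can be reported.
        # Hidden on: the check runs, but the finding is dropped from the report.
        if entry is None or not entry.enabled or entry.hidden:
            continue
        seen[name] += 1
        cap = {"Unique": 1, "Groupable": entry.group_limit}.get(entry.signature_type)
        # Active and Passive report every occurrence; Groupable and Unique cap it.
        if cap is not None and seen[name] > cap:
            continue
        reported.append((name, url, entry.severity))
    return reported

# Constructed sample: twelve SQL Injection hits, two .pst files, one hidden check.
SAMPLE_FINDINGS = [("SQL Injection", f"/page{i}") for i in range(12)] + [
    ("Microsoft Outlook Personal Folders File (.pst) Found", "/a.pst"),
    ("Microsoft Outlook Personal Folders File (.pst) Found", "/b.pst"),
    ("Version Disclosure", "/"),
]
DEFAULT_POLICY = {
    "SQL Injection": VulnPolicy("Critical", "Active"),
    "Microsoft Outlook Personal Folders File (.pst) Found": VulnPolicy("Medium", "Passive"),
    "Version Disclosure": VulnPolicy("Low", "Unique", hidden=True),
}

def count_by_name(rows):
    """Number of reported rows per vulnerability name."""
    return Counter(name for name, _, _ in rows)
```

Switching SQL Injection to Groupable, Unique, disabled, or a different severity in the policy dictionary shows the effect each editor field has on the same set of findings.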

How to edit vulnerability details with the Vulnerability Editor in Acunetix 360

  1. Log in to Acunetix 360.
  2. From the main menu, select Report Policies.
  3. From the Report Policies page, select the custom policy you want to edit.
  4. Select the Editor tab.
  5. Select a vulnerability, then select Edit. The Vulnerability Editor dialog is displayed.
  6. From the Vulnerability Editor dialog, make the changes you require and select Save.

Information

Please note that your changes apply only to new scans. To see your changes in reports, you need to run new scans with the custom report policy you edited.
