Reviewing Scan Results
The Scans page provides a list of all scans performed, including a summary of the type of scan, the time and date when the scan was performed, its current status, and the number of vulnerabilities found at each severity level. This list can be filtered by:
- Archive Status
- Business Criticality
- Scan Profile
- Status
- Target
- Target Group
- Threat (severity level)
Once a scan has finished, Acunetix will send you an email with a summary of the results and a link allowing you to access the scan results directly. The scan results show the start and end date of the scan, the duration of the scan and all the alerts that have been identified during the scan. The Activity panel will show a message when the scan detects and makes use of AcuSensor during a web scan.
The scan results consist of 5 sections:
- Scan Stats & Info - This provides an overview of the Target as detected by the scan, and information about the scan, such as scan duration, average response time and the number of files scanned.
- Vulnerabilities - This is the list of vulnerabilities detected, ordered by severity.
- Site Structure - You can use the site structure to ensure that Acunetix has covered the whole site, and to identify vulnerabilities affecting a specific file or folder of the scanned site. Click on the folder icon to expand the site structure tree. The special node labelled "fragments" shows all the URI fragments identified by Acunetix; expand the "fragments" node to see the URLs that were tested.
- Scan Statistics - Two statistical tables. The Operations table analyses the different scan operation types that were performed, showing the number of times each operation was performed, the average duration of each operation, and the total duration of all the operations. The Locations table analyses the different URLs that were scanned, showing the number of times each URL was scanned, the average duration of each scan, and the total duration of all the scans performed on that location. You can sort either table by the number of runs/requests or by the total duration of the operation type or location.
- Events - A list of events related to the scan. This shows when the scan started and finished, and whether any errors were encountered during the scan.
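The Scan Statistics tables above are plain aggregations: group each scan operation run by operation type or by URL, then report run count, average duration and total duration, sortable by runs or by total. The following added example (not Acunetix code) builds both tables from a constructed event list; the `op=... loc=... ms=...` line format is an assumption chosen only to have something to aggregate, and malformed lines are skipped rather than aborting the table.

```python
"""Build the Operations and Locations statistics tables from per-run scan events.

Added example, not Acunetix code. The event line format below is a constructed
assumption; the product's own Scan Statistics view is the real source of these numbers.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: one line per scan operation run against a location.
SAMPLE_EVENTS = """\
op=crawl loc=/ ms=120
op=crawl loc=/login ms=80
op=xss loc=/login ms=300
op=xss loc=/search ms=450
op=sqli loc=/login ms=900
op=sqli loc=/search ms=700
op=crawl loc=/search ms=100
this line is malformed and is skipped
"""

EVENT_RE = re.compile(r"op=(\S+)\s+loc=(\S+)\s+ms=(\d+)")

# One table row: name, number of runs, average duration (ms), total duration (ms)
Row = Tuple[str, int, float, int]


def group_durations(events: str, key: str) -> Dict[str, List[int]]:
    """Collect durations per operation type (key='operation') or per URL (key='location')."""
    if key not in ("operation", "location"):
        raise ValueError(f"unknown key: {key}")
    groups: Dict[str, List[int]] = defaultdict(list)
    for line in events.splitlines():
        m = EVENT_RE.fullmatch(line.strip())
        if m is None:
            continue                      # ignore lines that do not parse
        op, loc, ms = m.groups()
        groups[op if key == "operation" else loc].append(int(ms))
    return groups


def statistics_table(events: str, key: str, sort_by: str = "total") -> List[Row]:
    """Rows sorted descending by 'runs' or 'total' duration, ties broken by name."""
    column = {"runs": 1, "total": 3}[sort_by]
    rows: List[Row] = [
        (name, len(d), sum(d) / len(d), sum(d))
        for name, d in group_durations(events, key).items()
    ]
    return sorted(rows, key=lambda r: (-r[column], r[0]))


if __name__ == "__main__":
    for key in ("operation", "location"):
        print(f"{key:>10}  runs  avg_ms  total_ms")
        for name, runs, avg, total in statistics_table(SAMPLE_EVENTS, key, "total"):
            print(f"{name:>10}  {runs:>4}  {avg:>6.1f}  {total:>8}")
```

Sorting by total duration surfaces the operation types or URLs that consumed the most scan time, which is the usual question when a scan runs longer than expected; sorting by runs instead shows which locations were exercised most often.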
Alerts (vulnerabilities) discovered
One of the key components of the scan results is the list of all vulnerabilities found in the scan target during the scan. Depending on the type of scan, these can be either Web Alerts or Network Alerts, and the alerts are categorized according to 4 severity levels:
High Risk Alert Level 3 – Vulnerabilities categorized as the most dangerous, which put the scan target at maximum risk for hacking and data theft.
Medium Risk Alert Level 2 – Vulnerabilities caused by server misconfiguration and site-coding flaws, which facilitate server disruption and intrusion.
Low Risk Alert Level 1 – Vulnerabilities derived from lack of encryption of data traffic or directory path disclosures.
Informational Alert – These are items which have been discovered during a scan and which are deemed to be of interest, e.g. the possible disclosure of an internal IP address or email address, or matching a search string found in the Google Hacking Database, or information on a service that has been discovered during the scan.
Depending on the type of vulnerability, additional information about the vulnerability is shown when you click on an alert category node:
- Vulnerability description - A description of the discovered vulnerability.
- Affected items - The list of files or components which are affected by the alert.
- The impact of this vulnerability – Level of impact on the website, web server or perimeter server if this vulnerability is exploited.
- Attack details - Details about the parameters and variables used to test for this vulnerability. For example, for a Cross-Site Scripting alert, the name of the exploited input variable and the string it was set to will be displayed. You can also find the HTTP request sent to the web server and the response sent back by the web server (including the HTML response).
- How to fix this vulnerability - Guidance on how to fix the vulnerability.
- Classification - Apart from the Acunetix classification, this section provides classification by CVSS (v2 and v3) score and CWE enumeration id.
- Detailed information - More information on what is causing the reported vulnerability, with examples where applicable.
- Web references - A list of web links to external sources providing more information on the vulnerability to help you understand and fix it.
Software Composition Analysis Results
When reviewing the scan results, you can see that the SCA functionality has discovered vulnerable packages in use. You can also expand a discovered vulnerability to get a detailed description of the vulnerable package. If multiple vulnerable packages are found at the same severity level, the detailed description is shown for each vulnerable package.
SCA Remediation hints
The detailed description gives valuable pointers for remediation. In the first example above, the version reads:
Version: 5.2.26.0
...and the description reads:
Description: PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.
This clearly indicates which version numbers of the open-source component in question are vulnerable, as well as the specific version number found in your web application. You can therefore switch to a version of the component in which the vulnerability has been resolved. In this case, you would most likely be best served by upgrading the PHPMailer component to at least version 6.0.6 (or version 5.2.27 if you require some legacy functionality or behaviour that is not present in version 6.0.6).
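The reasoning above (detected version 5.2.26.0, vulnerable "before 5.2.27 and 6.x before 6.0.6", so 5.2.27 or 6.0.6 resolves it) is a version-range comparison that is easy to get wrong by hand when a finding lists several lines. The following added example (not Acunetix code) parses the quoted description and reports the fixed versions newer than the detected one. The range grammar it understands ("before X" and "N.x before Y") is an assumption modelled on the PHPMailer sentence on the page; a clause without a major-line prefix is read as covering every version below the bound, and other advisories may phrase their ranges differently.

```python
"""Match a detected component version against the vulnerable ranges quoted in an
SCA finding and list the fixed versions that resolve it.

Added example, not Acunetix code. The range grammar ("before X", "N.x before Y")
is an assumption modelled on the PHPMailer description quoted on the page.
"""
import re
from typing import List, Optional, Tuple

# Taken from the SCA finding quoted on the page.
PHPMAILER_DESCRIPTION = ("PHPMailer before 5.2.27 and 6.x before 6.0.6 "
                         "is vulnerable to an object injection attack.")
DETECTED_VERSION = "5.2.26.0"

Version = Tuple[int, ...]
Range = Tuple[Optional[int], Version]   # (major line or None, exclusive upper bound)

RANGE_RE = re.compile(r"(?:(\d+)\.x\s+)?before\s+(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """'5.2.26.0' -> (5, 2, 26); trailing zeros dropped so 6.0 and 6.0.0 compare equal."""
    parts = tuple(int(p) for p in text.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def format_version(v: Version) -> str:
    return ".".join(str(p) for p in v)


def parse_ranges(description: str) -> List[Range]:
    """Pull every 'before X' / 'N.x before X' clause out of the advisory sentence."""
    return [(int(m.group(1)) if m.group(1) else None, parse_version(m.group(2)))
            for m in RANGE_RE.finditer(description)]


def is_vulnerable(version: str, ranges: List[Range]) -> bool:
    """True when the version falls inside any clause (strictly below its upper bound)."""
    v = parse_version(version)
    for major, upper in ranges:
        if major is not None and v[0] != major:
            continue            # clause only covers one major line, e.g. "6.x"
        if v < upper:
            return True
    return False


def fixed_versions(ranges: List[Range]) -> List[str]:
    """Upper bounds that are not themselves inside another clause, ascending."""
    fixed = {upper for _, upper in ranges
             if not is_vulnerable(format_version(upper), ranges)}
    return [format_version(u) for u in sorted(fixed)]


def upgrade_targets(version: str, description: str) -> List[str]:
    """Fixed versions newer than the detected one; empty when nothing needs doing.

    The first entry is the smallest fix (the current line when the advisory lists
    one), the last is the newest fixed line.
    """
    ranges = parse_ranges(description)
    if not is_vulnerable(version, ranges):
        return []
    v = parse_version(version)
    return [f for f in fixed_versions(ranges) if parse_version(f) > v]


if __name__ == "__main__":
    print(upgrade_targets(DETECTED_VERSION, PHPMAILER_DESCRIPTION))  # ['5.2.27', '6.0.6']
```

For the page's finding this returns both 5.2.27 (stay on the 5.2 line) and 6.0.6 (move to the current line), matching the remediation advice above; for a detected 6.0.5 only 6.0.6 remains, and for 6.0.6 or 5.2.27 the list is empty because neither is inside a vulnerable clause.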
Vulnerabilities Detected by AcuMonitor
An Acunetix scan makes use of AcuMonitor to detect certain vulnerabilities such as Blind XSS, Email Header Injection, and certain types of SSRF, XXE and Host Header attacks. AcuMonitor can only detect some of these vulnerabilities after the scan has finished. When this happens, AcuMonitor will update the scan results with the newly detected vulnerabilities and you will receive an email notifying you that the scan results have been updated. More information on AcuMonitor can be found at http://www.acunetix.com/vulnerability-scanner/acumonitor-blind-xss-detection/.