The detection of vulnerabilities is the first step to securing your web applications. The vulnerabilities detected need to be managed and eventually fixed. Acunetix provides the means to help you prioritise and manage vulnerabilities.
The Vulnerabilities page provides a list of all the vulnerabilities detected by Acunetix. By default, the vulnerabilities are grouped by vulnerability type, and then sorted by the severity assigned to the vulnerability by Acunetix. This will help you focus on the most important vulnerabilities, without losing sight of the less important ones.
Drilling Down to the instances in the Vulnerability Type Group
In the example above, the Internal IP Address disclosure vulnerability shows a count of 4.
Click on the Vulnerability Type name to drill down to the list of instances inside the group.
Issue Trackers and Issue IDs
If you have implemented integration with an issue tracker, then you can also customize the columns displayed to include the Issue Id:
This will provide you with an updated vulnerability list including issue id information:
As the number of vulnerabilities detected increases, the list of vulnerabilities can become cumbersome to manage. For this reason, the vulnerabilities can be filtered.
Vulnerabilities can be filtered by Archive Status, Confidence, Business Criticality, FQDN, Target Group, Severity, Status, and Target. The list allows for multiple flexible filters, e.g. show all the high severity Vulnerabilities, identified on a specific Target, which are still open.
Screenshot - Filtered vulnerabilities
Import vulnerabilities into your Web Application Firewall (WAF)
Ideally, vulnerabilities are fixed as soon as possible. Unfortunately, it often takes months to fix a vulnerability. If you make use of a Web Application Firewall (WAF) supported by Acunetix, you can export vulnerabilities from Acunetix and import them into your WAF. Your WAF will be able to provide virtual patching for the vulnerability.
Acunetix supports exporting vulnerabilities for Citrix, F5 BIG-IP ASM, Fortinet FortiWeb, Imperva SecureSphere WAF, and to Generic XML, JSON, and CSV files, as well as to any Custom WAF profiles you may have created.
You can read more information about creating Custom WAF profiles here.
Sending Vulnerabilities to an Issue Tracker
For a developer, vulnerabilities are considered as bugs in the web application. Acunetix provides the means to send the vulnerabilities to the issue tracker used by the organisation, allowing for better tracking of vulnerabilities by the development team.
You will first need to configure the issue tracker in the Acunetix settings, and assign the Issue Tracker to the Target. You will then be able to send vulnerabilities detected for the specific Target to the Issue Tracker.
Acunetix supports GitHub, Gitlab, Jira, Azure Devops (TFS), BugZilla, and Mantis issue trackers.
When a vulnerability has been fixed, you can have Acunetix confirm the fix by selecting the vulnerability and clicking on the Retest option. This will create a new scan using a custom scanning profile restricted to the specific vulnerability.
Vulnerabilities detected by Acunetix remain in the vulnerabilities list until they are marked as not open. You can remove vulnerabilities from the list of open vulnerabilities by marking them as:
Fixed - This status is given to vulnerabilities that are fixed by the developers. If the vulnerability is found again by Acunetix, the vulnerability will be reopened, and marked as Rediscovered.
False Positive - There are situations where a vulnerability is incorrectly detected by Acunetix. The vulnerability will not be reported again in future scans.
Ignored - This status can be used for vulnerabilities which are not False Positives, but which for some reason should be ignored in future scans.
Vulnerabilities marked as False Positives or Ignored can be re-opened manually at any time.