
View vulnerability details

This document is for:
Invicti Platform

When you select a vulnerability, Invicti Platform provides comprehensive information, including attack details and potential impact. These vulnerability details help you understand the core cause of the vulnerability, assess the severity of the issue, and determine how urgently it needs to be addressed.

This document provides a high-level explanation of the information available on the Vulnerabilities page when viewing the details of a vulnerability.

View vulnerability details

Vulnerability details can be accessed from the Vulnerabilities page or the Vulnerabilities section when reviewing scan results.

When you select a vulnerability from the list, its details appear on the right-hand side. The information provided for each vulnerability is explained in the section below. 

Screenshot: All Vulnerabilities page, displaying details for an example vulnerability.

What information is provided?

Vulnerability details contain the following sections:

Vulnerability tab

  • Status of the vulnerability: open, fixed, ignored, or false positive.
  • Tags: tags assigned to the vulnerability.
  • Comment: comment related to the vulnerability.
  • Issue URL: link to the vulnerability in the integrated issue tracker.
  • Target: the target where the vulnerability was identified.
  • URL: the reference to the resource that contains the issue.
  • Application: the application that the target belongs to. For more information on applications, refer to the What is an application document.
  • Collection: the collection that the target belongs to. For more information on collections, refer to the What is a collection document.
  • First seen: the date and time when the vulnerability was first identified by Invicti.
  • Last seen: the date and time when the vulnerability was last identified by Invicti.
  • Confidence: the confidence level, showing how certain Invicti is that the identified vulnerability is real.
  • Source: displays how the vulnerability was identified - either through DAST, SAST, SCA or Container Security scan results.
  • Attack Details: the parameters and values Invicti used to exploit the vulnerability. For example, a Cross-Site Scripting alert shows the name of the exploited input parameter and the payload it was set to.
  • Proof of Exploit (Invicti IAST): evidence that the vulnerability was actually exploited rather than inferred from a pattern in the response; findings with a proof of exploit are reported with 100% confidence. The proof is data that is considered confidential and should not have been accessible, which is why it confirms the severity of the issue and why it should itself be handled as sensitive when the report is shared. If the IAST sensor is enabled, Invicti provides additional information about the proof and the vulnerability, including the exact location of the issue, which simplifies remediation.
  • Vulnerability Description: an explanation of the vulnerability, followed by the HTTP request sent to the web server and the response the server returned (including the HTML body).
  • The impact of this vulnerability: the effect on the target URL if the vulnerability is exploited.
  • How to fix this vulnerability: guidance on how to fix the vulnerability.
  • Classification: the Common Weakness Enumeration (CWE) ID, with a link to the relevant CWE web page, and the Common Vulnerability Scoring System (CVSS) v2 and v3 scores, which indicate how severe the vulnerability is on a global scale. For CVSS, the Base Score is shown together with the vector string; the v3 vector is made up of the base metrics Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, and Availability.
  • Web references: A list of web links to external sources providing more information on the vulnerability to help you understand and fix it.

Proof of Exploit tab

This section provides detailed evidence information on vulnerabilities that were verified by Invicti Platform.

Screenshot: Proof of Exploit information for a Command Injection vulnerability.

Request/Response tab

  • Request: the full HTTP request Invicti sent in order to detect the issue. It shows exactly how the scanner exploited the vulnerability and can be replayed to confirm the finding.
  • Response: the server's reply to that payload. Invicti highlights the part of the response that evidences the vulnerability.

Screenshot: Request/Response tab information for a found vulnerability.

Activity tab

This section provides information on the activity related to the vulnerability, for example a change of the vulnerability's status.

Screenshot: Activity tab information for a found vulnerability.
