Support
Explanations

Vulnerability Editor in Invicti

This document is for:
Invicti Standard, Invicti Enterprise On-Premises, Invicti Enterprise On-Demand

The vulnerability editor in Invicti lets you modify a vulnerability’s details, such as its severity impacts, based on your needs.

When you run a scan, you attach a report policy to it. While the scan policy affects which checks Invicti runs, the report policy affects your result report. For example, if you changed the severity level of the SQL Injection to the Best Practice severity level, you may miss a critical security issue in your web application.

Thanks to the vulnerability editor, you can do the following:

  • Modify the severity level of a vulnerability
  • Change a vulnerability’s order, impact, signature type, etc.

This topic explains the Vulnerability Editor and how to edit it according to your needs.

To edit a vulnerability’s details in Invicti Enterprise, you need to create a new report policy or clone the default report policy. For further information, see Custom Report Policies.

Configuring the Vulnerability Editor

You can customize a vulnerability’s description, name, its severity, etc. based on your needs. For example, you may regard a certain vulnerability’s severity as Low while others may regard its severity as High.

Vulnerability Editor fields

This table lists and explains the fields in the Vulnerability Editor.

Field

Description

Description

This is the name of the vulnerability.

Type

This is the type of vulnerability. It is read-only.

Severity

This is the importance of vulnerability. The drop-down options are:

  • Critical
  • High
  • Medium
  • Low
  • Best Practice
  • Information

For further information, see Vulnerability Severity Levels.

Signature Type

This determines how Invicti reports vulnerabilities identified. The drop-down options are:

  • Active: This option is used for active attacks in Invicti. The active attack means that Invicti sends an attack payload to identify the vulnerability in your web application. When the active is selected, this instructs Invicti to report a vulnerability whenever it is identified. For example, if a SQL Injection vulnerability is identified in ten different web pages, Invicti reports the vulnerability for all these pages.
  • Passive: This option is used for passive attacks. The passive attack means that Invicti analyzes the response to identify the vulnerability. When the passive is selected, this instructs Invicti to report a vulnerability whenever it is identified. For example, if a Microsoft Outlook Personal Folders File (.pst) Found vulnerability is identified in ten different web pages, Invicti reports the vulnerability for all these pages.
  • Groupable: This option lets you limit a vulnerability to be reported. The default value is 10. For example, if you change the signature type of SQL Injection to Groupable, Invicti reports the vulnerability only in 10 web pages.
  • Unique: This option lets you instruct Invicti to report a vulnerability only once. For example, if you change the signature type of SQL Injection to Unique, Invicti reports the vulnerability only one time.

Order

 

This is the priority Invicti rests on in order to list the vulnerabilities identified. The drop-down options are:

  • Confirmed: This means Invicti confirmed the vulnerability. For further information, see Get Results You Can Trust with Proof-Based Scanning.
  • Probable: This means there is a “high possibility” that there is a vulnerability. Please note that “probable” vulnerabilities are very rare in Invicti – only the Probable SQLi and Probable LFI vulnerabilities.
  • Possible: This means Invicti identified the vulnerability but not confirmed. In those cases, Invicti assigns a certainty value.
  • Inactive

Impacts

This is the impact of vulnerability. You can choose one or more built-in impacts for the vulnerability identified by Invicti. The message is displayed in scan reports.

Retestable

This indicates whether the issue can be retested. For further information, see Managing Issues.

Show Attack Pattern

This determines whether you want Invicti to display the attack pattern in the scan reports.

Hidden

This determines whether the vulnerability is in your custom report. If selected, Invicti removes the vulnerability from the custom report policy list. So, Invicti does not report this vulnerability.

Enabled

This instructs whether Invicti runs a security check for a vulnerability. If only selected, Invicti checks whether a vulnerability exists in your system.

Firewall Compatible

This indicates that Invicti can add this vulnerability to the Web Application Firewall Rules report. For further information, see ModSecurity WAF Rules Report and F5 BIG-IP ASM WAF Rules Report.

How to edit a vulnerability details with the Vulnerability Editor in Invicti Enterprise
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Report Policies.
  3. From the Report Policies page, select a custom policy you want to edit.
  4. Select the Editor tab.
  1. Select a vulnerability, then Edit. This opens the Vulnerability Editor.
  1. Change as required and select Save.

Please note that your changes apply only to new scans. To see your changes in reports, you need to run new scans with the custom report policy you edited.

How to edit a vulnerability details with the Vulnerability Editor in Invicti Standard
  1. Open Invicti Standard.
  2. From the ribbon, select the Home tab, then Report Policy Editor.
  3. From the Report Policy Editor window, select a vulnerability, then Edit.
  1. From the Vulnerability Editor window, make changes as required.
  1. From the Vulnerability Editor window, select OK to save your changes.
  2. From the Report Policy Editor window, select OK to save your custom report policy.

Please note that your changes apply only to new scans. To see your changes in reports, you need to run new scans with the custom report policy you edited.

Not found what you're looking for?

Open a ticket and our technical support team will assist you quickly.

Open a ticket This will redirect you to the ticketing system.