AppSpider Pro Reports
Access Your Reports
You can view a scan report in your AppSpider console or as an HTML file in your browser. To view the report:
- Go to your scan in the “Main” tab.
- Right click your scan and select View Report in console or View Report, which will load the HTML report in a browser of your choice.
- To generate a PDF report make sure that the "PDF Reports" option is checked in the "Reporting" tab of your scan config wizard.
View Report Types
You can utilize reporting to understand the vulnerabilities in your app environment.
AppSpider Pro provides different types of reports for you to use, depending on what you need:
- Site structure, which displays all of the crawled links and discovered vulnerabilities
- Site info, which provides metrics about different vulnerable objects discovered in your app
- Findings, which breaks down vulnerability findings per role, such as App Developer or Server Administrator
Understand Scan Report Results
You can utilize the different reports to assess the current state of security for your environment and share the recommended remediations with your stakeholders. The first action you should take is to confirm the coverage of the scan. Stakeholders should review the Site Structure to verify that coverage is correct given the constraints defined in the crawl restrictions. Then, depending on your role, you can start to dig deeper into individual vulnerabilities or vulnerability categories. The Findings tab specifically categorizes vulnerabilities into the following areas:
- Application Developer
- Database Administrator
- Server Administrator
- Privacy
- Reflection
- Best Practice
In the Findings tab, expand each of these areas to see a list of vulnerabilities associated with the role. Expand a vulnerability category another level to see a list of URLs where this vulnerability exists.
Understand Vulnerabilities
Each vulnerability displays a description, a reference, and a recommendation for remediation. You can also see the request used and the response received, including HTML responses. You can find vulnerabilities from the Site Structure tab or from the Findings tab. The Site Structure tab, or crawl traffic, catalogues all of the URLs “crawled” by the scan. These URLs are sorted into folders, which have color indicators. Right click on a vulnerability in the list and then click View Finding. The Findings tab allows you to break down findings by role, severity, or active and passive attacks. Both tabs use color to convey high level information:
- Gray indicates that the link or folder was not scanned.
- Blue indicates informational findings.
- Green indicates the finding is safe.
- Yellow indicates low risk findings.
- Orange indicates medium risk findings.
- Red indicates high risk findings.
Read a Vulnerability Result
Clicking on any vulnerability will display the vulnerability details in a panel on the right side of your screen. The top row in the panel displays general details, such as the name and severity of the underlying attack, the review status of the vulnerability, and the time of its first and last appearance. Each vulnerability will have the following information:
- Attack type:
- Attack description: The variation of the attack being attempted.
- Original value: The original, non-malicious value of the parameter, used to observe the normal behaviour of the app.
- Parameter
- Attack value: A specially crafted value that is intended to make the app behave abnormally.
- Vulnerability: The specific string used in the attack.
- Crawl traffic: A snapshot of the HTTP request sent with the attack value in the parameter and the resulting erroneous response, alongside the HTTP request sent to the app in the normal case and the response received.
You can also change the severity and status of the vulnerability from this panel. For example, if you believe that your industry is particularly exposed to attacks through a certain vulnerability, you can raise a low risk vulnerability to high risk.
Validate a Vulnerability
It is important that you validate vulnerabilities to confirm that they are an actual risk to your environment, and not a one-time error in the scan.
You can validate a vulnerability in the AppSpider Console and from the HTML report in your browser. In order to use the Validate feature in your browser, you must install the Rapid7 Appsec plugin from the Chrome store: https://chrome.google.com/webstore/detail/rapid7-appsec-plugin/mnmlipalillmakdiildpclhocfgcddnp
To validate a finding in the console:
- Select the vulnerability from its category in "Findings," or from its location in the "Site Structure."
- If you selected the vulnerability from the Site Structure, right click it and select View Finding. Then right click the vulnerability and select Validate. A new window tab will appear.
- The vulnerabilities you want to validate will appear in a list. Select the individual vulnerability.
- In the middle right of the AppSpider console, click the button that says Send to Request Builder. A new tab window will open. Read more about the Request Builder.
In the Request Builder, make desired changes to the Request and Response bodies. Click Send in the top left corner to rerun the vulnerability.
To validate a finding in the HTML report:
- Make sure you have the Rapid7 AppSec Plugin installed in Chrome.
- From the Report drop down menu, select Vulnerabilities from the list of reports.
- Find the vulnerability and expand it by clicking the + icon.
- Click the Validate button. A new window will appear.
- Use the GET and POST attack requests to recreate the vulnerability and confirm that it is a consistent risk in your environment.
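The validation workflow above, and the original value / attack value / crawl traffic fields described under "Read a Vulnerability Result", amount to one check: resend the request with the benign value, resend it with the attack value, and treat the finding as real only if the abnormal behaviour reproduces rather than appearing once. The following script is an added example that is not AppSpider or Rapid7 code; it models that replay step in plain Python. The `send` transport, the `strict_server` and `make_flaky_server` stand-ins, the URL `https://app.example.test/search` and the parameter `q` are all constructed for the example, and "abnormal" is defined here as a server error or a status code different from the baseline.

```python
# Added example (not AppSpider code): replay-based validation of a scanner finding.
# Resend the benign request once, resend the attack request several times, and
# report the finding as reproduced only if every attack replay behaves abnormally
# while the benign baseline is healthy. The transports below are constructed stubs.
from dataclasses import dataclass
from urllib.parse import urlencode, urlsplit, parse_qs, urlunsplit


@dataclass
class Exchange:
    """One request/response pair, mirroring the 'crawl traffic' snapshot in a finding."""
    method: str
    url: str
    status: int
    body: str


def with_param(url: str, param: str, value: str) -> str:
    """Return url with the query parameter `param` set to `value` (other params kept)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query[param] = [value]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def is_abnormal(baseline: Exchange, attempt: Exchange) -> bool:
    """Abnormal = a server error, or a status that differs from the benign baseline."""
    return attempt.status >= 500 or attempt.status != baseline.status


def validate_finding(send, method, url, param, original, attack, attempts=3):
    """Replay the benign request once and the attack request `attempts` times.

    `send(method, url) -> (status, body)` is the transport (a stub here; in practice
    it would deliver the request to the application under test).
    """
    base_url = with_param(url, param, original)
    b_status, b_body = send(method, base_url)
    baseline = Exchange(method, base_url, b_status, b_body)
    baseline_healthy = baseline.status < 500  # a broken baseline makes the comparison meaningless

    hits = 0
    attack_url = with_param(url, param, attack)
    for _ in range(attempts):
        a_status, a_body = send(method, attack_url)
        if is_abnormal(baseline, Exchange(method, attack_url, a_status, a_body)):
            hits += 1

    return {
        "baseline_status": baseline.status,
        "baseline_healthy": baseline_healthy,
        "hits": hits,
        "attempts": attempts,
        # consistent risk: every replay misbehaved and the benign request did not
        "reproduced": baseline_healthy and hits == attempts,
    }


# Constructed stand-in servers (not a real application):
def strict_server(method, url):
    """Deterministic: answers 500 whenever parameter 'q' is not purely alphanumeric."""
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    if not q.isalnum():
        return 500, "Internal Server Error"
    return 200, "ok"


def make_flaky_server(fail_on_call=2):
    """Fails on exactly one call (call 2 = the first attack replay, since call 1 is
    the baseline), then behaves normally: the 'one-time error in the scan' case."""
    calls = {"n": 0}

    def server(method, url):
        calls["n"] += 1
        if calls["n"] == fail_on_call:
            return 500, "transient error"
        return 200, "ok"

    return server


if __name__ == "__main__":
    url = "https://app.example.test/search?q=hello"  # constructed target
    print(validate_finding(strict_server, "GET", url, "q", "hello", "hello!"))
    print(validate_finding(make_flaky_server(), "GET", url, "q", "hello", "hello!"))
```

Against the deterministic stub the finding reproduces on all three replays; against the flaky stub only the first replay misbehaves, so the result is reported as not reproduced, which is the case the text warns about. Replacing the stub with a real transport is the only change needed to run this against an application you are authorised to test.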
Utilize the Global Vulnerability Findings
If a vulnerability is a false positive or an acceptable risk, you can choose to “ignore” the vulnerability either for a single instance or for all future instances. Find the vulnerability category and select Ignore Globally.
All of the findings you mark as a false positive will remain in the Global Repository. You can access the Global Repository by selecting Tools > Global Findings Repository. Use previously marked findings to help you identify other false positives.