Test Vulnerability Remediation

Testing whether a fix works is an integral part of application security. You can try code changes and test whether they fix the vulnerability by replaying the attack from the Vulnerability Details window. To validate whether a remediation worked, you can also re-run the same scan that the vulnerability was found in.

Replay attack

You can replay the attack using the Rapid7 AppSec Plugin for Chrome browsers. Replaying attacks allows you to watch the attack traffic to determine whether a vulnerability is valid. You can also edit the request in the Request Builder to see if a change fixes or further validates a vulnerability.

In InsightAppSec, you can access vulnerabilities and replay attacks from the scan report or vulnerability.

Workflow of validating vulnerabilities using attack replay

After installing the plugin, you can generate a scan report or view vulnerabilities within a scan and replay the attack.

Validate by scan report

  1. On the All Apps page, select the app you want to validate.
  2. On the app details page, select the scan you want to generate a report for.
  3. Click Generate Report
  4. Give the report a name and choose HTML export.
  5. When the report is available, replay the attack.
    1. Select an attack type and then click Replay Attack.
    2. In the Vulnerability Validator window, use the tabs at the top to switch between the steps in the attack traffic that occurred.
    3. On each tab, click Send to validate each attack with the Request Builder. The response headers and response body will return with the attack information.

Validate by vulnerability

  1. On the All Apps page, select the app you want to validate.
  2. On the Vulnerabilities tab, select the vulnerability you want to validate.
  3. When the Vulnerability Validator window opens, replay the attack.
    • Select an attack type and then click Replay Attack.
    • In the Vulnerability Validator window, use the tabs at the top to switch between the steps in the attack traffic that occurred.
    • On each tab, click Send to validate each attack with the Request Builder. The response headers and response body will return with the attack information.

Test remediation by re-running a scan

Validation scans use the scan engine. To test a fix on a single vulnerability without scanning, you can Replay an Attack.

Validation scan

Run a validation scan to see if the previous scan can find the vulnerability again. If the scan doesn't find it, the vulnerability status changes to Remediated.

  1. In your app, select the scan that you want to validate.
  2. Click Validate Scan.
  3. To view scan progress, click Scan Status in the banner notification.
  4. When the scan completes, on the Scan Details page, verify that the remediated vulnerability is listed in the Remediated field.
  5. On the All Vulnerabilities page, verify that the vulnerability is not listed.
Why should I test remediation this way?

Only vulnerabilities that still exist in your app will be listed in the validation scan results. Vulnerabilities that were attacked and not found to be no longer vulnerable will have their status updated to Remediated and will not be included in the validation scan results.

You can see how many vulnerabilities were remediated by checking the Remediated field in the Scan Information drawer. Any vulnerabilities that could not be attacked will not be included in the validation scan results and their status will not be updated.

How do I know if the vulnerability is remediated?

Validation scans automatically change the vulnerability status depending on whether the vulnerability was found, not found, or unknown when run against the parent scan:

  • Found - still vulnerable and will be part of the validation scan results.
  • Not found - no longer vulnerable, status is updated and the vulnerability is not included in the validation scan results.
  • Unknown - engine could not repeat the original attacks, statuses remain the same but the vulnerability is not included in the validation scan results.
Original statusFound vulnNot foundUnknown
UnreviewedUnreviewedRemediatedUnreviewed
IgnoredIgnoredRemediatedIgnored
VerifiedVerifiedRemediatedVerified
RemediatedUnreviewedRemediatedRemediated
False PositiveFalse PositiveFalse PositiveFalse Positive
DuplicateDuplicateDuplicateDuplicate

Scanning recommendation

Use validation scans to test for remediation and full scans for a complete view of your app security. Validation scans run against the attack findings from the parent scan and may find vulnerabilities that were not discovered in the parent scan. Although the All Vulnerabilities page includes new and existing vulnerabilities found by a validation scan, it is not as comprehensive as running a full scan on the parent scan.