Vulnerability description
Locations table
When you select a type of vulnerability in your group's Vulnerabilities section, you are directed to a subsection with specific information about it. The title is the name of the type of vulnerability preceded by the number we have assigned to it in our list. Below it is the header with global information about that type of vulnerability. Further below, you will notice that you are in that type of vulnerability's Locations tab, which shows the locations table. This table shows the following information, from the leftmost to the rightmost column:
- Location: The files where this type of vulnerability has been reported. They can be understood as individual vulnerabilities of that type.
- Specific: In what lines of code, inputs (e.g., password field) or ports each vulnerability was detected.
- Status: Whether each vulnerability has been closed (remediated) or remains open.
- Report date: The dates when vulnerabilities were reported.
- Reattack: Whether a reattack has been requested and is pending, is on hold, has been verified (open) or verified (closed). If this cell is blank, it should be interpreted that a reattack has not been requested.
- Treatment: The defined treatment for each vulnerability, which could be in progress, temporarily accepted, permanently accepted or zero risk.
- Tags: Any tags that you have given each vulnerability to identify it.
Filters
In the Locations subsection for each type of vulnerability, there is a Filters button that offers you six options to filter the information presented in the locations table.
Description tab
Clicking on the Description tab, you will see a subsection with concise technical information about the type of vulnerability you are exploring. There you will find what this type of vulnerability consists of, the security requirements with which you are not complying, the potential dangers this represents, and what actions you can implement to remediate this type of vulnerability or mitigate its risk. For more information about this subsection, we recommend you follow this link.
Severity score
For the calculation of the severity of vulnerabilities, we use the Common Vulnerability Scoring System (CVSS) version 3.1. For more information, go to the following link.
Evidence
The Evidence tab corresponds to a subsection where we provide you with supporting proof of the existence and exploitation of the corresponding type of vulnerability. We present such evidence in pictures, videos or GIFs when we identify this type of vulnerability for the first time in your system. This evidence changes each time we perform a reattack on this type of vulnerability.
Tracking
Here you find the history of each vulnerability. For more information, go to the following link.
Records
Clicking on the Records tab, you can see a section with a table showing the information our ethical hackers obtained after exploiting the specific type of vulnerability in your system that you are exploring. We consider all the information included there, which varies from case to case, to be sensitive and relevant to your organization. You might see financial information (e.g., account numbers, financial movements, credit card numbers), personal information (e.g., phone numbers, contacts, personal IDs, physical addresses), technical information (e.g., roles, keys, access tokens), among others.
Consulting
You can post any doubt, comment, or thought you want to share with the Fluid Attacks team or your team in the Consulting tab. This section works like a forum where anyone can post and reply. For more information, go to the following link.