About this Issue report

The About this Issue dialog summarizes the selected issue in the application and is identified by the issue's unique Issue ID. It provides details about the issue and offers an advisory for QA and web developers to use during their remediation process. Depending on the type of issue selected, not all of the information discussed in this topic appears in the user interface.

Advisory

The Advisory contains the following details about the issue:
  • Type of Test (Application or Infrastructure)
  • Web Application Security Consortium (WASC) Threat Classification
  • The security risks (worst case scenarios) to your organization
  • The possible causes of how the vulnerability came to exist in your application
  • Technical Description of the issue
  • Affected Products (product versions affected by this security issue, such as ASP.Net 1.1 Service Pack 1)
  • References and Relevant Links, including CVE, CWE, and IBM Security X-Force

Fix Recommendation

A Fix Recommendation provides developers with code samples specific to certain development environments so the issue can be fixed in the application source code:
  • General
  • .Net
  • J2EE
  • Recommended Java™ Tools
  • References

Glass Box

While regular scanning treats the application as a "black box", analyzing its output without "looking inside" it, glass box scanning uses an agent installed on the application server to inspect the code itself during the scan. Glass box scanning has the following advantages:
  • During the Explore phase, glass box scanning can reveal HTTP parameters that affect the server side but are not found in responses, and which would therefore not be discovered by black box scanning alone.
  • During the Test phase, glass box scanning can verify the success or failure of certain tests, such as Blind SQL Injection, with greater accuracy, resulting in fewer "false positive" results. It can also reveal the existence of certain security issues that cannot be detected by black box techniques.

Code Snippets

Code Snippets provide static analysis of JavaScript source code; the issues found include source-level trace information highlighting the vulnerable source code. Highlighted and numbered lines in the code show, step-by-step, from source to sink, how untrusted data that enters the application gets propagated until it is used in an insecure way.
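As an added illustration (not from the original page or from the AppScan product itself), the minimal Python tracer below walks a constructed JavaScript fragment and emits the kind of numbered source-to-sink steps the Code Snippets view presents; the fragment, the source and sink lists, and the simplified statement parsing are all assumptions made for the example.

```python
import re

# Constructed JavaScript fragment (illustrative only): untrusted data enters from
# the URL fragment and reaches innerHTML through two intermediate assignments.
SNIPPET = """
var frag = window.location.hash;
var name = frag.substring(1);
var greeting = "Hello " + name;
document.getElementById("out").innerHTML = greeting;
var label = "static text";
document.title = label;
"""

# Assumed taint sources (untrusted input) and sinks (insecure use) for the example.
SOURCES = {"window.location.hash", "location.hash", "location.search", "document.URL"}
SINKS = {"innerHTML", "outerHTML", "document.write", "eval"}

IDENT_RE = re.compile(r"[A-Za-z_$]\w*(?:\.\w+)*")   # dotted identifiers
CALL_RE = re.compile(r"^(\w+(?:\.\w+)*)\((.*)\)$")   # e.g. eval(payload)


def _idents(expr):
    """Dotted identifiers in an expression, with string literals blanked out first."""
    return set(IDENT_RE.findall(re.sub(r'"[^"]*"|\'[^\']*\'', '""', expr)))


def trace(snippet):
    """Follow untrusted data from its source to the first sink it reaches.

    Returns a list of (line_no, kind, code) steps, kind being "source",
    "propagation" or "sink". An empty list means no tainted value reached a sink.
    The parser only understands one simple assignment or call per line.
    """
    tainted = set()   # variable names currently holding untrusted data
    steps = []
    for no, raw in enumerate(snippet.strip().splitlines(), start=1):
        code = raw.strip()
        stmt = code.rstrip(";")
        stmt = stmt[4:] if stmt.startswith("var ") else stmt
        if "=" in stmt:
            target, args = (s.strip() for s in stmt.split("=", 1))
        else:
            m = CALL_RE.match(stmt)
            if not m:
                continue
            target, args = m.group(1), m.group(2)
        idents = _idents(args)
        reads_source = bool(idents & SOURCES)
        reads_tainted = bool({i.split(".")[0] for i in idents} & tainted)
        if not (reads_source or reads_tainted):
            continue
        if target.rsplit(".", 1)[-1] in SINKS:          # tainted data used insecurely
            steps.append((no, "sink", code))
            return steps
        tainted.add(target)
        steps.append((no, "source" if reads_source else "propagation", code))
    return []


if __name__ == "__main__":
    for step_no, (line_no, kind, code) in enumerate(trace(SNIPPET), start=1):
        print(f"{step_no}. line {line_no} [{kind}] {code}")
```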

Trace

Trace information about the imported AppScan® Source vulnerability includes:
  • Classification: indicates the type of finding: Security (Definitive or Suspect) or Configuration.
  • Context: displays the data flow for the method in the output stack, including the line number in the source code where the issue and context appear.
  • Source File: indicates the source files in the workspace project that contain the vulnerabilities.
  • Line number: indicates where in the code the vulnerability was detected.

Test Requests and Responses

The Test Requests and Responses section provides information about the tests, and their specific variants, that were sent to your web application to discover where it has weaknesses. A test might have multiple variants. A variant is a slight modification of the original test request that the scan job sends to your web application server. A request is first sent that is meant to be legal and to follow the business logic of your application. The scan then sends the same request, modified to discover how your application handles incorrect or mistaken requests. Each test request might have a number of variants, as many as needed to cover all the security rules in the extensive database. For example, a test is sent to check that you have enforced user input rules for a specific parameter. One variant checks that apostrophes are not valid input; another variant checks that quotation marks are not allowed.

Note:
  • The "About This Issue" page does not show variants that are fixed; it only shows the variants that were not fixed.
  • In previous versions, the original and test traffic was displayed. Starting in v9.0.2.1, only test traffic is displayed and included in the XML export.