Detect
This section shows the vulnerability data detected during auto scanning and manual pen-testing. Vulnerability severity is categorized into three levels: Critical, High, and Medium. The page displays the total number of vulnerabilities detected, the top vulnerabilities, and the vulnerability protection summary.
- Select the Detect tab on the left pane.
- Click the website drop-down icon to choose a website from the list. It displays the last scan details of the website.
- Right below the website drop-down icon, a second drop-down icon lets you download the details of the last three scans of the website.
Scanning Methods
AppTrana has introduced the following two scanning methods to detect the vulnerabilities: Auto Scan and Manual Pen Test.
Auto Scan
The Auto Scan feature discovers vulnerabilities in web applications and shows vulnerability-related information such as Severity and Category.
- Find the Start Scan button on the right pane and click Start Scan.
- A pop-up will be displayed with the following message -
- By default, the Scan Now option will be selected. Click the Confirm button to proceed with scanning.
- To run the scan at a later time, select the Schedule Scan option, set the desired time, and then click the Schedule Scan button.
- To undo the action, click the Cancel button.
Selected Scan
When customers perform an Auto Scan on their website, AppTrana records the scan details of the website and displays them in the Selected Scan section.
- Select the website on the detect page and select the scanned date and time from the last three scans.
In the Selected Scan section, customers can find the following details-
Manual Pen Test
The Manual Pen Test identifies vulnerabilities that are not detected during an Auto Scan.
How does the Manual Pen Test feature work?
- Select the required website from the list.
- Find the Manual Pen Test button on the right pane and click Manual Pen Test.
- A pop-up will be displayed with the following message -
- Click the Confirm button to request a Manual Penetration Test. Another pop-up confirms that the request has been sent to the AppTrana team.
Manual Pen Test
When customers request manual pen tests for their website, AppTrana records the pen testing details of the website and displays them in the Manual Pen Test section.
Note: For each website, AppTrana records and displays only the last three manual pen testing results.
- Select the website on the detect page and select the scanned date and time from the last three manual pen testing results.
On the Manual Pen Test section, customers can find the following details-
- If the customer has already requested a manual pen test, a different pop-up is displayed with the following message.
Scan Report Download
This feature downloads all the details of a scan in PDF format.
- To download the scan report, select the date and time from the last three scans and click the Scan Report Download button.
- Find the Scan Report Download button below the Selected Scan Button.
Vulnerabilities Detected
Vulnerabilities are weighted into three severity levels: Critical, High, and Medium. The Vulnerabilities Detected section displays the total count of vulnerabilities detected during the Auto Scan and Manual Pen Test.
Top Vulnerabilities
The most frequently observed vulnerabilities are counted and displayed in descending order along with the vulnerability category name. This trend changes from scan to scan.
Vulnerability Protection
The Vulnerability Protection summary displays the count of vulnerabilities protected by the core rule set, protected by custom rules, requiring custom rules, protected by premium rules, and requiring fixes in the web application code.
- The count of vulnerabilities that can only be remediated by fixing the web application code on the customer's side is displayed in the Fix required in Web Application Code box. This gives users a concrete action item: fix their code to reduce these vulnerabilities.
- Comparing two different scans helps users see the new vulnerabilities, the closed vulnerabilities, and the count of critical, high, and medium vulnerabilities in each.
- Select a specific scan by date and time, click the scan date and time drop-down and then, click to select a specific scan. The vulnerability details are reloaded as per the selection and the intended details are displayed.
Scan Summary
The Scan Summary feature displays two tables: the first shows details of the vulnerabilities detected and the second shows the protection status of a specific website.
Vulnerabilities
The Vulnerabilities table shows, for each finding, the category of the attack found, its severity, and the scan type that detected it. The columns are described in the following table.
| Parameter | Description |
|---|---|
| URL | All the scanned URLs are displayed. |
| Category | Attack or vulnerability category discovered by the specific scan. |
| Severity | Distinct colors are allotted to severity levels; hover over the symbol to view the severity level. The colors are Red (Critical), Yellow (High), and Blue (Medium). |
| Detected By | Displays the scan type that detected the vulnerability: symbol A for Auto Scan and symbol M for Manual Pen Test. Hover over the icon to view the scan type. |
| View Details | Displays detailed information about the attack, its solution, and references. Attack details such as Vector, Injected URL, Request Header, Response Header, and Result are displayed. |
| POC Status | If a POC (Proof of Concept) request has been made, the status is shown as a POC symbol with an R in the center. When the POC is available, it is displayed as a POC symbol with an A in the center. |
View Details
Click the View Details icon of a specific-scan URL to display the detailed information.
The description of the vulnerability, solution, reference link and attack details like Request Header, Response Header, and Result are displayed.
Request POC
A POC (Proof of Concept) is requested when the customer wants evidence that a reported vulnerability is real and exploitable in their application.
Click the Request POC button of a specific-scan URL. The Confirmation pop-up will appear.
Click the Confirm button to process the request.
Protection
Click the Protection option to display protection-specific details for each URL, such as severity level, protection type, and protection status. The columns are described in the following table.
| Parameter | Description |
|---|---|
| URL | The website's URL. |
| Category | The attack category name. |
| Severity | Different colors are allotted to severity levels; hover over the symbol to view the severity level. The colors are Red (Critical), Yellow (High), and Blue (Medium). |
| Protection Type | The rule type that protects against the attack: AR (Advance Rules) or CR (Custom Rules). N/A is displayed for vulnerabilities that can only be fixed in the customer's web application code. |
| Protection Status | The status of the respective rule, for example Applied, Pending, or Fix in code. The Custom Rule button is displayed for a CR that is not yet applied. A cross symbol is displayed for vulnerabilities that could be protected by custom rules but are currently unprotected. |
| Custom Rule Status | If a POC (Proof of Concept) request has been made, the status is shown as a POC symbol with an R in the center. When the POC is available, it is displayed as a POC symbol with an A in the center. |
Request Custom Rule
Unlike the default rules, these are customer-requested rules that protect a website against a specific attack or vulnerability.
Click the Custom Rule button to request protection. Then, the Confirmation pop-up appears.
Click the Confirm button to confirm the request.