The report provides details about all discovered security vulnerabilities.

Severity levels

The severity level indicates how serious the vulnerability is depending on what an attacker may achieve by exploiting it. There are five types of severity levels: "Informational", "Low", "Medium", "High" and "Critical".

The "Informational" severity level indicates that vulnerabilities cannot be turned into attacks themselves, however, may provide an attacker with some useful information that they can exploit later. Examples include Admin page being discovered and banner disclosing the type of the server.

The "Low" severity level applies to vulnerabilities that pose threat to the security of the application, however, generally do not lead to serious consequences. Examples are autocompleting forms and source code disclosing the IP address of the server.

Vulnerabilities listed as "Medium" are of significant severity and may lead to a number of unwanted consequences. Some examples are lack of encryption and unrestricted file upload.

Vulnerabilities with "High" severity level can lead to the severe consequence. Examples of such vulnerabilities are SQL Injection, Cross-site Scripting and Directory Traversal.

The "Critical" severity level indicates vulnerabilities which require urgent attention. These vulnerabilities can naturally lead to unrepairable damage to the server, including the attacker gaining access to the whole application. Examples include the possibility for remote code execution.

Attack information

Each report vulnerability is made of several sections which provide additional information.

  • Impact - Provides information about how an attacker might exploit the vulnerability.
  • Solution - Suggests the recommended action in order to fix the problem.
  • References - Provides links to additional external resources that provide more in-depth information about the vulnerability and its fixes.
  • Variants - Provides the number of instances of the vulnerability as well as references to the location where the vulnerability was identified.