WAS Severity Levels

Web application vulnerability checks are performed for web application scans only (not vulnerability scans or compliance scans). Every web application vulnerability is assigned a severity level, which is determined by the security risk associated with its exploitation. The following tables describe the possible consequences associated with each severity level, first for vulnerabilities and then for information gathered.

Refer to the KnowledgeBase for a complete list of all web application checks performed by the scanning engine. All web application vulnerabilities are assigned to the Web Application category.

Vulnerabilities

Vulnerabilities are design flaws, programming errors, or misconfigurations that make your web application and web application platform susceptible to malicious attacks. Depending on the level of security risk, the consequences of successful exploitation range from information disclosure to complete compromise of the web application and/or the web application platform. Even if the web application itself is not fully compromised, an exploited vulnerability can still allow the application to be used as a platform for attacks against its users (for example, through cross-site scripting).

SEVERITY LEVEL       DESCRIPTION

Level 1 (Minimal)    Basic information disclosure (e.g. web server type, programming language) might help intruders discover other vulnerabilities, but withholding this information would not make those other vulnerabilities materially harder to find.

Level 2 (Medium)     Intruders may be able to collect sensitive information about the application platform, such as the precise version of the software in use. With this information, intruders can go directly to known, version-specific vulnerabilities and exploits. Other disclosures at this level include a few lines of source code or the names of hidden directories.

Level 3 (Serious)    Vulnerabilities at this level typically disclose security-related information that could be misused directly or lead to an exploit. Examples include source code disclosure and transmission of authentication credentials over an unencrypted channel.

Level 4 (Critical)   Intruders can exploit the vulnerability to obtain highly sensitive content or to affect other users of the web application. Examples include certain types of cross-site scripting and SQL injection.

Level 5 (Urgent)     Intruders can exploit the vulnerability to compromise the web application's data store, obtain information from other users' accounts, or obtain command execution on a host in the web application's architecture.
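As an added illustration of the distinction the Minimal, Medium and Serious rows draw (this is example code written for this page, not the Qualys WAS scanning engine's own check logic), the following Python classifies two kinds of evidence a crawler sees on every response: technology banners in response headers, where a bare product name is Minimal and a precise version number is Medium, and login forms whose action would send a password over plain HTTP, which is Serious. The sample headers, the HTML page and the example.com URLs are constructed for the demonstration; the severity labels follow the table above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Severity labels as used on this page, ordered from least to most severe.
SEVERITY = ["Minimal", "Medium", "Serious", "Critical", "Urgent"]

# A "precise version" is any dotted numeric string, e.g. the 2.4.41 in Apache/2.4.41.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")

# Headers that commonly carry a technology banner (assumed list for the example).
BANNER_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")


def classify_banners(headers):
    """Return (severity, evidence) tuples for technology banners in response headers.

    A bare product or language name only tells an attacker what to look for
    (Minimal); a precise version lets them go straight to version-specific
    public exploits (Medium).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in BANNER_HEADERS:
        value = lowered.get(name.lower())
        if not value:
            continue
        level = "Medium" if VERSION_RE.search(value) else "Minimal"
        findings.append((level, f"{name}: {value}"))
    return findings


class _FormParser(HTMLParser):
    """Collect every <form>, its action attribute and whether it has a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_credential_forms(page_url, html):
    """Flag password forms whose resolved action URL is plain http:// (Serious)."""
    parser = _FormParser()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])  # relative actions inherit the page scheme
        if urlparse(target).scheme == "http":
            findings.append(("Serious", f"password form posts to {target}"))
    return findings


def highest_severity(findings):
    """Return the most severe label among the findings, or None if there are none."""
    if not findings:
        return None
    return max((level for level, _ in findings), key=SEVERITY.index)


# Constructed sample responses (not real scan output).
SAMPLE_HEADERS_TYPE_ONLY = {"Server": "nginx", "X-Powered-By": "PHP"}
SAMPLE_HEADERS_VERSIONED = {"server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"}
SAMPLE_LOGIN_PAGE = """
<html><body>
<form action="http://www.example.com/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
</body></html>
"""

if __name__ == "__main__":
    for label, headers in (("type only", SAMPLE_HEADERS_TYPE_ONLY), ("versioned", SAMPLE_HEADERS_VERSIONED)):
        found = classify_banners(headers)
        print(label, highest_severity(found), found)
    forms = classify_credential_forms("https://www.example.com/", SAMPLE_LOGIN_PAGE)
    print("login page", highest_severity(forms), forms)
```

The version regex is deliberately loose: a banner such as "Apache" is Minimal, while "Apache/2.4.41 (Ubuntu)" is Medium even though the patch level may be a distribution backport, which is exactly the kind of judgement a human reviewer applies on top of the scanner's rating.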


Information Gathered

Information Gathered findings record visible information about the web application's platform, code, or architecture. They may also include information about users of the web application.

SEVERITY LEVEL       DESCRIPTION

Level 1 (Minimal)    Intruders may be able to retrieve sensitive information related to the web application platform.

Level 2 (Medium)     Intruders may be able to retrieve sensitive information related to the internal functionality or business logic of the web application.

Level 3 (Serious)    Intruders may be able to detect highly sensitive data, such as personally identifiable information (PII) about other users of the web application.