The vulnerability checks (QIDs) performed by the scanning engine during a web application scan let the user examine web applications for common vulnerability types. Web application vulnerability checks are performed for web application scans only (not for vulnerability scans or compliance scans). These include:
• Cross-site Scripting Vulnerabilities: Persistent, Reflected, Header, Browser-specific
• SQL Injection Vulnerabilities: Regular and Blind
Additional web application vulnerabilities report information gathered about the web application during the scan, such as the links crawled, the external links discovered, the external form actions discovered, host information, and scan diagnostics.
Web application vulnerabilities cannot be edited in the KnowledgeBase.
User Permissions: Users can scan for web application vulnerabilities when the web application scanning (WAS) module is enabled at the subscription level and the users have WAS permissions. See Users and WAS Features.
To view web application vulnerabilities in the KnowledgeBase:
1. Select KnowledgeBase from the left menu, under Tools.
2. Click Search on the top menu bar. The Search pop-up window appears.
3. From the Category menu, select Web Application.
4. Click Search.
Every web application vulnerability is assigned a severity level. See WAS Severity Levels for a description of each severity level.