What is a Report Policy?
A Report Policy is a list of reporting settings that apply to both the web security scan results and the generated reports. For example, in a Report Policy you can specify which vulnerabilities Netsparker should report in the scan results if they are identified. You can also change the severity level of a vulnerability, add remedy instructions, modify the vulnerability template text and much more.
Why Do You Need Different Report Policies?
Different environments require different security policies.
Nowadays a typical organization operates multiple websites: some are used for marketing, others are used by business partners and customers, and so on. Given the different functionality and role of each website, each requires a different level of urgency, especially when it comes to fixing security flaws.
There is a difference between a cross-site scripting (XSS) vulnerability on a mission-critical web application, on which customers log in, and a cross-site scripting vulnerability on a marketing website that does not require users to authenticate. This is the scope of Report Policies: they allow you to prioritize your work and so improve the security posture of your web assets.
For the example mentioned above you can create two different Report Policies:
Report Policy for mission-critical websites: in this policy the cross-site scripting (XSS) vulnerability should have a severity of Critical, because users log in to such websites, so an attacker who exploits the vulnerability could hijack sessions and access user accounts.
Report Policy for marketing websites: in this policy the cross-site scripting (XSS) vulnerability can have a severity of Medium, because visitors are not required to authenticate, so exploiting the XSS vulnerability carries no major risk.
This does not mean you do not have to fix all the vulnerabilities; different severities simply allow you to prioritize your work, especially when you have to deal with hundreds or thousands of websites and developers.
How Does a Report Policy Work?
It is important to note that a Report Policy only changes how the web security scanner reports its findings in the interface and in reports. To enable or disable specific security checks, use a Scan Policy.
When you exclude the SQL Injection vulnerability from a Report Policy, the scanner still checks whether the target web application is vulnerable to SQL Injection. Should it identify one, it will not report it in the scan results. Note that the Report Policy only hides the SQL Injection finding. Therefore, if you generate a report from the same scan with the Default Report Policy, in which the SQL Injection vulnerability is included, the identified SQL Injection vulnerability will be listed in that report.
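As an added illustration (this is not Netsparker's code or data format; the findings, URLs, severity labels and policy names are constructed for the example), the following Python models the behaviour described in this section and in the severity example above: a Report Policy re-labels severities and hides excluded vulnerability types from the rendered view, while the stored scan results stay intact, so rendering the same scan with the Default Report Policy brings a hidden SQL Injection finding back.

```python
"""Constructed model of how a Report Policy filters and re-labels scan findings.

Added illustration, not Netsparker's code. The finding records, policy names
and severities below are made up; only the behaviour (hide, don't delete;
override severity at report time) follows the article.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample findings, as a scanner might store them after a scan.
# Severities are the scanner's defaults before any Report Policy is applied.
SCAN_RESULTS: List[dict] = [
    {"id": 1, "type": "Cross-site Scripting", "url": "https://example.test/login", "severity": "High"},
    {"id": 2, "type": "SQL Injection", "url": "https://example.test/item", "severity": "Critical"},
    {"id": 3, "type": "Missing X-Frame-Options Header", "url": "https://example.test/", "severity": "Low"},
]

# Ordering used for prioritisation; a lower rank sorts first.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Information": 4}


@dataclass
class ReportPolicy:
    """Reporting settings only: which vulnerability types are shown and with
    what severity. A Report Policy never changes which checks the scan ran."""
    name: str
    excluded: Set[str] = field(default_factory=set)
    severity_overrides: Dict[str, str] = field(default_factory=dict)


def apply_report_policy(findings: List[dict], policy: ReportPolicy) -> List[dict]:
    """Render `findings` as they would appear in results/reports under `policy`.

    The stored findings are never modified: an excluded type is merely left out
    of the rendered view, so regenerating with another policy brings it back.
    """
    rendered = []
    for finding in findings:
        if finding["type"] in policy.excluded:
            continue  # hidden in this view, still present in `findings`
        shown = dict(finding)  # copy, so overrides never touch the scan data
        shown["severity"] = policy.severity_overrides.get(finding["type"], finding["severity"])
        rendered.append(shown)
    return rendered


def prioritize(rendered: List[dict]) -> List[int]:
    """Finding ids ordered by the severity the policy assigned (ties broken by id)."""
    ordered = sorted(rendered, key=lambda f: (SEVERITY_RANK[f["severity"]], f["id"]))
    return [f["id"] for f in ordered]


def severity_of(rendered: List[dict], vuln_type: str) -> Optional[str]:
    """Severity shown for `vuln_type` in a rendered view, or None if hidden."""
    for finding in rendered:
        if finding["type"] == vuln_type:
            return finding["severity"]
    return None


# The two policies from the article, plus a constructed one that hides SQL Injection.
DEFAULT_POLICY = ReportPolicy("Default Report Policy")
MISSION_CRITICAL = ReportPolicy("Mission-critical websites",
                                severity_overrides={"Cross-site Scripting": "Critical"})
MARKETING = ReportPolicy("Marketing websites",
                         severity_overrides={"Cross-site Scripting": "Medium"})
SQLI_HIDDEN = ReportPolicy("SQL Injection hidden (constructed)", excluded={"SQL Injection"})


if __name__ == "__main__":
    for policy in (DEFAULT_POLICY, MISSION_CRITICAL, MARKETING, SQLI_HIDDEN):
        view = apply_report_policy(SCAN_RESULTS, policy)
        print(f"{policy.name}: {len(view)} finding(s), priority order {prioritize(view)}")
        for finding in view:
            print(f"  [{finding['severity']}] {finding['type']} at {finding['url']}")
```

Running the script shows the same three stored findings rendered four ways: the SQL Injection finding disappears only under the policy that excludes it, and the XSS finding moves to the top of the priority order under the mission-critical policy and below SQL Injection under the marketing policy, while `SCAN_RESULTS` itself is never changed.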
Continue reading this article for information on how to create your own Custom Report Policy.
Creating a New Custom Report Policy
Netsparker Desktop has a built-in Report Policy called Default Report Policy. It is read-only and provides the base settings for your custom Report Policies, so it can be cloned rather than edited.
Launch the Report Policy Editor
To create a new Report Policy, launch the Report Policy Editor. You can start it by clicking the Options button (the button with three dots) on the right side of the Report Policy section in the Start a New Website or Web Service Scan dialog window, as highlighted below.
The Report Policy Editor can also be launched from the Tools drop-down menu or by pressing F7.
Create a New or Clone the Default Report Policy
In the Report Policy Editor, click the New button to create a new Report Policy or the Clone button to copy the selected Report Policy. Once created, the Report Policy is added to the list and automatically selected, as shown in the screenshot below.
At this stage you can browse through the list of vulnerabilities on the bottom left-hand side. You can also use the input field at the top to search for a specific vulnerability and modify any of the following:
Exclude a Vulnerability from the Web Security Scan Report
To exclude a vulnerability from being reported in the web security scan results and reports, simply uncheck the checkbox next to the vulnerability name, as shown in the screenshot below.
When a vulnerability is unchecked in a Report Policy and Netsparker identifies it during a scan, it will not report it in the scan results or in any of the reports generated with that Report Policy. However, if you generate a report from the same scan with a different Report Policy in which the vulnerability is included, the vulnerability will be listed in that report.
Edit a Vulnerability Template
A vulnerability template is the text Netsparker Desktop uses to report an identified vulnerability. To edit a vulnerability template, highlight the vulnerability in the list and click on any section to launch the rich-text editor and edit the text.
Add / Remove Sub Sections from the Vulnerability Template
A vulnerability template has the following sections:
- Vulnerability Details
- Actions to Take
- Required Skills for Successful Exploitation
- External References
- Remedy References
- Proof of Concept Notes
You can enable or disable any of the sections listed above by using the toggle next to the section's header.
Save the New Report Policy Changes
Once you have finished editing a vulnerability template, click the Save button to save your changes or Discard to undo them. You can use the Restore button to restore the selected vulnerability's template from the Default Report Policy.
Click the OK button at the bottom left of the editor to exit, then select the newly created Report Policy for your next web application security scan from the Report Policy drop-down menu.
Generate a Scan Report with the New Report Policy
You can also use a Report Policy as a template for a web security scan report: select the report template from the Reporting drop-down menu and then specify the Report Policy in the report options, as seen in the screenshot below.