Netsparker web application security scanner scans for a wide variety of vulnerabilities in websites, web applications and web services. Each vulnerability has a different impact: some need to be addressed urgently, while others are a lower priority. For example, a SQL Injection vulnerability should be prioritized over an Internal IP Address Disclosure.
What Are Vulnerability Severities?
To help you decide which vulnerabilities to fix first, Netsparker assigns each one a severity level in its scans and reports. This article defines the following severity levels: Critical, High, Medium, Low, Best Practice and Information.
Critical Severity Web Vulnerabilities
This section explains how we define and identify web vulnerabilities of Critical severity.
Critical Severity Example
This is what a report of a Critical severity vulnerability looks like in Netsparker web application security scanner.
Impacts of Critical Severity Web Vulnerabilities
The impacts of Critical severity vulnerabilities are as follows:
- These vulnerabilities can allow attackers to take complete control of your web applications and web servers. By exploiting this type of vulnerability, attackers could carry out a range of malicious acts including (but not limited to):
  - Stealing information (for example, user data)
  - Tricking your users into supplying them with sensitive information (for example, credit card details)
  - Defacing your website
- By exploiting a Critical severity vulnerability, attackers can access your website's entire server. This allows them to acquire user and administrator information that might enable further changes, such as deleting or modifying other user accounts.
- By exploiting such vulnerabilities, attackers can access and control logged-in user or administrator accounts, enabling them to hijack those accounts and make changes that typically only those users can.
Suggested Action for Critical Severity Vulnerabilities
A Critical severity vulnerability means that your website can be compromised at any time. Make fixing these vulnerabilities your highest priority and address them immediately. Once you have fixed them, rescan the website to confirm that they have been eliminated.
High Severity Web Vulnerabilities
This section explains how we define and identify web vulnerabilities of High severity.
High Severity Example
This is what a report of a High severity vulnerability looks like in Netsparker.
Impacts of High Severity Vulnerabilities
- By exploiting such vulnerabilities, attackers can view information about your system that helps them find or exploit other vulnerabilities, which in turn can enable them to take control of your website and access sensitive user and administrator information.
Suggested Action for High Severity Vulnerabilities
A High severity vulnerability means that your website can be compromised, and that attackers can use it to find other vulnerabilities with a bigger impact. Fix these vulnerabilities immediately. Once you have fixed them, rescan your website to confirm that they have been eliminated.
Medium Severity Web Vulnerabilities
This section explains how we define and identify web vulnerabilities of Medium severity.
Medium Severity Example
This is what a report of a Medium severity vulnerability looks like in Netsparker.
Impacts of Medium Severity Vulnerabilities
- Attackers can access a logged-in user account to view sensitive content.
- By exploiting these issues, attackers can access information that helps them exploit other vulnerabilities, or better understand your system so that they can refine their attacks.
Suggested Action for Medium Severity Vulnerabilities
Since the impact of Medium severity vulnerabilities is usually not direct, you should first focus on fixing Critical and High severity vulnerabilities. However, Medium severity vulnerabilities should still be addressed at the earliest opportunity.
Low Severity Web Vulnerabilities
This section explains how we define and identify web vulnerabilities of Low severity.
Low Severity Example
This is what a report of a Low severity vulnerability looks like in Netsparker.
Impacts of Low Severity Vulnerabilities
Low severity vulnerabilities on your website need not cause undue concern. These issues have no significant direct impact and are generally not exploitable on their own.
Suggested Action For Low Severity Vulnerabilities
If time and budget allow, it is worth investigating and fixing Low severity vulnerabilities.
Best Practice Issues
This section explains how we define and identify Best Practice items.
Best Practice Example
This is what a report of a Best Practice issue looks like in Netsparker.
Impacts of Best Practice Issues
The Best Practice severity level is for detected issues that are recommended practices rather than vulnerabilities, and so are not as serious as the preceding severity levels. Depending on the suggestion, the impact of ignoring it might include reduced privacy for your users, the loss of an extra layer of defence for your site, or failure to meet industry standards.
Suggested Action for Best Practice Issues
Usually, the remedy for a Best Practice issue is to configure a value, attribute, HTTP header or tag. The Vulnerability tab of the Central Panel provides specific instructions on what the remedy is and how to apply it.
Information Alerts
This section explains how we define and use Information alerts.
Impacts of Information Alerts
We do not classify these alerts as vulnerabilities. They are reported simply for your information as a website owner: they may not have a direct impact, but they could help an attacker gain a better understanding of your underlying systems.
Suggested Action for Information Alerts
No action or fix is required. It is nevertheless useful to know what is present on your web application, for example: NTLM Authorization Required, Database Detected (MySQL), Robots.txt Detected, phpMyAdmin Detected or Out-of-date Version (jQuery). The status of these issues is set to Accepted Risk, and issues with Accepted Risk status are listed in the Addressed Issues window.
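The workflow this page describes is: order findings by severity, fix the Critical and High ones first, rescan, and confirm they are gone, while treating Accepted Risk items as already addressed. The script below is an added example of that workflow and is not Netsparker's own code or export format: the `Finding` fields, the sample findings and the URLs are constructed for illustration. It encodes the page's severity order, drops Accepted Risk items from the outstanding set, and compares a baseline scan with a rescan to report which issues were eliminated, which remain and which are new.

```python
"""Severity triage and rescan verification for a list of scanner findings.

Added example, not Netsparker's own code. The Finding structure and the
sample findings below are constructed for illustration; a real report
exported from the scanner will use different field names.
"""
from dataclasses import dataclass

# Severity levels from this page, highest priority first (lower rank = fix sooner).
SEVERITY_RANK = {
    "Critical": 0,
    "High": 1,
    "Medium": 2,
    "Low": 3,
    "Best Practice": 4,
    "Information": 5,
}
UNKNOWN_RANK = len(SEVERITY_RANK)   # anything unrecognised sorts last


@dataclass(frozen=True)
class Finding:
    name: str                  # issue title as reported, e.g. "SQL Injection"
    url: str                   # affected URL (hypothetical)
    severity: str              # one of SEVERITY_RANK
    status: str = "Present"    # "Present" or "Accepted Risk"

    def key(self):
        # Identity of an issue across scans: same title at the same URL.
        return (self.name, self.url)


def outstanding(findings):
    """Findings that still need work: Accepted Risk items count as addressed."""
    return [f for f in findings if f.status != "Accepted Risk"]


def triage(findings):
    """Outstanding findings in the order the page says to fix them."""
    return sorted(
        outstanding(findings),
        key=lambda f: (SEVERITY_RANK.get(f.severity, UNKNOWN_RANK), f.name, f.url),
    )


def blocking_issues(findings):
    """Critical and High issues still outstanding; the page says fix these immediately."""
    return [f for f in outstanding(findings)
            if SEVERITY_RANK.get(f.severity, UNKNOWN_RANK) <= SEVERITY_RANK["High"]]


def compare_rescan(baseline, rescan):
    """Return (eliminated, remaining, new) issue keys after a fix-and-rescan cycle."""
    before = {f.key() for f in outstanding(baseline)}
    after = {f.key() for f in outstanding(rescan)}
    eliminated = sorted(before - after)
    remaining = sorted(before & after)
    new = sorted(after - before)
    return eliminated, remaining, new


# Constructed sample data (not real scan output).
BASELINE = [
    Finding("SQL Injection", "/login.php", "Critical"),
    Finding("Cross-site Scripting", "/search", "High"),
    Finding("Internal IP Address Disclosure", "/about", "Low"),
    Finding("Missing X-Frame-Options Header", "/", "Best Practice"),
    Finding("Out-of-date Version (jQuery)", "/js/jquery.js", "Information", "Accepted Risk"),
]

# Rescan after the SQL Injection was fixed: the XSS is still there and a new Low issue appeared.
RESCAN = [
    Finding("Cross-site Scripting", "/search", "High"),
    Finding("Internal IP Address Disclosure", "/about", "Low"),
    Finding("Missing X-Frame-Options Header", "/", "Best Practice"),
    Finding("Out-of-date Version (jQuery)", "/js/jquery.js", "Information", "Accepted Risk"),
    Finding("Cookie Not Marked as HttpOnly", "/login.php", "Low"),
]


def rescan_report(baseline, rescan):
    """Summarise a rescan: what was eliminated, what remains, and whether anything still blocks release."""
    eliminated, remaining, new = compare_rescan(baseline, rescan)
    return {
        "eliminated": eliminated,
        "remaining": remaining,
        "new": new,
        "still_blocking": [f.key() for f in blocking_issues(rescan)],
    }


if __name__ == "__main__":
    for f in triage(BASELINE):
        print(f"{f.severity:14} {f.name} at {f.url}")
    print(rescan_report(BASELINE, RESCAN))
```

Issues are matched across scans by title and URL, so a fix that merely moves a vulnerable parameter to a different page shows up as one eliminated and one new issue rather than silently passing; `still_blocking` being non-empty after a rescan means the fix-and-rescan cycle is not finished.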