During a scan, the scanner finds vulnerabilities within the target’s URLs. When the scanner finds a vulnerability, a finding is created. These findings are registered at Probely, and there are several actions you can perform on them, namely:
- Change a finding’s state
- Change a finding’s risk
- Change a finding’s assignee
- Change a finding’s label
- Re-test a finding
- Add a note to a finding
A finding’s state can change either automatically (by the scanner, as a result of a scan or re-test) or manually (by means of the user’s actions).
Using Probely’s interface, you can mark a finding as “Accepted”, if you acknowledge and accept its risk, or as “Invalid”, if you consider it to be a false positive. These actions are reflected in the STATE field shown below:
To learn more about findings’ states and how they can change, make sure to read this article.
Depending on the type of vulnerability found and on its exploitability, impact and scope, a CVSS score and a risk/severity classification are assigned to the finding, helping you prioritize fixes:
In general terms, findings are classified as follows:
High: these findings may have a direct impact on the security of the application, its clients or its service owners, for instance by granting an attacker access to sensitive information.
Medium: these findings usually have no immediate impact on their own, but combined with other findings they may lead to a successful compromise of the application.
Low: these findings are ones where the exploit is not trivial, the impact is low, or the finding cannot be exploited on its own.
While the CVSS score cannot be changed manually, you can still change the finding’s risk. This can be done directly from the finding’s details page, by clicking on the risk dropdown and choosing the intended risk:
Once you change a finding’s risk, Probely will not change it back, so please make sure you really intend to make the change.
After a scan or a re-test, you may want to assign a vulnerability to a specific team member to be taken care of. This can be done either through the finding’s details page, by clicking on the assignee dropdown, or through any list in which the finding is visible (target’s page, scan results page, or findings list).
To learn more about how to change a finding’s assignee, make sure to read this article.
To help you filter your scan results, you may want to use labels. Once you have created finding labels, you can change a finding’s labels through its details page or through the findings list.
After fixing vulnerabilities previously reported by Probely, you can re-test them to make sure they can no longer be exploited and are indeed resolved.
To start a re-test, open the finding’s details and click the Re-test button, or open any list in which the finding is displayed (target’s page, scan results page, or findings list), select it, and click the Re-test button. If, during the re-test, the scanner is unable to replicate the vulnerability, the finding is marked as Fixed; otherwise, it remains listed as Not Fixed until the scanner can no longer replicate it.
Add a note
When viewing a vulnerability’s details, you can add comments or notes for your teammates: scroll down to the bottom of the page, write the note and press the Add Note button. Please bear in mind that these notes are not a way of getting in touch with Probely; they should only be used to leave contextual information for your teammates.