Probely sets a severity level for each finding to sum up its overall risk, based on the following:
- The likelihood of the vulnerability being found and exploited.
- The skills required to exploit the vulnerability.
- The impact of exploiting the vulnerability.
For example, a vulnerability that is easy to find, easy to exploit, and with a high impact will likely be classified with a high severity.
Different findings for the same vulnerability can have different severity levels depending on the context in which Probely finds the vulnerabilities. Multiple factors can influence this context, which Probely takes into consideration to lower or raise the severity level. For example, the severity of a finding can be higher or lower depending on whether the scanned website or application has authentication.
The following table describes the different severity levels:
Severity | Description | Examples
--- | --- | ---
High | These findings may have a direct impact on the security of the application, for either clients or service owners, for instance by granting the attacker access to sensitive information. | SQL Injection, OS Command Injection
Medium | Medium findings don't usually have an immediate impact on their own, but combined with other findings they may lead to a successful compromise of the application. | Cross-site Request Forgery, Unencrypted Communications
Low | Findings where either the exploit is not trivial or the finding cannot be exploited by itself. | Directory Listing, Clickjacking
To learn more about findings, read this article on how to interpret target scan results.