Inspecting the results
As soon as you start a scan, OpenText DAST begins scanning your web application and displays an icon for each session in the navigation pane (in either the Site or Sequence view). It also reports possible vulnerabilities on the Findings tab in the summary pane. For more information, see Navigation pane and Findings tab.
Note: For Web Services and API scans, the Site tree is populated with icons depicting the operations and parameters from the Web Services Definition Language (WSDL) document or the API definition file.
If you click a URL listed in the summary pane, the program highlights the related session in the navigation pane and displays its associated information in the information pane. For more information, see Information pane.
Sometimes the attack that detected a vulnerable session is not listed under attack information. That is, if you select a vulnerable session in the navigation pane and then click Attack Info in the Session Info panel, the attack information does not appear in the information pane. This is because attack information is usually associated with the session in which the attack was created and not with the session in which it was detected. When this occurs, select the parent session and then click Attack Info. For more information, see Session Info panel.
Working with one or more vulnerabilities
If you right-click one or more vulnerabilities in the summary pane, a shortcut menu enables you to:
- Copy URL - Copies the URL to the Windows clipboard.
- Copy Selected Item(s) - Copies the text of selected items to the Windows clipboard.
- Copy All Items - Copies the text of all items to the Windows clipboard.
- Export - Copies the item to a CSV file.
- View in Browser - Available if one vulnerability is selected; renders the HTTP response in a browser.
- Filter by Current Value - Available if one vulnerability is selected; restricts the display of vulnerabilities to those that satisfy the criteria you select. For example, if you right-click "Post" in the Method column and then select Filter by Current Value, the list displays only those vulnerabilities that were discovered by sending an HTTP request that used the Post method.
  Note: The filter criterion is displayed in the combo box in the upper right corner of the summary pane. Alternatively, you can manually enter or select a filtering criterion using this combo box. For additional details and syntax rules, see Using filters and groups in the Summary pane.
- Change Severity - Enables you to change the severity level.
- Edit Vulnerability - Available if one vulnerability is selected; displays the Edit Vulnerabilities dialog, allowing you to modify various vulnerability characteristics. For more information, see Editing vulnerabilities.
- Rollup Vulnerabilities - Available if multiple vulnerabilities are selected; enables you to roll up the selected vulnerabilities into a single instance that is prefixed with the tag "[Rollup]" in OpenText DAST, Fortify WebInspect Enterprise and reports. For more information, see Vulnerability rollup.
  Note: If you have selected a rolled-up vulnerability, this menu option is Undo Rollup Vulnerabilities.
- Retest - Performs a retest of one or more selected findings, all findings, or findings of a specific severity. For more information, see Retesting vulnerabilities.
- Mark as - Flags the vulnerability as either a false positive (and enables you to add a description) or as ignored. In both cases, the vulnerability is removed from the list. You can view a list of all false positive and ignored vulnerabilities by selecting Suppressed Findings in the Scan Info panel.
  Note: You can change a suppressed finding back to a vulnerability. See Suppressed findings for details.
- Send to - Converts the vulnerability to a defect and adds it to the OpenText Application Lifecycle Management (ALM) database.
- Remove Location - Removes the selected session from the navigation pane (both Site and Sequence views) and also removes any associated vulnerabilities.
  Note: You can recover removed locations (sessions) and their associated vulnerabilities. See Recovering deleted sessions for details.
- Crawl - Available if one vulnerability is selected; re-crawls the selected URL.
- Tools - Available if one vulnerability is selected; presents a submenu of available tools.
- Attachments - Available if one vulnerability is selected; enables you to create a note associated with the selected session, flag the session for follow-up, add a vulnerability note, or add a vulnerability screenshot.
Working with a Group
If you right-click a group, a shortcut menu enables you to:
- Collapse/Expand All Groups
- Collapse/Expand Group
- Copy URL
- Copy Selected Item(s)
- Copy All Items
- Export
- Change Severity
- Rollup Vulnerabilities
- Mark as
- Send to
- Remove Location
Understanding the Severity
The relative severity of a vulnerability listed in the summary pane is identified by its associated icon. The severity levels, from most to least severe, are described in the following table.
| Severity (icon) | Description |
|---|---|
| Critical | A vulnerability wherein an attacker might have the ability to execute commands on the server or retrieve and modify private information. |
| High | Generally, the ability to view source code, files outside the web root, and sensitive error messages. |
| Medium | Indicates non-HTML errors or issues that could be sensitive. |
| Low | Interesting issues, or issues that could potentially become higher ones. |
| Information | An interesting point in the site, or detection of certain applications or web servers. |
| Best Practice | Issues related to commonly accepted best practices for web development that may indicate overall site quality and site development security practices (or lack thereof). |
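When findings are exported from the summary pane to CSV, the same triage steps the shortcut menu offers (Filter by Current Value, Rollup Vulnerabilities, ordering by severity) can be reproduced offline in a script. The following Python script is an added example and is not OpenText DAST product code: the CSV column names (Severity, Method, URL, Check) and the sample rows are constructed assumptions, so map them to the header of your actual export. The severity ranking follows the order in the table above.

```python
"""Offline triage of findings exported from the summary pane as CSV.

Added example, not OpenText DAST code. Column names and sample rows are
constructed assumptions; adapt them to the header of a real export.
"""
import csv
import io
from collections import defaultdict

# Severity order as given in the documentation's severity table (most to least severe).
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Information", "Best Practice"]
SEVERITY_RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

# Constructed sample export (assumed column layout, fictitious host).
SAMPLE_CSV = """Severity,Method,URL,Check
High,Post,https://app.example.test/login,SQL Injection
High,Get,https://app.example.test/search,SQL Injection
Medium,Get,https://app.example.test/admin,Directory Listing
Critical,Post,https://app.example.test/upload,Remote Command Execution
Best Practice,Get,https://app.example.test/,Missing Cache-Control Header
Low,Post,https://app.example.test/login,Verbose Error Message
"""


def load_findings(text):
    """Parse the CSV export into a list of dicts, skipping rows with an unknown severity label."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        sev = row.get("Severity", "").strip()
        if sev not in SEVERITY_RANK:
            continue  # do not guess a rank for labels the table does not define
        row["Severity"] = sev
        rows.append(row)
    return rows


def filter_by_value(findings, column, value):
    """Offline counterpart of 'Filter by Current Value': keep rows whose column matches value."""
    return [f for f in findings if f.get(column, "").strip().lower() == value.lower()]


def rollup(findings):
    """Offline counterpart of 'Rollup Vulnerabilities': collapse findings that share a check
    and severity into one entry tagged [Rollup], listing every affected URL."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["Severity"], f["Check"])].append(f["URL"])
    rolled = []
    for (sev, check), urls in groups.items():
        name = f"[Rollup] {check}" if len(urls) > 1 else check
        rolled.append({"Severity": sev, "Check": name, "URLs": sorted(urls)})
    return rolled


def sort_by_severity(findings):
    """Order entries by the table's severity ranking, then by check name."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["Severity"]], f["Check"]))


def severity_counts(findings):
    """Count findings per severity level, including levels with zero findings."""
    counts = {name: 0 for name in SEVERITY_ORDER}
    for f in findings:
        counts[f["Severity"]] += 1
    return counts


if __name__ == "__main__":
    findings = load_findings(SAMPLE_CSV)
    for sev, n in severity_counts(findings).items():
        print(f"{sev:14} {n}")
    print("POST-only findings:", len(filter_by_value(findings, "Method", "Post")))
    for entry in sort_by_severity(rollup(findings)):
        print(entry["Severity"], "|", entry["Check"], "|", ", ".join(entry["URLs"]))
```

Rows whose Severity value is not one of the six labels in the table are dropped rather than ranked by guesswork; if your export uses different labels, extend SEVERITY_ORDER before loading.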
Working in the Navigation pane
You can also select an object or session in the navigation pane and investigate the session using the options available on the Session Info panel. For more information, see Navigation pane and Session Info panel.