The Web Application Security risk vector performs a variety of security assessments on web applications to determine whether security best practices are being followed. Only domains that provide an HTTP or HTTPS service are included in these assessments.
Domains that are included are loaded using a standard web browser connection. We then capture the entire response of the page load, including redirects and all dynamic page content, and perform a set of assessments on that response. In the case of redirects, all assessments are attributed to the last host in the redirect chain, with one exception: HTTPS-to-HTTP redirects, because of the downgrade they introduce, are attributed to the domain that performs the downgrade.
We do not send out specific requests to trigger or identify vulnerabilities that may be present on the web application. We also do not crawl the loaded page for additional responses.
Impact
This risk vector does not currently affect security ratings. It is being evaluated for a period before being factored into security ratings.
Concept | Behavior |
---|---|
| | A default risk vector grade is assigned. |
| | Some findings cannot be traced back to specific companies due to the use of third-party systems, such as web filters and Content Delivery Networks (CDN), that are capable of redirecting and encapsulating network traffic. Some firewalls might also detect and block external scanning tools from getting any data. This is set in the center of the grading scale for computing into security ratings. ❖ If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before the default grade is assigned. |
| | The number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period. |
Duration | 60 Days |
Percentage (out of 70.5% in Diligence) | This risk vector does not currently affect security ratings. |
Evaluation
Web Application Security findings are subjected to different assessments to determine the presence and severity of vulnerabilities. The assessments are defined to target a specific Common Weakness Enumeration (CWE) or a category within the Open Web Application Security Project (OWASP) Top 10.
Each assessment has its own grading mechanism and affects the risk vector grade differently. See the possible finding grades within each of the following assessments:
Cross-Site Scripting
Validation of security measures such as Subresource Integrity (SRI) and Content Security Policy (CSP), which ensure that no malicious remote resource is included in a web application.
Categories:
Components with Known Vulnerabilities
Using a library with missing security patches can make your web application exceptionally easy to abuse, so it is crucial that any available security update is applied immediately.
Categories:
Broken Authentication and Access Control
Access control policies ensure that users cannot act outside their intended permissions.
Categories:
Sensitive Data Exposure
Ensuring application design includes controls to reduce the exposure of critical and sensitive information.
Categories:
Security Misconfiguration
Assessment of web application implementations regarding security hardening or unnecessary features and privileges.
Categories:
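As an added example (not code from this article or from the service it describes), the following Python models two points made above: the redirect-chain attribution rule from the overview, and a passive SRI/CSP check of the kind the Cross-Site Scripting assessment describes, operating only on a captured response with no extra requests or crawling. The `PageLoad` type, function names, hosts, headers and HTML are constructed sample data, not the service's own format.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

@dataclass
class PageLoad:
    """Captured browser page load: redirect chain plus the final response."""
    chain: list                                   # URLs, first request to final page
    headers: dict = field(default_factory=dict)   # final response headers
    html: str = ""                                # final response body

def attributed_host(chain):
    """Last host in the chain, except that an HTTPS-to-HTTP redirect is
    attributed to the host that performs the downgrade (rule from the article)."""
    for src, dst in zip(chain, chain[1:]):
        if urlparse(src).scheme == "https" and urlparse(dst).scheme == "http":
            return urlparse(src).hostname
    return urlparse(chain[-1]).hostname

SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')

def passive_findings(load):
    """Checks run only on the captured response (no extra requests, no crawl):
    a missing CSP header, and cross-origin scripts included without SRI."""
    page_host = urlparse(load.chain[-1]).hostname
    hdrs = {k.lower(): v for k, v in load.headers.items()}
    findings = []
    if "content-security-policy" not in hdrs:
        findings.append("missing-csp")
    for match in SCRIPT_RE.finditer(load.html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(match.group(1))}
        host = urlparse(attrs.get("src", "")).hostname
        if host and host != page_host and "integrity" not in attrs:
            findings.append(f"script-without-sri:{host}")
    return findings

# Constructed sample load (hypothetical hosts): HTTP-to-HTTPS upgrade, no CSP,
# one third-party script with SRI and one without. Same-origin scripts are skipped.
SAMPLE = PageLoad(
    chain=["http://www.example.test/", "https://www.example.test/"],
    headers={"Content-Type": "text/html"},
    html='<script src="https://cdn.example.net/lib.js"></script>'
         '<script src="/app.js"></script>'
         '<script src="https://cdn.example.net/v.js" integrity="sha384-AAAA"'
         ' crossorigin="anonymous"></script>',
)
```

`attributed_host(SAMPLE.chain)` returns `www.example.test` and `passive_findings(SAMPLE)` flags the missing CSP header and the one cross-origin script without an `integrity` attribute.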
- December 16, 2024: Moved finding grades to the more detailed assessment articles.
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”
- March 12, 2024: TLS Errors on Page Resource Fetch assessment deprecated.