How is the Web Application Security Risk Vector Assessed?
Jessica

The Web Application Security risk vector performs a variety of security assessments on web applications to determine whether best practices are being followed. Only domains that provide an HTTP or HTTPS service are included in these assessments.

Included domains are loaded using a standard web browser connection. We then capture the entire response of the page load, including redirects and all dynamic page content, and perform a set of assessments on that response. In the case of redirects, all assessments are attributed to the last host in the redirect chain, except for HTTPS to HTTP redirects, which, because of their particular nature, are attributed to the domain that performs the downgrade.

We do not send specific requests to trigger or identify vulnerabilities that may be present on the web application, and we do not crawl the loaded page for additional responses.

Impact

Insufficient Data
A default risk vector grade is assigned if there is insufficient or no data.
Behavior: Some findings cannot be traced back to specific companies because of third-party systems, such as web filters and Content Delivery Networks (CDNs), that are capable of redirecting and encapsulating network traffic. Some firewalls might also detect and block external scanning tools from obtaining any data.

Lifetime
Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period.
Duration: 60 Days

Weight
The Web Application Security risk vector is part of the Diligence risk category, which aggregates the weights of all risk vectors in the category to 70.5% of Bitsight Security Ratings.
Weight: 5%

Criteria
Additionally, for certain assessments, we check the response code (excluding certain 3xx and 4xx responses) and the content type (including only "text/html").

Evaluation
Web Application Security findings are subjected to different assessments to determine their presence and severity. Severity is a static attribute of an assessment indicating the maximum impact that a specific finding can have. The assessments are defined to target a specific Common Weakness Enumeration (CWE) or a category within the Open Web Application Security Project (OWASP) Top 10.

How is the severity of each assessment determined?
We determine the severity of each assessment by evaluating the CWE that the assessment targets. The individual severity of each assessment is based on the possible impacts and exploitability of that weakness.

Each assessment has its own grading mechanism and impacts the risk vector grade differently. See the possible finding grades for each assessment within the following assessments:

Cross-Site Scripting
Validation of security measures such as SRI and CSP to ensure no malicious remote resource is included on a web application.
Categories:
  Cross-Domain Subresource Integrity Check
  Cross-Domain Subresource Integrity Failure
  Content Security Policy Violations
  Content Security Policy Configurations

Components with Known Vulnerabilities
Using a library with missing security patches can make your web application exceptionally easy to abuse, so it is crucial to apply any available security updates immediately.
Categories:
  JavaScript Libraries with Known Vulnerabilities

Broken Authentication and Access Control
Access control policies ensure that users cannot act outside their intended permissions.
Categories:
  CMS Administration Portal Exposed
  Cross-Site Request Forgery (CSRF) Mitigations Present
  Authentication on Insecure Channel

Sensitive Data Exposure
Ensuring the application design includes controls that reduce the exposure of critical and sensitive information.
Categories:
  Secure Cookie Set on an Insecure Channel
  Session Token in URL
  Mixed Content
  HSTS Preload Directive Present
  Cookie SameSite Attribute
  Cookie SameSite Blocked
  Unsafe Referrer Policy

Security Misconfiguration
Assessment of web application implementations regarding security hardening, unnecessary features, and privileges.
Categories:
  Internal Server Error
  Reverse Tabnabbing
  Directory Listing Exposure
  CORS Violation
  Overly-Permissive CORS Whitelist
  HTTPS to HTTP Redirects
  TLS Errors on Page Resource Fetch (deprecated)

Updates
December 23, 2025: The default grade for WAS is N/A. Added Criteria section.
July 10, 2025: The weight is 5% for the 2025 Ratings Algorithm Update.
March 28, 2025: How severity is determined.
December 16, 2024: Moved finding grades to the more detailed assessment articles.
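To make the passive, response-only nature of these assessments concrete, here is an added illustration (not Bitsight's code or its actual grading logic) that runs a handful of the categories above over a single captured page load. It assumes a constructed response dict (final URL after redirects, headers, HTML body) and simplified heuristics for each check; the category names are the page's, the detection rules are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the final response in a redirect chain, loaded over HTTPS.
SAMPLE_RESPONSE = {
    "url": "https://www.example.test/login?sessionid=abc123",
    "headers": {
        "Content-Type": "text/html; charset=utf-8",
        "Set-Cookie": ["sid=xyz; Path=/; HttpOnly", "pref=1; Path=/; SameSite=Lax"],
        "Access-Control-Allow-Origin": "*",
        "Referrer-Policy": "unsafe-url",
    },
    "body": '<html><script src="https://cdn.example.test/lib.js"></script>'
            '<img src="http://static.example.test/logo.png">'
            '<a href="https://partner.example.test/" target="_blank">go</a></html>',
}

def assess(resp):
    """Return the (assumed) assessment categories triggered by one captured page load."""
    findings = []
    hdr = {k.lower(): v for k, v in resp["headers"].items()}
    if not hdr.get("content-type", "").startswith("text/html"):
        return findings  # criteria: only text/html responses are assessed
    url = urlsplit(resp["url"])
    https = url.scheme == "https"
    page_origin = f"{url.scheme}://{url.netloc}"
    body = resp["body"]
    # Sensitive Data Exposure
    if re.search(r"[?&](sessionid|jsessionid|phpsessid)=", resp["url"], re.I):
        findings.append("Session Token in URL")
    for cookie in hdr.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" in attrs and not https:  # Secure flag is meaningless over HTTP
            findings.append("Secure Cookie Set on an Insecure Channel")
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append("Cookie SameSite Attribute")
    if hdr.get("referrer-policy", "").lower() == "unsafe-url":
        findings.append("Unsafe Referrer Policy")
    if https and re.search(r'\ssrc=["\']http://', body, re.I):  # plain-HTTP subresource
        findings.append("Mixed Content")
    # Cross-Site Scripting: cross-origin script loaded without an integrity attribute
    for tag in re.findall(r"<script[^>]*>", body, re.I):
        src = re.search(r'src=["\'](https?://[^/"\']+)', tag, re.I)
        if src and src.group(1) != page_origin and "integrity=" not in tag.lower():
            findings.append("Cross-Domain Subresource Integrity Check")
    # Security Misconfiguration
    if hdr.get("access-control-allow-origin", "").strip() == "*":
        findings.append("Overly-Permissive CORS Whitelist")
    for tag in re.findall(r"<a\s[^>]*>", body, re.I):  # _blank link without noopener
        if re.search(r'target=["\']_blank["\']', tag, re.I) and "noopener" not in tag.lower():
            findings.append("Reverse Tabnabbing")
    return sorted(set(findings))
```

Because nothing beyond the captured response is inspected, a finding such as the SRI check is attributed to the final host that served the page, not to the CDN hosting the script.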