Reviewing DynamicDS Flaws


The Triage Flaws page presents DynamicDS flaws differently than static flaws. This section describes the different types of DynamicDS vulnerabilities, explains how to access DynamicDS flaw information, and provides guidance on how to interpret detailed dynamic results and request a readout call with Veracode Support.

About DynamicDS Flaws

DynamicDS scans detect two main types of vulnerabilities: application flaws and configuration flaws. These types of flaws display differently in the Triage Flaws page.

Flaws in the application code cause application vulnerabilities, which are triggered by injecting malicious values into the various input fields of the application. Some examples of application vulnerabilities include cross-site scripting, SQL injection, and command injection.

Insecurities in the server on which the application resides cause configuration vulnerabilities. While the application does not cause these vulnerabilities, they still present a risk to the application's overall security posture. Some examples of configuration vulnerabilities include source code disclosure via backup files, information leaks through directory listings, and unnecessary HTTP methods enabled on the web server.

These two types of vulnerabilities also differ in the approach required to fix them. A developer can correct application vulnerabilities, but configuration vulnerabilities usually require assistance from the system administrator or operations staff, particularly in production environments.

Note: Veracode validates flaws by using injection plugins that contain a variety of attack strings. One of these attack strings targets PHP injection and uses a callback host to execute the attack. When a successful remote file inclusion (RFI) attack occurs, you will notice a small amount of traffic generated from 54.85.171.147.
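To attribute that traffic during log review, the following added example (not part of the Veracode product or its documentation) separates access-log entries whose client address is the callback host named in the note from all other requests. It assumes the traffic appears as the client address in Combined Log Format logs; the function names and sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Callback host address from the note above.
CALLBACK_HOST = ipaddress.ip_address("54.85.171.147")

# Combined Log Format: client ident user [time] "METHOD target proto" status size
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def triage(lines):
    """Return (callback_entries, other_entries, skipped_line_count)."""
    callback, other, skipped = [], [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # not a Combined Log Format line
            continue
        try:
            client = ipaddress.ip_address(m["client"])
        except ValueError:
            skipped += 1  # client field is a hostname, not an address
            continue
        # Dual-stack listeners may log IPv4 peers as ::ffff:a.b.c.d.
        if client.version == 6 and client.ipv4_mapped:
            client = client.ipv4_mapped
        entry = (m["time"], m["method"], m["target"], int(m["status"]))
        (callback if client == CALLBACK_HOST else other).append(entry)
    return callback, other, skipped

def callback_paths(callback):
    """Count callback-host hits per request target, to compare with flaw URLs."""
    return Counter(target for _, _, target, _ in callback)

# Constructed sample lines; only the callback host address comes from the page.
SAMPLE = [
    '54.85.171.147 - - [12/Mar/2024:10:15:02 +0000] "GET /app/view.php HTTP/1.1" 200 512',
    '::ffff:54.85.171.147 - - [12/Mar/2024:10:15:03 +0000] "GET /app/list.php HTTP/1.1" 200 128',
    '198.51.100.7 - - [12/Mar/2024:10:16:40 +0000] "GET /index.php HTTP/1.1" 200 2048',
    'backend.internal - - [12/Mar/2024:10:17:00 +0000] "GET /health HTTP/1.1" 200 2',
    'not a log line',
]

if __name__ == "__main__":
    hits, rest, bad = triage(SAMPLE)
    print(len(hits), "callback hits;", len(rest), "other;", bad, "skipped")
```

Comparing the timestamps of the callback entries with the scan window helps confirm that the traffic belongs to the DynamicDS scan.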

Viewing DynamicDS Scan Results for an Application

To access DynamicDS scan results in the Triage Flaws page:

  1. In the Applications page, click View in the Results column of the desired application row.
  2. Click Triage Flaws in the Results section of the left navigation menu of the application.
  3. Click the Dynamic scan type at the top of the page if it is not already selected.

The list of flaws for that application appears. As with static scan results, you can sort the information in the flaws table at the bottom of the page. The table lists information for the flaw ID, severity, parameter, CWE, URL, status, and mitigation status.

To view a high-level overview of results, click Results from the left navigation menu.



Interpreting Detailed Dynamic Findings

Veracode provides details for application vulnerabilities to enable you to reproduce the finding. Click a specific flaw in the flaws table to display additional information about the finding in the top pane. This information is divided into two tabs: Details and Request/Response.



The Triage Flaws page shows the specific details and request/response information.

The Details tab provides information indicating why the scan engine determined that the attack was successful. It also lists any other resources to consult and recommendations for remediation.

The Request/Response tab lists the details of the scan request and the scan response, highlighting the injected value. These details include the HTTP method, full URL, and the vulnerable parameter, as well as the values of any other parameters or form values that comprised the HTTP request, where applicable.