In a few cases (on a few different apps), I've seen cases where AppScan Enterprise will show XSS in the status log (message is in red, identifying a discovered vulnerability). When the scan completes, the reports are empty. Can someone provide some background on this behavior?
Does it take a certain threshold for AppScan to report on a vulnerability (e.g. 3 variations of XSS)? Do the reports and the status log have potentially different thresholds?
1 reply Latest Post - 2013-02-19T21:48:13Z by warrenm1
Topic: XSS in status log but not in report?
warrenm1 270001F39C224 Posts ACCEPTED ANSWER
Re: XSS in status log but not in report?
2013-02-19T21:48:13Z in response to SystemAdmin
Hi,
This is a defect in the scan log of ASE 8.6x; they aren't real vulnerabilities, just bogus entries in the log. If you contact AppScan support, they can provide a testfix for the issue. It will also be fixed in the next version.