Skip to main content

Viewing Scan Results

In this scan results example, we use the Cross-Site Scripting (XSS) vulnerability in WebGoat.


Once the XSS vulnerability is detected, the IAST web interface is updated accordingly. The All Projects view includes the following vulnerability information:

  • Vulnerabilities Status – Additional high vulnerabilities added to graph.

  • Latest Activity – XSS vulnerability is detected.

  • Scans In-progress – New XSS vulnerability detected. Mouse-over the widget for more information.

Click the Project name, for example WebGoat. The Project View is displayed for the last completed scan.


Review the vulnerability flow (code and data) using the following vulnerability flow information:

  • Vulnerabilities List – New XXS vulnerability is added.

  • Attack Vector – Review the vulnerable code flow. The attack vector represents the flow of data from input to sink. Clicking on a node presents the relevant line of code.

  • Request – Review the request where the vulnerability was found. This represents the actual HTTP request used in the test.

  • Response – Review the response where the vulnerability was found. This represents the actual HTTP response used in the test. In some cases, if the vulnerability is reflected, there will be evidence of the vulnerability in the response itself.

  • Source Code Snippets – Review the available source code snippets. These code snippets represent the code as IAST interprets it during execution time. Watch represents the problematic vulnerable input before and after the execution of each step in the Attack Vector. If the vulnerable input reflected in the HTTP Request (marked red) is also reflected in the HTTP Response, it is marked red.