Handling vulnerability scanning reports
Who is this article for?
IT/Security/Support Staff reviewing vulnerability reports.
No special access or permissions are required.
Vulnerability scanning is an important part of system security. Often a customer will run an automated scanner such as Acunetix against their installation and report whatever it finds.
The result is a report of High, Medium and Low severity issues, which is often presented to us as a list of things to 'fix'.
The important thing to keep in mind is that these scans run against the system as a whole, not just the application, so a finding may come from any of the following:
- Application code
- Application configuration
- Server configuration
- Server OS
- Other parts of the platform
Before our Support team raises issues with Development, we need to consider whether a reported issue is a problem with the application, or if it is somewhere in the environment that's outside the scope of our support.
This article describes considerations for working with vulnerability assessment reports (often called pen test/penetration test/VAPT reports).
1. Out-of-scope problems
An example of an information disclosure finding that is outside the scope of our application support is the web server's default welcome page: someone visiting the root of the web site sees the IIS banner page.
This page is installed with IIS by default and is not required by our application. Because the scanning tool does not distinguish between our application and the server it runs on, this is often reported to us as a vulnerability in Ideagen Internal Audit. Removing or replacing the default page is a server-administration task.
2. Versions
Something else we have to consider is the version of the application being scanned.
We run these tests ourselves as part of the development lifecycle and address vulnerabilities as they are found. Therefore, it is common that a vulnerability is already fixed in a later release, or is fixed in updated configuration.
3. Handling security scans
When we receive a security report, we will:
- Confirm which application version and authentication mode (FBA or Windows) were scanned, since several findings depend on both.
- Review whether each issue relates to the application or to the platform. Issues relating to the platform are referred back to the customer's IT team.
- Where issues relate to the application, review whether they are already fixed in a later version or by an alternative configuration.
- Escalate within Support as necessary.
- Escalate to Development as necessary.
4. Troubleshooting common issues
Below is a list of common findings that are either out of scope for application support or already mitigated.
| Issue | Description | Comment |
| --- | --- | --- |
| Directory listing is enabled | The web server returns a file index for a directory that has no default document | Directory browsing is an IIS setting and can be disabled by the server administrator. |
| Risky HTTP Methods Allowed | Verbs the application does not need are accepted by the server | OPTIONS and TRACE can be disabled by the server administrator. Note that OPTIONS carries the CORS preflight request: where the WebUI and WebService are on different origins (see the Access-Control-Allow-Origin row), blocking OPTIONS will break that connection, so only TRACE should be removed unconditionally. |
| Misconfigured Access-Control-Allow-Origin Header | The response carries an Access-Control-Allow-Origin header | The header is required for the connection between the WebUI and the WebService. When reviewing, confirm that its value is the WebUI's origin rather than a wildcard (*). |
| Improper Session Termination | The tester logs out of the WebUI, then uses the browser's [back] button and reaches the application again | Clarify whether the tester used Forms-based authentication (FBA) or Windows authentication in the WebUI. With the latest Pentana versions and FBA, the authentication cookie is cleared on logout and clicking [back] prompts for login. With Windows authentication the session is also cleared on logout, but clicking [back] makes the browser present the user's Windows credentials again, so the user is signed in automatically; the old session is not reused. |
| Improper Error Handling | Requesting an invalid path such as https://server.domain.com/[Pentana instance name]/WebUI/<> returns the message "Server Error in '/' Application." | This is the generic ASP.NET error page. The underlying cause, "A potentially dangerous Request.Path value was detected from the client (…)", is visible only in the server-side log: ASP.NET request validation rejected the characters in the path. Returning a generic error to the client and logging the detail on the server is the intended behaviour, so this is not an Ideagen Internal Audit • Aura problem. |
| IIS Version disclosure | The HTTP response contains a Server header naming the IIS version | The header can be removed by the IIS server administrator. |
| Etag vulnerability | The server returns an ETag header | Outside the scope of Ideagen Internal Audit • Aura support. |
| X-Frame-Options header is missing | The response does not contain an X-Frame-Options header | The header (or an equivalent Content-Security-Policy frame-ancestors directive) can be set at site level by the IIS administrator. |
| Cookie without secure flag | The session cookie is not marked Secure | FBA: if upgrading from an earlier version, ensure the following is in. Windows authentication: accessing the WebUI via Windows authentication currently creates a non-secure session cookie. This is logged for development (ref: VIS_WEB-1739). |
| Code obfuscation | Application code is not obfuscated | We do not use code obfuscation. The application design keeps security on the server side, where sensitive operations and secrets such as API keys remain hidden from clients. Readable code gives clear error messages and stack traces, which helps us diagnose and fix issues faster. |
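Before referring a platform finding back to the customer's IT team, it is worth confirming the scanner's claim against the live site rather than taking the report at face value. The following Python script is an added example for this article and is not Ideagen or Pentana code. It parses a raw HTTP/1.1 response (as saved from `curl -i` or an intercepting proxy) and evaluates the platform-level findings from the table: Server header version disclosure, missing X-Frame-Options, cookies without Secure/HttpOnly, risky verbs in the Allow header, an ETag header, and a directory-index body. The function names, the `cors_in_use` flag (which treats OPTIONS as required when the WebUI talks to the WebService cross-origin) and the two sample responses are the example's own assumptions; the responses are constructed, not real captures.

```python
"""Re-check platform-level scanner findings against a captured HTTP response.

Added example for this article; not Ideagen/Pentana code. Works on raw
HTTP/1.1 response text, so it runs offline on the constructed samples below.
"""
import re

# Heuristic markers for a directory index body (IIS and Apache styles).
LISTING_MARKERS = re.compile(r"\[To Parent Directory\]|<title>Index of /", re.I)


def parse_response(raw: str):
    """Split raw response text into (status_code, [(name, value)], body).
    Header names are lower-cased; repeated headers such as Set-Cookie are kept."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def check_response(raw: str, cors_in_use: bool = True) -> dict:
    """Return {finding name as used in the table: evidence} for findings present.
    cors_in_use=True models the WebUI calling the WebService cross-origin, so
    OPTIONS carries the CORS preflight and is not reported as risky."""
    status, headers, body = parse_response(raw)

    def values(name):
        return [v for n, v in headers if n == name]

    findings = {}

    server = values("server")
    if server and re.search(r"\d", server[0]):  # e.g. "Microsoft-IIS/10.0"
        findings["IIS Version disclosure"] = f"Server: {server[0]}"

    csp = " ".join(values("content-security-policy"))
    if not values("x-frame-options") and "frame-ancestors" not in csp:
        findings["X-Frame-Options header is missing"] = (
            "no X-Frame-Options header and no CSP frame-ancestors directive"
        )

    cookie_issues = []
    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            cookie_issues.append(f"{name}: missing {', '.join(missing)}")
    if cookie_issues:
        findings["Cookie without secure flag"] = "; ".join(cookie_issues)

    allow = values("allow")  # normally present only in an OPTIONS response
    if allow:
        verbs = {v.strip().upper() for v in allow[0].split(",")}
        risky = verbs & {"TRACE", "TRACK"}
        if not cors_in_use:
            risky |= verbs & {"OPTIONS"}
        if risky:
            findings["Risky HTTP Methods Allowed"] = "Allow: " + ", ".join(sorted(risky))

    etag = values("etag")
    if etag:
        findings["Etag vulnerability"] = f"ETag: {etag[0]}"

    if status == 200 and LISTING_MARKERS.search(body):
        findings["Directory listing is enabled"] = "response body looks like a directory index"

    return findings


# Constructed sample (not a real capture): a default IIS site before hardening.
# The Allow header is included so that one sample exercises every check.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    'ETag: "5a1f2c3d"\r\n'
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>server - /Scripts/</title></head>"
    '<body><a href="/">[To Parent Directory]</a></body></html>'
)

# Constructed sample: the same site after the administrator applied the table's mitigations.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, GET, HEAD, POST\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Sign in</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("before", WEAK_RESPONSE), ("after", HARDENED_RESPONSE)):
        print(label, check_response(raw) or "no platform-level findings")
```

Run it against the weak sample and every row's condition is reported; against the hardened sample nothing is reported, which is the state to confirm before closing a ticket. Pass `cors_in_use=False` only for a deployment where the WebUI and WebService share an origin, in which case OPTIONS is also flagged.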