Verify whether a fix was successful | Fluid Attacks Help

Verify whether a fix was successful

As part of vulnerability management, you should reassess the code after a fix attempt, because a fix can introduce further vulnerabilities or fail to address the original vulnerability at all.

Read the section Fix your code to understand how Fluid Attacks can help you successfully address vulnerabilities. When you have applied your fix, follow the steps on this page.

At Fluid Attacks, reassessments are called "reattacks." Do the following to request automated reattacks by the tool or manual reattacks by Fluid Attacks' team of pentesters:

  1. Enter the group where the vulnerability you want to reattack was reported and go to the Scope section.

    [Screenshot: Open the Scope section in the Fluid Attacks platform]

  2. Click on the Update button to clone the latest version of the repository. This is to submit the version that contains the fixed code for testing.

    [Screenshot: Clone the updated version of a repository on the Fluid Attacks platform]

    Check the Status value of the repository. When the status is Cloned, you can move on to step 3.

  3. In the Vulnerabilities section, click on the name of the type of vulnerability you wish to reattack.

    [Screenshot: Select the type of vulnerability to reattack on the Fluid Attacks platform]

  4. Select the path where you have already applied a fix and click Reattack.

    [Screenshot: Request a reattack on the Fluid Attacks platform]

  5. In the pop-up window, click Confirm, acknowledging that you have synced the fixed version to the platform.

    [Screenshot: Reattack a finding by the Fluid Attacks scanner]

    If you have the Advanced plan, and the vulnerability was reported by the team of pentesters, you instead have to describe the applied fix and click Confirm.

    [Screenshot: Fill out the reattack request form on the Fluid Attacks platform]

  6. When you select multiple vulnerabilities and some of them cannot be reattacked, the pop-up window shows the reason before you proceed. The reason may be that the request has already been made, that the location is already marked 'Safe', that reattacks are on hold, or that the reattack requires a plan upgrade.

    [Screenshot: See unavailable reattacks on the Fluid Attacks platform]

If the vulnerability is still present, you will get a comment informing you of this in the Consulting section of the type of vulnerability. In the Locations table, the reattacked vulnerability will show the value Verified (vulnerable) in the Reattack column.

As an additional safeguard, you can use Fluid Attacks' CI Agent to break the build when vulnerabilities with specific attributes are present in it.