Verify whether a fix was successful | Fluid Attacks Help

Verify whether a fix was successful

As part of vulnerability management, you should reassess the code after a fix attempt. A fix can introduce further vulnerabilities or turn out to be no fix at all for the original vulnerability.

Read the section Fix your code to understand how Fluid Attacks can help you successfully address vulnerabilities. When you have applied your fix, follow the steps on this page.

At Fluid Attacks, reassessments are called "reattacks." Do the following to request automated reattacks by the tool or manual reattacks by Fluid Attacks' hacking team:

  1. Enter the group where the vulnerability you want to reattack was reported and go to the Scope section.

    Open the Scope section in the Fluid Attacks platform

  2. Click on the Update button to clone the latest version of the repository. This is to submit the version that contains the fixed code for testing.

    Clone updated version of a repository on the Fluid Attacks platform

    Check the Status value of the repository. When the status is Cloned, you can move on to step 3.

  3. In the Vulnerabilities section, click on the name of the type of vulnerability you wish to reattack.

    Select type of vulnerability to reattack on the Fluid Attacks platform

  4. Click on Select locations to reattack.

    Select location to reattack on the Fluid Attacks platform

  5. Select the location where you have already applied a fix and click Reattack.

    Request a reattack on the Fluid Attacks platform

  6. In the pop-up window, describe the fix you applied and click Confirm.

    Fill out the reattack request form on the Fluid Attacks platform

If the vulnerability is still present, you will get a comment informing you of this in the Consulting section of the type of vulnerability. In the Locations table, the reattacked vulnerability will show the value Verified (vulnerable) in the Reattack column.

As a security measure, you can use Fluid Attacks' CI Agent to break the build if vulnerabilities with specific attributes are present in it.