Results

After an API security scan completes, Detectify presents your findings in a structured format. This page explains how to interpret scan results, understand severity levels, and take action on findings.

Viewing Results

Navigate to API Security Testing > Scan Profiles, select the profile for the completed scan, and open the Results tab. Findings are listed in order of severity, with the most critical issues at the top.

Each finding includes:

  • Vulnerability type — The category of vulnerability detected (for example, SQL Injection, BOLA, or Prompt Injection)
  • Affected endpoint — The specific path and HTTP method where the vulnerability was found
  • Affected parameter — The query parameter, header, or request body field that was exploited
  • Severity — The risk level assigned to the finding
  • Request and response — The exact HTTP request sent by the scanner and the response received, allowing you to reproduce the issue

Severity Levels

Severity | Description
Critical | Vulnerabilities that can be exploited immediately with significant impact. Examples include remote code execution via command injection or direct data access via SQL injection.
High | Serious issues that could lead to data exposure or unauthorized access. Examples include BOLA or SSRF with access to internal services.
Medium | Vulnerabilities that pose moderate risk, often requiring specific conditions or additional steps to exploit. Examples include reflected XSS or SSTI with limited impact.
Low | Minor issues or informational findings. Examples include SSL/TLS configuration weaknesses or verbose error messages that disclose implementation details.

Understanding a Finding

Reproduction

Each finding includes the full HTTP request that triggered the vulnerability. You can use this to manually verify the issue using tools like curl or Postman:

  • Review the Request section to see the exact payload, headers, and parameters
  • Review the Response section to see how the API responded
  • Copy the request and replay it against your API to confirm the behavior

Remediation Guidance

For every finding, Detectify provides remediation guidance tailored to the vulnerability type. This typically includes:

  • A description of why the vulnerability is dangerous
  • Specific coding practices to fix the issue (for example, parameterized queries for SQL injection)
  • Configuration changes where applicable (for example, disabling external entity processing for XXE)
  • Links to relevant security references such as OWASP

Managing Findings

Status Workflow

You can update the status of each finding as you work through remediation:

Status | Meaning
Open | The vulnerability has been detected and not yet addressed
Accepted | The finding has been acknowledged and is scheduled for remediation
Resolved | The vulnerability has been fixed
False positive | The finding has been reviewed and determined not to be a real vulnerability

Exporting Results

Scan results can be exported for reporting or integration with other tools. Export options include structured data formats that can be imported into vulnerability management platforms.

Rescanning

After applying fixes, run a follow-up scan to verify that vulnerabilities have been resolved. Detectify will update the status of previously detected findings based on the new scan results.