Remediation Overview
When Detectify identifies a vulnerability, each finding includes specific remediation guidance. This page provides general remediation principles and links to detailed guidance for each vulnerability type.
General Remediation Principles
Prioritize by Severity and Context
Not all vulnerabilities carry the same risk. Prioritize remediation based on:
- Severity level — Critical and High findings should be addressed first
- Exposure — Vulnerabilities on public-facing endpoints are higher priority than those on internal services
- Exploitability — Issues that are easy to exploit with readily available tools should be fixed before those requiring specialized knowledge
- Data sensitivity — Vulnerabilities affecting endpoints that handle sensitive data (authentication, payment, personal information) take priority
Validate Fixes with Rescanning
After applying a fix, run a follow-up scan to confirm the vulnerability has been resolved. Detectify automatically updates the finding status when a rescan confirms the fix.
Address Root Causes
Where possible, fix the underlying root cause rather than applying a point fix:
- If you find SQL injection in one endpoint, check all endpoints that construct SQL queries
- If you find XSS in one parameter, review your output encoding practices across the application
- If you find an authorization flaw in one resource, audit authorization checks across all resources
Remediation by Vulnerability Type
Injection Vulnerabilities
| Vulnerability | Key remediation |
|---|---|
| SQL Injection | Use parameterized queries or prepared statements. Never concatenate user input into SQL strings. |
| XSS | Encode output based on context (HTML, JavaScript, URL, CSS). Use Content Security Policy (CSP) as a defense-in-depth measure. |
| Command Injection | Avoid passing user input to system commands. If unavoidable, use allowlists for acceptable values rather than blocklists. |
| SSRF | Validate and restrict outbound request destinations. Block requests to private IP ranges and cloud metadata endpoints. |
| Path Traversal | Validate file paths against an allowlist of permitted directories. Do not rely on stripping `../` sequences, as there are many bypass techniques. |
| XXE | Disable external entity processing in your XML parser configuration. |
| SSTI | Avoid passing user input directly into template rendering. Use sandboxed template engines where possible. |
| Prompt Injection | Implement input validation, output filtering, and system prompt protection. Separate user input from system instructions in LLM calls. |
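As an added example (not Detectify's own code or guidance), the following Python block shows the remediation behind three rows of the table above: the SQL Injection row (a concatenated query beside its parameterized form), the SSRF row (a destination check against private, loopback, link-local and metadata-style addresses), and the Path Traversal row (resolving the requested path and confirming it stays under the permitted directory instead of stripping `../`). The user table, the base directory `/srv/files` and all inputs are constructed for the illustration; the SSRF check expects the caller to resolve the hostname once and pass the IP it will actually connect to, which is an assumption about the surrounding HTTP client.

```python
import ipaddress
import sqlite3
from pathlib import Path


# --- SQL Injection: parameterized queries vs. string concatenation ---

def make_db():
    """Constructed in-memory database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def find_user_vulnerable(conn, username):
    """Concatenation: the input becomes part of the SQL grammar.

    Kept here only to show the behaviour the safe version removes."""
    rows = conn.execute(
        f"SELECT username FROM users WHERE username = '{username}'").fetchall()
    return [r[0] for r in rows]


def find_user_safe(conn, username):
    """Parameterized: the driver sends the value separately from the statement,
    so the input can only ever be compared as data."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)).fetchall()
    return [r[0] for r in rows]


# --- SSRF: restrict outbound destinations ---

def is_safe_target_ip(ip_text):
    """Return True only for globally routable unicast addresses.

    Rejects RFC 1918 space, loopback, link-local (which covers the common
    169.254.169.254 cloud metadata endpoint), multicast, reserved and
    unspecified addresses. IPv4-mapped IPv6 addresses are unwrapped first so
    that ::ffff:10.0.0.1 is judged as 10.0.0.1."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


# --- Path Traversal: resolve, then check containment ---

def resolve_under(base_dir, user_path):
    """Resolve user_path relative to base_dir and return it only if the
    result is still inside base_dir; otherwise return None.

    Resolving first means '..' segments, absolute paths and symlinks are all
    evaluated before the containment check, which is why this holds where
    stripping '../' from the string does not."""
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        return None
    return candidate


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", find_user_vulnerable(db, "' OR '1'='1"))
    print("parameterized:", find_user_safe(db, "' OR '1'='1"))
    for ip in ("8.8.8.8", "10.0.0.5", "169.254.169.254", "::ffff:127.0.0.1"):
        print(ip, "allowed" if is_safe_target_ip(ip) else "blocked")
    print(resolve_under("/srv/files", "reports/2024.pdf"))
    print(resolve_under("/srv/files", "../../etc/passwd"))
```

Running the block prints the concatenated query returning every user for the classic tautology input while the parameterized query returns none, the four sample addresses with only the public one allowed, and the traversal attempt resolving to `None`.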
Authorization Vulnerabilities
| Vulnerability | Key remediation |
|---|---|
| BOLA / IDOR | Implement proper authorization checks on every resource access. Verify that the authenticated user is authorized to access the specific requested resource. |
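To make the BOLA / IDOR row concrete, here is an added Python example (not Detectify's code) of a resource lookup that authenticates but never authorizes, beside the corrected lookup that checks on every access whether the caller owns the specific object or holds an admin role. The `User` type, the `DOCUMENTS` store and the ids are constructed for the illustration; the choice to answer a forbidden object with the same "not found" result as a missing one is a design decision stated here, not something the page prescribes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Constructed minimal identity: who is calling and with which role."""
    id: int
    role: str = "user"


class NotFound(Exception):
    pass


# Constructed sample store: each document records its owner.
DOCUMENTS = {
    101: {"owner_id": 1, "title": "alice-invoice"},
    102: {"owner_id": 2, "title": "bob-invoice"},
}


def get_document_vulnerable(current_user, doc_id):
    """Authenticated but not authorized: any logged-in user can fetch any id.

    Kept to show the behaviour the fixed version removes."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc


def can_read(user, doc):
    """Object-level rule: owners and admins may read a document."""
    return user.role == "admin" or doc["owner_id"] == user.id


def get_document(current_user, doc_id):
    """Authorized lookup: the ownership check runs on every request, and a
    document the caller may not see is reported exactly like one that does
    not exist, so the id space cannot be enumerated through error differences."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not can_read(current_user, doc):
        raise NotFound(doc_id)
    return doc


def can_access(user, doc_id):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        get_document(user, doc_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    bob = User(2)
    print("vulnerable:", get_document_vulnerable(bob, 101)["title"])
    print("fixed, bob -> 101:", can_access(bob, 101))
    print("fixed, bob -> 102:", can_access(bob, 102))
    print("fixed, admin -> 101:", can_access(User(3, "admin"), 101))
```

The same `can_read` rule is the place to extend when a resource has more than one legitimate reader (shared documents, team membership); what matters for the finding is that the rule is evaluated on the specific object for every request, not once at login.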
Infrastructure Vulnerabilities
| Vulnerability | Key remediation |
|---|---|
| Subdomain Takeover | Remove DNS records pointing to deprovisioned services. Monitor for dangling records as part of your asset management process. |
| SSL/TLS Issues | Renew expired certificates, disable weak cipher suites and outdated protocols, configure HSTS with appropriate max-age. |
| Certificate Issues | Ensure certificates match the served domain, use certificates from trusted CAs, and monitor expiration dates. |
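The SSL/TLS and Certificate rows describe checks that are easy to automate. As an added Python example (not Detectify's code), the block below implements three of them over constructed inputs: days until a certificate expires, read from a dictionary in the shape that `ssl.SSLSocket.getpeercert()` returns; whether a certificate's `subjectAltName` entries match the served hostname, including single-label wildcards; and whether a `Strict-Transport-Security` header carries an adequate `max-age`. The sample certificate, the hostnames and the header values are constructed, and the one-year `max-age` threshold is an assumption chosen for the example, since the page only says "appropriate".

```python
import ssl
import time

# Constructed certificate in getpeercert() shape (only the fields used here).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jun  1 12:00:00 2026 GMT",
}

# Constructed reference time for repeatable results: 30 days before expiry.
SAMPLE_NOW = ssl.cert_time_to_seconds("May  2 12:00:00 2026 GMT")

# Assumed policy threshold for the example: one year, in seconds.
MIN_HSTS_MAX_AGE = 31536000


def days_until_expiry(cert, now=None):
    """Whole days from `now` (epoch seconds, default current time) until the
    certificate's notAfter; negative once it has expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def hostname_matches(cert, hostname):
    """True if hostname is covered by a DNS subjectAltName entry.

    A wildcard such as *.example.com covers exactly one label, so it matches
    api.example.com but neither example.com nor a.b.example.com."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]                      # ".example.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif name == host:
            return True
    return False


def hsts_policy(header_value, min_max_age=MIN_HSTS_MAX_AGE):
    """Parse a Strict-Transport-Security value and judge it against the
    assumed minimum max-age. Returns a dict rather than a bare bool so the
    caller can report which part is weak."""
    directives = {}
    for part in header_value.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            directives[key.strip().lower()] = value.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    return {
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in directives,
        "adequate": max_age >= min_max_age,
    }


def check_sample():
    """Run all three checks over the constructed inputs."""
    return {
        "days_left": days_until_expiry(SAMPLE_CERT, now=SAMPLE_NOW),
        "apex_ok": hostname_matches(SAMPLE_CERT, "example.com"),
        "api_ok": hostname_matches(SAMPLE_CERT, "api.example.com"),
        "deep_ok": hostname_matches(SAMPLE_CERT, "a.b.example.com"),
        "other_ok": hostname_matches(SAMPLE_CERT, "example.org"),
        "hsts_strong": hsts_policy("max-age=63072000; includeSubDomains"),
        "hsts_weak": hsts_policy("max-age=300"),
    }


if __name__ == "__main__":
    for key, value in check_sample().items():
        print(f"{key}: {value}")
```

In a real deployment `SAMPLE_CERT` would come from `getpeercert()` on a connection made with `ssl.create_default_context()`, which already rejects hostname mismatches and expired certificates on its own; the functions here are for reporting how close a certificate is to expiry and for auditing headers, not a replacement for the library's verification.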
Integrating Remediation into Your Workflow
- Use Jira integration to automatically create tickets for new findings and track remediation progress
- Set up Slack or Teams notifications to alert your team when critical findings are detected
- Schedule regular scans to catch regressions when previously fixed vulnerabilities are reintroduced