How to check a re-test result

When you re-test a finding, ensure that the re-test is executing and wait for it to finish to determine whether the vulnerability is fixed.

Step 1: Validate the re-test is executing

After starting a re-test, use the same finding and target identifiers in this step to retrieve the finding being re-tested.

In this request, the finding identifier is 1 and the target identifier is 2oir9t8RKxdr.

Request
curl https://api.probely.com/targets/2oir9t8RKxdr/findings/1 \
  -X GET \
  -H 'Authorization: JWT <YOUR_API_TOKEN>' \
  -H 'Content-Type: application/json'

The response returns the finding, which must have the retesting property set to true, meaning that the re-test is executing. If it is false, you missed the re-test.

Note that some values are truncated (ending with ...) for readability because they were too long. The response you get will contain the complete values.

Response
{
  "id": 1,
  "target": {
    "id": "2oir9t8RKxdr",
    "name": "",
    "site": {
      "id": "UYzh6mLxffx9",
      "name": "My target",
      "desc": "",
      "url": "http://example.com",
      "host": "example.com",
      ...
    },
    ...
  },
  "scans": [
    "1WUWTpK9zZmQ",
    "2Mkr8fzTZqUf",
    "3d7BuuDmTurH",
    "3yxFhVNbF9N9",
    "49v8fkNSnLtz",
    "HCk5RHWDESYz",
    "LU7aqVDVcygF",
    "M6BqwS5ra8AH",
    "p2PaP4HYq9ih",
    "w2gDDvPoP7ga"
  ],
  "labels": [],
  "fix": "This problem can be fixed by sending...",
  "requests": [
    {
      "request": "```\nGET...```",
      "response": "```\nHTTP/1.1 200 OK...```"
    }
  ],
  "evidence": "Response headers, missing ...",
  "extra": "",
  "definition": {
    "id": "qXu26S0jS04A",
    "name": "Referrer policy not defined",
    "desc": "The application does not prevent..."
  },
  "url": "http://example.com/",
  "path": "http://example.com/",
  "method": "get",
  "insertion_point": "",
  "parameter": "",
  "value": "",
  "params": {},
  "assignee": null,
  "state": "notfixed",
  "severity": 10,
  "cvss_score": 3.1,
  "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
  "last_found": "2024-06-04T16:29:55.858900Z",
  "retesting": true,
  "new": false,
  ...
}

Step 2: Check the re-test result

Repeat the request regularly until retesting becomes false, meaning the re-test is finished.

Request
curl https://api.probely.com/targets/2oir9t8RKxdr/findings/1 \
  -X GET \
  -H 'Authorization: JWT <YOUR_API_TOKEN>' \
  -H 'Content-Type: application/json'

The response will return the finding with the result in the state property:

  • fixed - The vulnerability is fixed.
  • notfixed - The vulnerability is not fixed.

Note that some values are truncated (ending with ...) for readability because they were too long. The response you get will contain the complete values.

Response
{
  "id": 1,
  "target": {
    "id": "2oir9t8RKxdr",
    "name": "",
    "site": {
      "id": "UYzh6mLxffx9",
      "name": "My target",
      "desc": "",
      "url": "http://example.com",
      "host": "example.com",
      ...
    },
    ...
  },
  "scans": [
    "1WUWTpK9zZmQ",
    "2Mkr8fzTZqUf",
    "3d7BuuDmTurH",
    "3yxFhVNbF9N9",
    "49v8fkNSnLtz",
    "HCk5RHWDESYz",
    "LU7aqVDVcygF",
    "M6BqwS5ra8AH",
    "p2PaP4HYq9ih",
    "w2gDDvPoP7ga"
  ],
  "labels": [],
  "fix": "This problem can be fixed by sending...",
  "requests": [
    {
      "request": "```\nGET...```",
      "response": "```\nHTTP/1.1 200 OK...```"
    }
  ],
  "evidence": "Response headers, missing ...",
  "extra": "",
  "definition": {
    "id": "qXu26S0jS04A",
    "name": "Referrer policy not defined",
    "desc": "The application does not prevent..."
  },
  "url": "http://example.com/",
  "path": "http://example.com/",
  "method": "get",
  "insertion_point": "",
  "parameter": "",
  "value": "",
  "params": {},
  "assignee": null,
  "state": "fixed",
  "severity": 10,
  "cvss_score": 3.1,
  "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
  "last_found": "2024-06-04T16:29:55.858900Z",
  "retesting": false,
  "new": false,
  ...
}

If the vulnerability is not fixed, review your implementation and, when done, start another re-test and check the results again as explained in this tutorial.
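
Both steps combined into one polling script, as an added example that is not part of the original tutorial or Probely's own code. It uses only the Python standard library. The polling interval, the poll limit and the PROBELY_API_TOKEN environment variable name are assumptions; the endpoint, header and the retesting and state properties are the ones shown above.

```python
import json
import os
import time
import urllib.request

API = "https://api.probely.com"  # base URL used by the requests on this page


def fetch_finding(target_id, finding_id, token):
    """GET the finding: the same request as the curl command in both steps."""
    req = urllib.request.Request(
        f"{API}/targets/{target_id}/findings/{finding_id}",
        headers={"Authorization": f"JWT {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_for_retest(fetch, interval=30.0, max_polls=60, sleep=time.sleep):
    """Return the final state ("fixed" or "notfixed") once the re-test ends.

    fetch is a zero-argument callable returning the finding as a dict.
    interval and max_polls are assumed values, not documented limits.
    """
    # Step 1: the re-test must be executing before its result means anything.
    finding = fetch()
    if finding.get("retesting") is not True:
        raise RuntimeError("retesting is not true: the re-test was missed")
    # Step 2: repeat the request until retesting becomes false.
    for _ in range(max_polls):
        sleep(interval)
        finding = fetch()
        if finding.get("retesting") is False:
            state = finding.get("state")
            if state not in ("fixed", "notfixed"):  # the two results listed above
                raise ValueError(f"unexpected state after re-test: {state!r}")
            return state
    raise TimeoutError("re-test still executing after max_polls requests")


if __name__ == "__main__":
    token = os.environ["PROBELY_API_TOKEN"]  # assumed name; keeps the token off the command line
    result = wait_for_retest(lambda: fetch_finding("2oir9t8RKxdr", 1, token))
    print(result)
    raise SystemExit(0 if result == "fixed" else 1)
```

The non-zero exit status on notfixed lets a CI job fail until the re-test confirms the fix.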