Typically at this stage the penetration tester would have already lost trust in the security scanner he is using and starts omitting manual verification of vulnerability checks. By taking such an approach, the risks of leaving exploitable vulnerabilities undetected and not remediated are very high. In web application security it is important to identify every web application vulnerability and security issue, because a malicious attacker only needs to exploit one vulnerability to finish the job.
However, the situation is even worse if the user is not an experienced web application security tester. Vulnerability scanners employ very advanced checks, send complicated attacks with different encodings to bypass blacklisting protection, etc. So when inexperienced users try to reproduce the identified vulnerability they might fail to replay the exact same attack, or simply cannot manually exploit the identified vulnerability. Since half of the issues reported by the scanner were false positives, when a non-seasoned user cannot manually confirm a vulnerability he or she tends to ignore it and mark it as a false positive. This obviously diminishes the value of the scanner, and this is a big part of the story of the web application security scanners that cried wolf too often.
What are you doing in Netsparker to eradicate false positives?
When we started designing the Netsparker Web Application Security Scanner, we wanted to build a tool that helps penetration testers find vulnerabilities without the need to verify detected vulnerabilities, by guaranteeing a false-positive-free scan.
How do we guarantee false-positive-free scans? It is the same as what penetration testers do manually: try to exploit the identified vulnerability, and if the exploitation is successful, then it is not a false positive. So we included an exploitation engine in Netsparker that automatically exploits detected vulnerabilities in a safe and read-only way. If the vulnerability is exploitable, Netsparker flags it as a real vulnerability, so penetration testers do not have to manually verify it.
And we didn't stop there. To confirm that we are on the right track, and that the Netsparker exploitation engine works as advertised, we ran plenty of tests, i.e. security scans of live web applications, and compared the findings to those of other well-known scanners. We are proud to say that Netsparker was the only scanner that did not report any false positives, not to mention that it was also the scanner that detected the most exploitable vulnerabilities. In fact, the team reported several zero-day vulnerabilities in open source web applications such as Joomla, MediaWiki and TWiki.