Reduce time-wasting false positives with Proof-Based Scanning™ that eliminates the need for manual verification. Netsparker pioneered this approach based on the understanding that “if a vulnerability can be exploited, it cannot be a false positive”.
Proof-Based Scanning automatically verifies direct-impact vulnerabilities and includes safely extracted payloads in the scan results as proof that the issue is not a false positive. These confirmed vulnerabilities can be sent directly to development without the need for manual re-tests. This approach to confident automation enables even the largest organizations to scale AST (application security testing) to all web assets without overwhelming the security team with manual validation tasks.
Many web application security scanners are prone to false alarms, also called false positive results. In other words, they can indicate that your website is vulnerable when it isn’t. False positives are a major problem in web application security, as they make security testing slower, less accurate, and much more frustrating.
No matter how many vulnerabilities a scanner reports, you can’t start addressing them until you are sure that they are real and exploitable issues. If each result requires manual checking, the performance benefits of using an automated scanner are greatly reduced because security professionals still have to spend time on manually weeding out false positives.
The ultimate goal of scanning technology is to automate repetitive and time-consuming tasks and assist developers and security teams in fixing vulnerabilities. Netsparker achieves this by actively investigating each of the identified web vulnerabilities, in effect simulating the actions of a penetration tester.
To confirm a vulnerability, Netsparker attempts to safely exploit it in a read-only manner and extract sample data. When successful, this provides conclusive proof that an identified web application vulnerability is genuine and not a false positive. Each verified result is accompanied by detailed information on how the vulnerability was discovered, how it can be exploited, and often also how it can be fixed.
If Netsparker marks a vulnerability as confirmed, you know it is real and exploitable – and this covers the majority of direct-impact vulnerabilities. Any vulnerabilities that Netsparker is unable to confirm automatically are marked for manual verification. This is a real game-changer because now you can plan your actions based on solid proof.
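The confirm-or-flag workflow described above, as an added illustration that is not Netsparker's code and makes no claim about how the product performs its checks. It models a reflected-input check, the kind used for reflected cross-site scripting findings, in two stages: a heuristic stage that fires whenever the probe value is echoed in any form (the source of false positives), and a confirming stage that only succeeds when a unique marker with its special characters intact comes back unencoded, keeping the surrounding response bytes as proof. Findings the second stage confirms go to the development queue; the rest are routed to manual verification. The marker format, URLs, parameter names and response bodies are all constructed for the example, and no network traffic is sent.

```python
"""Two-stage confirmation of a reflected-input finding, mirroring the
confirm-or-flag-for-manual-review workflow described in the text.

Stage 1 (heuristic) fires when the probe appears in the response in any form,
including HTML-encoded, which is exactly the case that produces false positives.
Stage 2 (confirmation) requires the marker verbatim, angle brackets intact, and
records the surrounding response excerpt as proof.  Everything below operates
on constructed strings; there is no network I/O.
"""
from dataclasses import dataclass
from html import escape
from typing import Optional

MARKER = "<nsprobe1234>"  # constructed probe value; the format is a hypothetical choice


@dataclass
class Finding:
    url: str
    parameter: str
    status: str                  # "confirmed" or "needs_manual_verification"
    proof: Optional[str] = None  # response excerpt demonstrating the issue, if confirmed


def heuristic_reflected(body: str, marker: str) -> bool:
    """Stage 1: the probe is echoed raw or HTML-encoded.

    A naive scanner reports on this alone, so it flags pages that encode
    output correctly just as readily as pages that do not."""
    return marker in body or escape(marker) in body


def confirm_reflected(body: str, marker: str, context: int = 20) -> Optional[str]:
    """Stage 2: the probe is echoed verbatim with its special characters intact.

    Returns an excerpt of the response around the unencoded marker as proof,
    or None when only an encoded copy is present (not confirmed)."""
    idx = body.find(marker)
    if idx == -1:
        return None
    start = max(0, idx - context)
    end = min(len(body), idx + len(marker) + context)
    return body[start:end]


def assess(url: str, parameter: str, body: str, marker: str = MARKER) -> Optional[Finding]:
    """Run both stages; None means the parameter is not reflected at all."""
    if not heuristic_reflected(body, marker):
        return None
    proof = confirm_reflected(body, marker)
    if proof is not None:
        return Finding(url, parameter, "confirmed", proof)
    return Finding(url, parameter, "needs_manual_verification")


def triage(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Confirmed findings go straight to development; the rest wait for a human."""
    queues: dict[str, list[Finding]] = {"development": [], "manual_verification": []}
    for f in findings:
        key = "development" if f.status == "confirmed" else "manual_verification"
        queues[key].append(f)
    return queues


# Constructed responses standing in for three pages of a test application.
SAMPLE_RESPONSES = {
    # Encodes output correctly: the marker is present only as &lt;nsprobe1234&gt;.
    ("https://app.example/search", "q"): f"<p>Results for {escape(MARKER)}</p>",
    # Echoes the parameter unencoded into the page body.
    ("https://app.example/profile", "name"): f"<h1>Hello {MARKER}, welcome back</h1>",
    # Does not reflect the parameter at all.
    ("https://app.example/about", "ref"): "<p>About us</p>",
}


def run_sample() -> dict[str, list[Finding]]:
    """Assess every constructed response and return the two triage queues."""
    findings = []
    for (url, param), body in SAMPLE_RESPONSES.items():
        f = assess(url, param, body)
        if f is not None:
            findings.append(f)
    return triage(findings)


if __name__ == "__main__":
    for queue, items in run_sample().items():
        print(f"{queue}:")
        for f in items:
            print(f"  {f.url} [{f.parameter}] {f.status} proof={f.proof!r}")
```

Running the sample puts the `/profile` finding in the development queue with the echoed `<h1>` fragment as its proof, while the `/search` page, which reflects the probe only in encoded form, is queued for manual verification rather than being reported as exploitable.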