Netsparker does not report false positives.
How? It is the only scanner that automatically exploits identified vulnerabilities in a read-only and safe way – to confirm and prove that they are not false positives. If Netsparker cannot automatically confirm a vulnerability, it will inform you by prefixing it with [Possible].
- Netsparker uses a combination of its False Positive-Free Web Application Security Scanner and its integrated Exploitation Engine to offer the whole package: crawling, detecting, confirming and exploiting.
- This means that if Netsparker confirms the vulnerability (marked as 'Confirmed'), you do not need to waste time manually verifying it. All serious issues can be exploited and show a clear impact. You can also use the integrated exploitation panels to exploit the vulnerability yourself, for further proof (Netsparker Standard only). For example:
  - You can exploit an SQL Injection and confirm that it's actually an SQL Injection and not just an error page
  - You can confirm LFI by extracting files from the system
  - You can confirm a Command Injection by executing code in the system
- Not every single issue we report is false positive-free. What we can guarantee is that if we confirm an issue, then it's not a false positive. And we confirm 80% or more of identified issues. And the rest? If we can't exploit it, it will still be reported as 'Possible' and 'High' or 'Low', depending on other factors.
- If you encounter a real vulnerability and Netsparker was unable to confirm it, contact us and we'll fix it.
Netsparker is designed to help you secure web applications easily without any fuss, so you can focus on fixing reported vulnerabilities.
For more information and the technical details of the technology used by the Netsparker scanning engine, see False Positive Free Scanning.