Vulnerability scans have the potential to produce large numbers of false positives. There are numerous reasons a scanner may trigger a false positive, including:
- The scanner vendor may be trying to make their product look good by programming the scanner to report more vulnerabilities than there truly are.
- The scanner is unable to recognize that another control is compensating for some identified deficiency.
- The scanner is using a vulnerability database with outdated definitions.
- The scanner incorrectly scores a vulnerability as more severe or easily exploited than it actually is.
- Customizations in the target environment are inadvertently triggering the scanner to identify a vulnerability.
- The scanner is not properly configured; e.g., it has been supplied with an incorrect target or credentials.
As a pen tester, you must be able to identify when results indicate a false lead on a vulnerability. Doing so will help you avoid wasting time chasing a lead that takes you to a dead end. There are several tactics you can employ to identify false positives; one of the most effective is results validation. Through a validation process, you compare what you've learned about the target environment to individual scan results and determine whether the results are truly applicable and accurate. For example, your scanner may indicate that a target Windows Server is susceptible to weaknesses in Server Message Block version 1 (SMBv1). However, an earlier service scan shows that the SMB service on the server is patched and running SMB version 3, the latest. You might therefore conclude that the scanner is in error.
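The validation process described above can be partly automated by cross-referencing each scanner finding against facts you gathered independently (a service/version scan, the SMB dialects the host actually negotiated). The following is an added example written for this page, not code from the original text or from any scanner product; the finding and host-fact formats, field names, IP address and version strings are all constructed assumptions. It goes slightly beyond the SMBv1 case in the text by also checking for ports that are not open, service mismatches on a port, and version banners that are already at or above the fixed version.

```python
"""Cross-check scanner findings against independently gathered host facts
to flag likely false positives before anyone spends time chasing them.

Added example; data formats and sample values are constructed assumptions.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed host facts from a separate service/version scan.
HOST_FACTS = {
    "10.0.0.5": {
        "open_ports": {
            445: {"service": "smb", "version": "3.1.1"},
            80: {"service": "http", "version": "Apache/2.4.57"},
        },
        # Dialects the host offered during SMB negotiation; SMB1 was absent.
        "smb_dialects": ["3.0", "3.1.1"],
    }
}

# Constructed scanner findings. "requires" lists a condition the finding
# depends on; "fixed_in" is the first version the scanner definition treats
# as patched.
FINDINGS = [
    {"id": "F-1", "host": "10.0.0.5", "port": 445, "title": "SMBv1 enabled",
     "service": "smb", "requires": {"smb_dialect": "1.0"}},
    {"id": "F-2", "host": "10.0.0.5", "port": 80, "title": "Outdated Apache",
     "service": "http", "fixed_in": "2.4.50"},
    {"id": "F-3", "host": "10.0.0.5", "port": 21, "title": "Anonymous FTP",
     "service": "ftp"},
    {"id": "F-4", "host": "10.0.0.5", "port": 80, "title": "Directory listing",
     "service": "http"},
]


def version_tuple(text: str) -> Optional[Tuple[int, ...]]:
    """Pull the first dotted numeric version out of a banner like 'Apache/2.4.57'."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def validate(finding: dict, host_facts: dict) -> Tuple[str, str]:
    """Return (verdict, reason). A verdict of 'needs_manual_check' means no
    gathered fact contradicts the finding; it is NOT a confirmation."""
    facts = host_facts.get(finding["host"])
    if facts is None:
        return "unverified", "no independent facts gathered for this host"

    port = finding.get("port")
    svc = facts["open_ports"].get(port)
    if svc is None:
        # Scanner reports a service the service scan never saw (misconfigured
        # target, stale definition, or environment quirk).
        return "likely_false_positive", f"port {port} not open in service scan"

    expected = finding.get("service")
    if expected and svc["service"] != expected:
        return "likely_false_positive", f"port {port} runs {svc['service']}, not {expected}"

    # The page's SMBv1 example: the finding only applies if SMB1 was offered.
    needed_dialect = finding.get("requires", {}).get("smb_dialect")
    if needed_dialect and needed_dialect not in facts.get("smb_dialects", []):
        return ("likely_false_positive",
                f"SMB dialect {needed_dialect} not offered; observed {facts['smb_dialects']}")

    fixed = finding.get("fixed_in")
    if fixed:
        observed = version_tuple(svc.get("version", ""))
        if observed is None:
            return "needs_manual_check", "no version banner available to compare"
        if observed >= version_tuple(fixed):
            return ("likely_false_positive",
                    f"observed {svc['version']} is at or above fixed version {fixed}")

    return "needs_manual_check", "no gathered fact contradicts this finding; confirm by hand"


def validate_all(findings, host_facts) -> Dict[str, Tuple[str, str]]:
    """Map each finding id to its (verdict, reason)."""
    return {f["id"]: validate(f, host_facts) for f in findings}


if __name__ == "__main__":
    for fid, (verdict, why) in validate_all(FINDINGS, HOST_FACTS).items():
        print(f"{fid}: {verdict} ({why})")
```

Two design points worth noting. A "likely false positive" still belongs in your working notes with its reason, because a version banner can lie (vendors backport fixes without bumping the version, and a host can be patched without the banner changing), so the contradiction is evidence, not proof. And the absence of a contradiction is deliberately reported as "needs manual check" rather than "confirmed": a scan result is only validated once you have tested the condition yourself.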
If you were playing the defensive blue team, you'd have an easier time identifying false positives because your understanding of the target environment would be complete. As a pen tester, there may be gaps in your knowledge, especially if you're conducting a black box test. In this case, you'll need to try your best with what you have and concede that you won't necessarily be able to avoid false positives entirely. You may choose to conduct more reconnaissance on the target environment if you are intent on avoiding as many false positives as possible.