What are false positives in web application security?
False positives are like false alarms; they occur when security software reports a vulnerability or security issue that in reality does not exist. In the web application industry false positives are frequently associated with web application security scanners, which are also known as web security scanners or web vulnerability scanners. False positives are also common in several other IT industries and they are always associated with automated tools.
Why do web application security scanners typically generate false positives?
False positives in web application security scanners are typically caused by weak signature patterns in the scanner’s vulnerability checks. When a web vulnerability scanner analyzes an HTTP response to decide whether a vulnerability exists, it tries to match the content of the response against a predefined signature pattern. If some text in the HTTP response matches the signature pattern, the scanner concludes that the page in question is vulnerable.
If the scanner’s predefined signature pattern is weak, legitimate text in the HTTP response (for example, a help page that quotes a database error message) can match the pattern, trigger the vulnerability check, and cause the scanner to report a false positive.
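The following added example (written for this article; it is not code from any particular scanner) shows the mechanism described above on constructed HTTP response bodies. A loose signature that merely looks for the word "SQL" flags a blog post that quotes a database error, a false positive, while a check that uses the full error signature and compares the test response against a baseline response for the same page only flags a response where the error text was newly introduced. The sample responses, the patterns and the function names are all assumptions made for the illustration.

```python
import re

# Constructed sample HTTP response bodies (not real scanner output).
BASELINE = "<html><body><h1>Product 42</h1><p>In stock.</p></body></html>"

# A legitimate page whose normal content happens to quote a database error.
BLOG_POST = (
    "<html><body><h1>Debugging tips</h1>"
    "<p>If you see 'You have an error in your SQL syntax' in the logs, "
    "check your quoting.</p></body></html>"
)

# A response where the application really did leak a database error.
DB_ERROR = (
    "<html><body>Warning: mysql_fetch_array(): You have an error in your "
    "SQL syntax; check the manual that corresponds to your MySQL server "
    "version for the right syntax to use near ''' at line 1</body></html>"
)

# Weak signature: any occurrence of "sql" counts as a hit.
WEAK_PATTERN = re.compile(r"sql", re.IGNORECASE)

# Stricter signature: the full shape of the MySQL syntax error, including
# the "near '...'" fragment that a quoted example rarely reproduces.
STRICT_PATTERN = re.compile(
    r"You have an error in your SQL syntax;.*?near '", re.IGNORECASE | re.DOTALL
)


def weak_check(body: str) -> bool:
    """Report a finding whenever the weak pattern appears anywhere in the body."""
    return WEAK_PATTERN.search(body) is not None


def strict_check(baseline: str, body: str) -> bool:
    """Report a finding only if the strict signature occurs more often in the
    test response than in the baseline response for the same page, so text
    that is part of the page's normal content does not trigger the check."""
    before = len(STRICT_PATTERN.findall(baseline))
    after = len(STRICT_PATTERN.findall(body))
    return after > before


def scan_report(baseline: str, samples: dict) -> dict:
    """Run both checks over a set of named response bodies and return
    {name: (weak_result, strict_result)} for side-by-side comparison."""
    return {
        name: (weak_check(body), strict_check(baseline, body))
        for name, body in samples.items()
    }


if __name__ == "__main__":
    samples = {"baseline": BASELINE, "blog_post": BLOG_POST, "db_error": DB_ERROR}
    for name, (weak, strict) in scan_report(BASELINE, samples).items():
        print(f"{name:10} weak={weak!s:5} strict={strict}")
```

The weak pattern flags the blog post even though nothing is wrong with it; that is exactly the false positive the article describes. The strict check combines a precise signature with a baseline comparison, which is one of the usual ways scanner authors cut down false positives without losing the genuine error-leak case. It is not a complete cure: a page whose baseline already contains the full error text would need a different test request to tell the two cases apart.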
What is the impact of false positives in a web application security scan?
The impact of false positives on web security scans and penetration tests is very negative. To start with, automated tools such as web application security scanners are used to eliminate the repetitive parts of a penetration test and leave the tester enough time to concentrate on other tasks, such as identifying logical vulnerabilities. If the security scanner used is known to report a lot of false positives, the tester will instead spend that time manually verifying the scanner’s findings.
But it is not just about wasting time and slowing down productivity. A lot of false positives can also deter penetration testers which as a result might leave exploitable vulnerabilities undetected. For example the web vulnerability scanner you are using reported 100 SQL injection vulnerabilities on a particular target. You manually checked 55 of them and confirmed they are false positives. In an effort to improve productivity, save time and money and avoid repetitive drudgery work, at this stage you start taking more risks and questioning “What are the probabilities that the remaining 45 SQL injections are false positives?”
Typically at this stage the penetration tester has already lost trust in the security scanner and starts omitting manual verification of the vulnerability checks. With such an approach the risk of leaving exploitable vulnerabilities undetected and unremediated is very high. In web application security it is important to identify every web application vulnerability and security issue, because a malicious attacker only needs to exploit one vulnerability to finish the job.