Interpreting Active Scan Results

Active scan alerts require careful interpretation to distinguish real vulnerabilities from false positives. ZAP attaches both a risk level and a confidence level to every alert, together with the evidence string it matched in the response. High-confidence alerts backed by specific evidence generally indicate real issues; low-confidence alerts usually need manual verification. Understanding how each scan rule decides that a parameter is vulnerable helps you judge its accuracy. An SQL injection alert whose evidence is a database error message is strong. A time-based (blind) detection rests only on a response delay, which a slow back end or network jitter can reproduce, so it is more prone to false positives.

Response analysis reveals the vulnerability details that remediation depends on. Examine the request ZAP sent and the application's response; ZAP shows both for each alert. Look for error messages, unexpected behaviour, or signs that the payload executed. A database error returned for an SQL injection payload confirms that the input reached the query unsanitised. A payload reflected verbatim in an XSS test shows that the output was not encoded; if it comes back as &lt;script&gt;, the application is encoding correctly and the alert is likely a false positive. Understanding these indicators helps you communicate findings to development teams in terms they can act on.

Attack replication validates findings and builds security expertise. Open the request that triggered an alert in ZAP's Request Editor and resend it manually. Observe the response to confirm the vulnerability. For time-based alerts, resend the payload several times and compare the timings against unmodified requests, because a single slow response proves nothing. Modify the payload to map the boundaries of the vulnerability: what works, what is filtered, and which characters the application encodes. This manual validation turns automated findings into actionable security knowledge.
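The triage and replication steps above, as an added example that is not part of the original article or of ZAP itself. The alert dictionaries are constructed samples shaped like the JSON the ZAP API returns from /JSON/alert/view/alerts/ (alert, risk, confidence, param, attack, evidence, url, method); the response bodies and request timings are likewise constructed rather than captured, and the verdict labels (strong, likely, verify, dismissed) are this example's own, not ZAP's.

```python
"""Triage ZAP active-scan alerts by the kind of evidence they carry, then
apply the two replication checks a reviewer does by hand: is an XSS payload
really reflected unencoded, and do repeated timings back a time-based alert.
Constructed sample data; not real scan output."""
import html
import re
import statistics
from typing import Dict, List

# Database error signatures that make an SQLi alert strong evidence.
# Common engines only; extend for the target stack.
SQL_ERROR_PATTERNS = [re.compile(p, re.I) for p in (
    r"You have an error in your SQL syntax",   # MySQL / MariaDB
    r"ERROR:\s+syntax error at or near",        # PostgreSQL
    r"Unclosed quotation mark after",           # Microsoft SQL Server
    r"ORA-\d{5}",                               # Oracle
    r'near ".*?": syntax error',                # SQLite
)]
TIMING_PAYLOAD = re.compile(r"sleep\(|waitfor\s+delay|pg_sleep|benchmark\(", re.I)


def classify_evidence(alert: Dict) -> str:
    """'db-error', 'reflected', 'timing' or 'weak' (needs manual work)."""
    evidence = alert.get("evidence") or ""
    attack = alert.get("attack") or ""
    if any(p.search(evidence) for p in SQL_ERROR_PATTERNS):
        return "db-error"
    # Only count reflection when the payload has markup characters; a bare
    # "1" echoed back says nothing about output encoding.
    if attack and attack in evidence and html.escape(attack, quote=True) != attack:
        return "reflected"
    if TIMING_PAYLOAD.search(attack):
        return "timing"
    return "weak"


def triage(alerts: List[Dict]) -> List[Dict]:
    """Attach evidence_kind and a verdict to each alert, strongest first."""
    order = {"strong": 0, "likely": 1, "verify": 2, "dismissed": 3}
    out = []
    for a in alerts:
        kind, conf = classify_evidence(a), a.get("confidence", "Low")
        if conf == "False Positive":
            verdict = "dismissed"
        elif kind == "db-error" or conf == "User Confirmed":
            verdict = "strong"
        elif kind == "reflected" and conf in ("High", "Medium"):
            verdict = "likely"
        else:
            verdict = "verify"          # timing-only, weak, or low confidence
        out.append({**a, "evidence_kind": kind, "verdict": verdict})
    return sorted(out, key=lambda a: order[a["verdict"]])


def reflection_context(payload: str, body: str) -> str:
    """'verbatim' (unencoded, real reflection), 'encoded' (output encoding is
    working, likely false positive) or 'absent'."""
    if payload in body:
        return "verbatim"
    if html.escape(payload, quote=True) in body or html.escape(payload, quote=False) in body:
        return "encoded"
    return "absent"


def timing_supports_injection(baseline: List[float], delayed: List[float], sleep_s: float) -> bool:
    """True only if the median delayed response exceeds the median baseline by
    most of the requested sleep AND the baseline is stable, so a single slow
    request (GC pause, network hiccup) cannot confirm the alert."""
    if len(baseline) < 3 or len(delayed) < 3:
        return False
    base_med = statistics.median(baseline)
    stable = max(baseline) - base_med < sleep_s / 2
    return stable and statistics.median(delayed) - base_med >= 0.8 * sleep_s


SAMPLE_ALERTS = [  # constructed, field names as in the ZAP API alert JSON
    {"alert": "SQL Injection", "risk": "High", "confidence": "High", "method": "GET",
     "url": "http://app.example/items?id=1", "param": "id", "attack": "1'",
     "evidence": "You have an error in your SQL syntax; check the manual"},
    {"alert": "SQL Injection - MySQL", "risk": "High", "confidence": "Medium", "method": "GET",
     "url": "http://app.example/items?id=1", "param": "id", "attack": "1 AND sleep(15)",
     "evidence": ""},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "method": "GET", "url": "http://app.example/search?q=x", "param": "q",
     "attack": "<script>alert(1)</script>", "evidence": "<script>alert(1)</script>"},
    {"alert": "Path Traversal", "risk": "High", "confidence": "Low", "method": "GET",
     "url": "http://app.example/file?name=a", "param": "name",
     "attack": "../../../../etc/passwd", "evidence": ""},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(f"{a['verdict']:9} {a['evidence_kind']:9} {a['alert']} [{a['param']}]")
    # Replication of the time-based alert: timings are constructed here; in
    # practice they come from resending the request with and without sleep().
    print(timing_supports_injection([0.21, 0.19, 0.24, 0.20], [15.3, 15.1, 15.4, 15.2], 15))
```

The verdict is a prioritisation aid, not a result: everything that lands in "verify" (including the time-based SQLi alert, which had no error evidence) still goes through the Request Editor, and `timing_supports_injection` encodes the rule that one slow response is not confirmation.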