Vulnerability Scanning & Discovery Validating Scanner Results

Automated vulnerability scanners are incredibly powerful tools for discovering potential security flaws, but they aren't perfect. To ensure your security assessments are accurate and actionable, you must manually validate automated findings to eliminate false positives and uncover complex vulnerabilities that scanners might misinterpret.

This guide covers the best practices for correlating, researching, and manually verifying the results from your vulnerability scans.

The Validation Workflow

Validating scanner results is a systematic process. Before diving into manual testing, it helps to understand the lifecycle of a vulnerability finding from discovery to confirmation.

flowchart TD
    A["Automated Scan Results"] --> B{"Correlate Data"}
    B --> C["Specific (e.g., CVE, IP)"]
    B --> D["Categorical (e.g., OWASP, PCI)"]
    C --> E["Research Vulnerability"]
    D --> E
    E --> F{"Manual Validation"}
    F --> G["Direct Connection / Visual"]
    F --> H["Isolated Lab Testing"]
    G --> I{"Is it a False Positive?"}
    H --> I
    I -- "Yes" --> J["Discard Finding"]
    I -- "No" --> K["Confirmed Vulnerability"]

Correlating Tool Output

When using multiple automated tools, you will often end up with overlapping data. Redundant findings can skew your statistical results, leading to an artificially inflated risk profile. To prevent this, group your findings using two primary correlation methods:

Correlation TypeDescriptionExample Use Case
SpecificGrouping definable issues by micro-factors like CVE, OSVDB, vendor index numbers, IP, or MAC address.Combining three different scanner alerts for the same Apache vulnerability on Host X into a single finding.
CategoricalGrouping issues by macro-factors or compliance frameworks (e.g., NIST, PCI, HIPAA, OWASP).Grouping all "default password" findings across 50 hosts into a single NIST 800-53 (IA-5) compliance failure.

Focus on specific correlation first to clean up duplicate alerts on individual hosts. Once your host-level data is accurate, use categorical correlation to identify broader systemic issues across your network.

Researching Vulnerabilities

Before attempting to manually exploit or verify a flaw, thoroughly research the scanner's claim. Automated tools often flag a version number as vulnerable without checking if a vendor backported a patch.

  1. 1

    Check vulnerability databases

    Cross-reference the provided CVE identifier with databases like the National Vulnerability Database (NVD), OSVDB, or Bugtraq. Verify if the vulnerability actually applies to your specific OS and environment (e.g., an Apache flaw might affect Windows but not Linux).

  2. 2

    Review vendor advisories and changelogs

    Vendors often release security advisories that contain nuances automated tools miss. Reviewing changelogs—especially for open-source products—can reveal if a vulnerability was patched in a non-standard way.

  3. 3

    Search for exploit availability

    Check exploit databases and commercial frameworks to see if functional exploit code exists. This helps determine the actual risk and exploitability of the issue.

  4. 4

    Consult hardening guides

    Compare the system's configuration against official hardening guides. This not only helps validate the specific finding but often reveals other misconfigurations the administrator may have left in place.

Manual Validation Techniques

There is no substitute for visually inspecting a target system and manually interacting with it. Scanners rely on signatures and basic responses, which can be easily fooled by custom logic, firewalls, or non-standard ports.

Direct Connections and Visual Confirmation

Always attempt to connect directly to the service in question. For example, if a scanner claims a web server is running an outdated version based on a banner, connect to it manually:

# Manually grab the banner to verify the scanner's claim
curl -I http://target-server.com

Visually reviewing the application in a browser or interacting with a service via command-line tools ensures that the service is actually accessible and functioning as the scanner reported.

Protocol-Specific Verification

Different services require different manual validation approaches. Expand the sections below to learn what to look for when verifying specific protocols:

Web Services

Web services are frequently found on non-standard ports. Verify HTTP methods manually. For instance, if a scanner flags insecure methods, check if PUT, DELETE, or TRACE are actually enabled and actionable, rather than just listed in an OPTIONS response. Also, verify if WebDAV extensions (like PROPFIND or MKCOL) are exposed.

VPNs (Virtual Private Networks)

Conventional scanners often fail to perform correct protocol negotiations with VPN devices using Internet Key Exchange (IKE). Use specialized VPN toolkits to accurately fingerprint the device, check back-off patterns, and identify weak authentication mechanisms like static pre-shared keys.

Mail Servers

Mail servers can leak an abundance of information. Manually verify if the server allows open mail relaying (which can be leveraged for phishing). Use inherent server functions to confirm if valid user accounts can be enumerated.

DNS (Domain Name Systems)

If a scanner flags a DNS misconfiguration, manually attempt a zone transfer to see if the server actually leaks internal network maps. Verify the exposed version information to ensure it isn't a false positive caused by a generic banner.

Safe Testing in Isolated Labs

When a vulnerability is complex or potentially destructive (like a buffer overflow or a denial-of-service condition), do not validate it directly on a production system.

Instead, set up a replica environment.

  1. Create Virtual Machines (VMs): Build a VM that mimics the target operating system, service pack level, and application version.

  2. Apply Target Configurations: Configure the lab application exactly as it is set up in the target environment.

  3. Test the Exploit: Run your manual tests or fuzzing routines against the isolated lab.

Directory brute-forcing and automated fuzzing can inundate a server with requests, causing an accidental Denial-of-Service (DoS). Always monitor production system health closely if you must perform these actions outside of a lab.

Need to track your validation progress?

Learn how to build and maintain Attack Trees to map out confirmed vulnerabilities and track potential entry points throughout your assessment.