Acunetix is a heuristic scanner rather than a signature-based one, which by design is an efficient way of reducing false positives.
With the introduction of AcuSensor Technology, false positive reporting has been drastically reduced because vulnerability detection is no longer based on just the error messages returned from the server or web application, but also on information sent back to the scanner from the sensors installed on the web server.
Still, if a reported vulnerability happens to be a false positive, one can mark it as ‘false positive’ from the vulnerability description, so that the next time a scan is launched against the same website or web application, the vulnerability will not show up again.
For a complete security assessment of a web application, we always recommend supplementing automated scans with manual tests so that one can verify and understand the automated scan results, which is why Acunetix WVS is also shipped with a set of advanced manual penetration testing tools.
You can also report a false positive by sending all the vulnerability technical details to firstname.lastname@example.org.