Web application security scanners, especially the commercial ones, behave almost as if they were some kind of magical black box that will solve all of your security problems if you decide to use them. There is no way of knowing what they are doing, just an indication that something is happening in the background, which, needless to say, leaves the users of such products anxious and mistrustful of them.
Why is this the norm today? You may disagree, but I think the reason for hiding away the juicy details is partly the proprietary nature of some of these tools: the companies and individuals behind them are afraid of being copied by competitors. It may also be that the people behind such products do not want you to know what their expensive tool is actually doing, because they are afraid you will not agree with the price or the return on investment of purchasing it.
Well, we are different. At least we are trying to be, and one of the things we want to do is lift the curtain so that you can peek inside our security tools. Starting from today you can see what our scanner is doing at the most granular level: what payloads it has been sending, what it has been spidering and everything else that is part of the process of discovering vulnerabilities in an automated fashion.
Exposing this information is of great value to our users, especially to professionals, who need the inside details of what happened and when, so that problems with the scanning process, or vulnerabilities that were missed entirely, can be easily identified. At the end of the day, the aim is not to create a false sense of security with our tools but to make our users confident that the systems they are testing are in fact secure, and to give them the evidence to prove it.
To access the feature, select the transactions tab and look through the list of requests and responses generated by the tool. You can use filters to quickly find the right information. You can even generate code in your favourite programming language to repeat the request that caused the problem, in whichever way you want to.
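As an added example (not the scanner's own code, and not its actual export format), here is the kind of filter-and-replay workflow the paragraph above describes, done by hand on a constructed list of logged transactions: parse the raw HTTP request the scanner sent, filter the log by response status or by a payload marker, and turn the matching request into a curl command you can re-run outside the tool. The `SAMPLE_TRANSACTIONS` records, their field names and the `target.example` host are all assumptions made for this example.

```python
"""Filter logged scanner transactions and build a replayable curl command.

Added example, not the scanner's own code. The transaction record layout
(id / raw request / status / raw response) is an assumption for this example.
"""
import shlex
from typing import Dict, List, Optional

# Constructed sample log: three requests a scanner might have sent while
# testing a search form and a login form. Not real traffic.
SAMPLE_TRANSACTIONS: List[Dict] = [
    {
        "id": 1,
        "request": "GET /search?q=hello HTTP/1.1\r\nHost: target.example\r\nUser-Agent: scanner\r\n\r\n",
        "status": 200,
        "response": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>Results for hello</p>",
    },
    {
        # XSS probe whose payload is reflected unencoded in the response body.
        "id": 2,
        "request": "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\nHost: target.example\r\nUser-Agent: scanner\r\n\r\n",
        "status": 200,
        "response": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>Results for <script>alert(1)</script></p>",
    },
    {
        # Login request that made the application fall over.
        "id": 3,
        "request": "POST /login HTTP/1.1\r\nHost: target.example\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 25\r\n\r\nusername=admin&password=x",
        "status": 500,
        "response": "HTTP/1.1 500 Internal Server Error\r\n\r\n",
    },
]


def parse_raw_request(raw: str) -> Dict:
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def find_transactions(transactions: List[Dict], status: Optional[int] = None,
                      marker: Optional[str] = None) -> List[Dict]:
    """Filter the log by response status and/or a substring (e.g. a payload)
    appearing in either the request or the response."""
    hits = []
    for tx in transactions:
        if status is not None and tx["status"] != status:
            continue
        if marker is not None and marker not in tx["request"] and marker not in tx["response"]:
            continue
        hits.append(tx)
    return hits


def to_curl(req: Dict, scheme: str = "http") -> str:
    """Render a parsed request as a shell-safe curl command that replays it."""
    host = req["headers"].get("Host", "localhost")
    url = f"{scheme}://{host}{req['target']}"
    parts = ["curl", "-i", "-X", req["method"]]
    for name, value in req["headers"].items():
        if name.lower() == "content-length":  # curl recomputes this itself
            continue
        parts += ["-H", f"{name}: {value}"]
    if req["body"]:
        parts += ["--data-binary", req["body"]]
    parts.append(url)
    return " ".join(shlex.quote(p) for p in parts)


if __name__ == "__main__":
    # Find the transaction where the XSS payload came back reflected, and
    # print a curl command that repeats exactly that request.
    for tx in find_transactions(SAMPLE_TRANSACTIONS, marker="alert(1)"):
        print(f"transaction {tx['id']} (status {tx['status']}):")
        print("  " + to_curl(parse_raw_request(tx["request"])))
    # Also list anything that produced a server error.
    for tx in find_transactions(SAMPLE_TRANSACTIONS, status=500):
        print(f"server error in transaction {tx['id']}:")
        print("  " + to_curl(parse_raw_request(tx["request"])))
```

The `Content-Length` header is dropped on purpose: curl recomputes it from the body it actually sends, and a stale value copied from the log would produce a request that the server may reject or truncate.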
It is still early days, although the feature works as advertised. We always aspire to do better, so the next step is to add to our entire suite of tools a feature to extract, process and download these transactions (not just preview them), including the ones from the scanner, so that you can put them to whatever use your experience and skills suggest.
As usual, feel free to reach out to us with your suggestions and recommendations. That feedback helps us shape our tools so that they are even more useful to you, and it is the only way we can do it.