Reporting issues

Reporting capabilities are only available in the Burp Professional edition.

In Burp Professional, as Scanner discovers a vulnerability, it is added to the list of issues on the Target tab, on the right-hand side of the UI. Issues are color-coded to indicate severity and confidence level. An issue with a red exclamation point is high severity with a confidence level of certain. For example, the SQL Injection issue shown here has both of these attributes.

Items with a lower severity or confidence level are rated low or informational and appear in yellow, gray, or black. These items require manual penetration testing to validate whether the vulnerability is present. For example, Input returned in response is a potential vulnerability identified by Scanner and shown in the following screenshot. This could be an attack vector for cross-site scripting (XSS), or it could be a false positive. It is up to the penetration tester, drawing on their level of experience, to validate such an issue.

  • Severity levels: The severity levels available include high, medium, low, information, and false positive. Any findings marked as false positive will not appear on the generated report. False positive is a severity level that must be manually set by the penetration tester on an issue.
  • Confidence levels: The confidence levels available include certain, firm, and tentative.