Once we have identified an attack vector, we need to perform vulnerability scanning, which occurs in this stage of penetration testing. A vulnerability assessment is done on the web application to identify vulnerabilities on a web page, directory, HTTP protocol method, HTTP headers, and so on. The Scanning can be done using publicly available tools or paid-for licensed tools. All types of testing—white box, black box, and gray box— rely heavily on this stage. 

Once a vulnerability scan has been done, we need to assess and analyze each vulnerability that is found and then filter out the false positives. Filtering out the false positives helps the pen tester to work on the vulnerabilities that actually exist and not the ones that were found because of time delay or the scanner's error. All the vulnerability filtration happens at this stage.

The following is the list of tools that can be used to perform vulnerability assessment and scanning on a web application:

• System and network vulnerability assessment: Nessus, OpenVAS, and so on
• Web application vulnerability assessment: Nikto, Acunetix, BurpSuite, Nessus, and so on