All the fanfare, big talk and cool features, in combination with the work, research and technology that powers Arachni, cannot compensate for every challenge; naturally, there are a few limitations. This page is here to cut through the BS and let you know what you can realistically expect from the system.
However, you can improve the situation by using the Proxy plug-in to teach Arachni about vectors it can't parse, via your browser. The system will sit between your browser and the webapp and monitor the exchanged traffic — this way JS execution is delegated to the browser.
A word of encouragement
Even though this is a huge undertaking, initial research into this field has started and will definitely be supported in the future.
Arachni invests a lot of effort into diminishing false-positive results, but the truth is that they are just a fact of life. FPs are usually caused by erratic webapp or server behavior, such as fragile/unreliable network conditions or non-standard/broken HTTP responses.
One thing to keep in mind
Even though you may see false-positive results during run-time, do not despair: only once the scan has finished (and meta-analysis has been performed) should you rely on the accuracy of the results.
If you do come across an FP, the best thing to do is report it so that it can be fixed.
The role of scanners in the audit process
Automated scanners are NOT a panacea — treat this as your creed.
Systems like Arachni are complementary to a manual audit; verification and further investigation of results will always be necessary. Automated audits have come a long way, but they cannot replace a human.