This might be a stupid question so I apologize in advance. When it comes to a WAS vulnerability scan does WAS actually exploit the site? For example if it finds a XSS flaw does it actually inject the script into the site to successfully determine if the vulnerability exists and if I view the site from my own browser will I see the exploit that qualys used?
My query is for websites that I test I need to know what the system owners impact will be and whether or not they'll need to refresh the data once I've completed with my tests.
Appreciate the assistance.