We conducted an authenticated scan using an admin account. If an admin account with full permission was used, will using this account modify the database of an application?
You should never, ever run an authenticated web app scan using administrator credentials on a production application. This will obviously cause issues. The scanner will exercise any functionality it finds, i.e., if there is a button called "Delete all records" in the application, then the scanner will click that button and delete your production data.
TBH running any kind of authenticated web app scan in production is risky. Unauthenticated scans in production are fine. Authenticated scanning against non-production apps is fine.
Hate to say it but "depends". What the admin account was allowed to do and what the scan triggered. I normally try not to run vulnerability scans on production applications the first time until we at least check to see if there is an issue.
Here is one I typically see:
Scanner logs into the application.
Application at some point has a lot of rows of data to display, with links for actions.
One of the actions is delete.
Scanner crawls each link, effectively deleting all data in the system.
My suggestion: scan with a read-only user first. Once issues are addressed you may change the user to a role with the next largest set of users. My thought on this is that an attacker hopefully does not have credentials into your system, so when they first do get in they are going to elevate. So take care of the vulnerabilities at each level; you should be getting fewer every time.
Many times we will have a READ ONLY, normal user, elevated and admin. If you run the scan at admin you may find a lot more but maybe a disruption. If you find a vulnerability as a read-only user it is very likely it is at every level.
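The crawl scenario described in the answers (a per-row "delete" link that the scanner follows) can be caught before an authenticated scan by reviewing the crawled request list and excluding state-changing entries. The following is an added example, not part of the original thread; the function names, keyword list and URLs are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed word list and constructed URLs; adapt both to your application.
DESTRUCTIVE = {"delete", "remove", "destroy", "purge", "drop", "reset", "wipe"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Splits snake_case, kebab-case and camelCase into words (deleteAll -> delete, All).
_WORD = re.compile(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])")


def risk_reason(method, url):
    """Return why a crawled request should stay out of scan scope, or None."""
    if method.upper() not in SAFE_METHODS:
        return "state-changing method " + method.upper()
    parts = urlsplit(url)
    text = unquote(parts.path + " " + parts.query)
    words = {w.lower() for w in _WORD.findall(text)}
    hits = sorted(words & DESTRUCTIVE)
    if hits:
        # A plain GET link can still delete data, as in the scenario above.
        return "destructive keyword in URL: " + ", ".join(hits)
    return None


def split_scope(requests):
    """Partition (method, url) pairs into (in_scope, excluded_with_reason)."""
    in_scope, excluded = [], []
    for method, url in requests:
        reason = risk_reason(method, url)
        if reason:
            excluded.append((method, url, reason))
        else:
            in_scope.append((method, url))
    return in_scope, excluded


# Constructed crawl output from a read-only account on a test instance.
CRAWL = [
    ("GET", "https://app.example.test/records"),
    ("GET", "https://app.example.test/records/17"),
    ("GET", "https://app.example.test/records/17/delete"),
    ("GET", "https://app.example.test/records?action=deleteAll"),
    ("POST", "https://app.example.test/records/17/edit"),
    ("GET", "https://app.example.test/reports/undeleted"),
]

if __name__ == "__main__":
    in_scope, excluded = split_scope(CRAWL)
    for method, url, reason in excluded:
        print(f"EXCLUDE {method} {url}  ({reason})")
    print(f"{len(in_scope)} requests left in scope")
```

Keyword matching only catches actions that are named in the URL, so the excluded list should be reviewed by someone who knows the application before it is turned into scanner exclusions.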