| Scanner | Version | Vendor |
|---|---|---|
| ProxyStrike | 2.2 | Edge Security |

Tested Against WAVSEP Version:
Detection Accuracy (SQL Injection): 52.21% Detection Rate (71/136), 0.00% False Positives (0/10)

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 13 out of 20 | Cases Detected: 1(2nd),2,3,6,8-13,16-18; Cases Missed: 1(1st),4,5,7,14,15,19 |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 11 out of 20 | Cases Detected: 2,3,6-13,18; Cases Missed: 1(1st&2nd),4,5,14-17,19 |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 14 out of 20 | Cases Detected: 1(2nd),2,3,6-13,16-18; Cases Missed: 1(1st),4,5,14,15,19 |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 13 out of 20 | Cases Detected: 2,3,5-13,17,18; Cases Missed: 1(1st&2nd),4,14-16,19 |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 11 out of 20 | Cases Detected: 1(2nd),2,3,6-8,11-13,16,18; Cases Missed: 1(1st),4,5,9,10,14,15,19 |
| Valid 200 Responses | HTTP POST (Body Parameters) | 9 out of 20 | Cases Detected: 2,3,7,8,11-13,17,18; Cases Missed: 1(1st&2nd),4-6,9,10,14-16,19 |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 0 out of 8 | Cases Missed: 1(1st&2nd)-19 |
| Identical 200 Responses | HTTP POST (Body Parameters) | 0 out of 8 | Cases Missed: 1(1st&2nd)-19 |
| False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 0 out of 10 | None |
Detection Accuracy (Reflected XSS): 93.94% Detection Rate (62/66), 85.71% False Positives (6/7)

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Reflected XSS | HTTP GET (Query String Parameters) | 31 out of 33 | Cases Detected: 1-15,17-29,30(1st&2nd),32; Cases Missed: 16,31 |
| Reflected XSS | HTTP POST (Body Parameters) | 31 out of 33 | Cases Detected: 1-15,17-29,30(1st&2nd),32; Cases Missed: 16,31 |
| False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 6 out of 7 | Cases Detected: 1,2,3,4,6,7 |
I initially crawled the main XSS URL (http://localhost:8080/wavsep/index-xss.jsp) after enabling all the scan plugins, increasing the scan threads to 7 (for each plugin), and enabling the "crawl using plugins" feature, but for some reason the tool only crawled the POST URLs, and when I performed another crawling process on the GET directory, I only discovered that the bug persists.

I eventually used Paros as an external spider that uses ProxyStrike as an outgoing proxy, and that solved my problem. Overall, the following URLs were crawled and scanned:

- http://localhost:8080/wavsep/index-xss.jsp
- http://localhost:8080/wavsep/index-sql.jsp
- http://localhost:8080/wavsep/RXSS-FalsePositives-GET/index.jsp
- http://localhost:8080/wavsep/SInjection-FalsePositives-GET/index.jsp

The SQL injection results included injection classification and database identification. The XSS results did not include any proof of concept, but the XML report generated stated which special characters the tool managed to use in the context of each field. The tool did not validate that the characters returned are sufficient to construct an exploit in the given HTML scope, and thus requires the tester to perform manual validation.

The XSS feature can be very useful as a complementary tool (similar to using Watcher and x5s), but not as the main tool (due to the large amount of false positives). On the other hand, the SQL injection feature is amazing (0 false positives! Good detection rates in cases where error messages and exceptions are not presented), and should be used whenever possible (preferably with an external crawler, or while manually crawling).

There is, however, a scoping problem that should be addressed here: any request to any server will be scanned using this tool (there is no feature that enables defining domain restrictions), and as a result the proxy may attack external web sites (when safe-browsing requests are performed by the browser, plugin updates, etc.). Therefore, this tool should be used with care (when Burp is used as the external spider, the tester can configure it to transfer to the outgoing proxy only requests to a specific domain, a feature that can mitigate this problem).
Detection Accuracy (WIVET): 39.0% Detection Rate
I initialized WIVET's session, fixed the spider threads to 2, defined Fiddler as an upstream proxy, used Fiddler's filter features to define a valid session identifier, and finally edited menu.php in WIVET to exclude the logout URL (100.php).

In addition, I also defined the valid session identifier within ProxyStrike. I used the crawler on both the menu.php and the index.php pages, and crawled while the XSS plugin was enabled. I verified the results twice, and they came out the same.