Scanner: ProxyStrike
Version: 2.2
Vendor: Edge Security

Tested Against WAVSEP Version: 1.0

The SQL Injection Detection Accuracy of the Scanner:
Detection Rate: 52.21% (71/136)
False Positives: 0.00% (0/10)

Results per response type and input vector (detection rate, cases detected, cases missed):

Erroneous 500 Responses, HTTP GET (Query String Parameters): 13 out of 20
  Cases Detected: 1(2nd),2,3,6,8-13,16-18
  Cases Missed: 1(1st),4,5,7,14,15,19
Erroneous 500 Responses, HTTP POST (Body Parameters): 11 out of 20
  Cases Detected: 2,3,6-13,18
  Cases Missed: 1(1st&2nd),4,5,14-17,19
Erroneous 200 Responses, HTTP GET (Query String Parameters): 14 out of 20
  Cases Detected: 1(2nd),2,3,6-13,16-18
  Cases Missed: 1(1st),4,5,14,15,19
Erroneous 200 Responses, HTTP POST (Body Parameters): 13 out of 20
  Cases Detected: 2,3,5-13,17,18
  Cases Missed: 1(1st&2nd),4,14-16,19
Valid 200 Responses, HTTP GET (Query String Parameters): 11 out of 20
  Cases Detected: 1(2nd),2,3,6-8,11-13,16,18
  Cases Missed: 1(1st),4,5,9,10,14,15,19
Valid 200 Responses, HTTP POST (Body Parameters): 9 out of 20
  Cases Detected: 2,3,7,8,11-13,17,18
  Cases Missed: 1(1st&2nd),4-6,9,10,14-16,19
Identical 200 Responses, HTTP GET (Query String Parameters): 0 out of 8
  Cases Missed: 1(1st&2nd)-19
Identical 200 Responses, HTTP POST (Body Parameters): 0 out of 8
  Cases Missed: 1(1st&2nd)-19
False Positive SQLi Test Cases, HTTP GET (Query String Parameters): 0 out of 10
  False Positives Reported: None

The Reflected XSS Detection Accuracy of the Scanner:
Detection Rate: 93.94% (62/66)
False Positives: 85.71% (6/7)

Results per response type and input vector (detection rate, cases detected, cases missed):

Reflected XSS, HTTP GET (Query String Parameters): 31 out of 33
  Cases Detected: 1-15,17-29,30(1st&2nd),32
  Cases Missed: 16,31
Reflected XSS, HTTP POST (Body Parameters): 31 out of 33
  Cases Detected: 1-15,17-29,30(1st&2nd),32
  Cases Missed: 16,31
False Positive RXSS Test Cases, HTTP GET (Query String Parameters): 6 out of 7
  False Positives Reported in Cases: 1,2,3,4,6,7

WAVSEP Scan Log:
I initially crawled the main XSS URL (http://localhost:8080/wavsep/index-xss.jsp) after enabling all the scan plugins, increasing the scan threads to 7 (for each plugin), and enabling the "crawl using plugins" feature, but for some reason the tool only crawled the POST URLs, and when I performed another crawling process on the GET directory, I only discovered that the bug persists.
I eventually used Paros as an external spider that uses ProxyStrike as an outgoing proxy, and that solved my problem.
Overall, the following URLs were crawled and scanned:
http://localhost:8080/wavsep/index-xss.jsp
http://localhost:8080/wavsep/index-sql.jsp
http://localhost:8080/wavsep/RXSS-FalsePositives-GET/index.jsp
http://localhost:8080/wavsep/SInjection-FalsePositives-GET/index.jsp
The SQL injection results included injection classification and database identification.
The XSS results did not include any proof of concept, but the generated XML report stated which special characters the tool managed to reflect in the context of each field. The tool did not validate that the returned characters are sufficient to construct an exploit in the given HTML scope, so the tester has to perform that validation manually.
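The manual validation step that ProxyStrike leaves to the tester can be automated. The following Python example is added here and is not ProxyStrike code or code from this page: it brackets the probe characters between two markers, locates each reflection in the response, classifies its context with a small HTML/JavaScript state machine, and compares the characters that came back literally with what that context actually needs. The marker names (wvsA, wvsB), the probe set, the requirement table and the sample responses are all constructed for illustration; the state machine deliberately ignores comments, CDATA, regex literals and template strings.

```python
"""Context-aware validation of reflected-XSS probe results (added example,
not ProxyStrike code; markers, probe set and sample responses are constructed)."""

MARK_A = "wvsA"   # hypothetical markers bracketing the probe characters
MARK_B = "wvsB"
PROBE_CHARS = ['<', '>', '"', "'", ' ']   # sent between the markers in the probe request

# Literal characters that suffice to build a payload in each context.
# Each entry lists alternatives; one fully reflected alternative is enough.
REQUIREMENTS = {
    "text":     [{"<", ">"}],            # inject a new tag
    "attr_dq":  [{'"'}],                 # close the value, then add an event handler
    "attr_sq":  [{"'"}],
    "attr_unq": [{" "}],                 # whitespace starts a new attribute
    "tag":      [{" "}],                 # between attributes, same need as unquoted
    "script":   [set()],                 # straight into JS code: nothing extra needed
    "js_dq":    [{'"'}, {"<", ">"}],     # close the string, or the whole script block
    "js_sq":    [{"'"}, {"<", ">"}],
}


def context_at(body, idx):
    """Classify the context at offset idx with a small HTML/JS state machine."""
    state, after_eq, script_open = "text", False, False
    i = 0
    while i < idx:
        c = body[i]
        ahead = body[i:i + 8].lower()
        if state == "text":
            if c == "<":
                state, after_eq = "tag", False
                script_open = ahead.startswith("<script")
        elif state in ("script", "js_dq", "js_sq"):
            if ahead == "</script":          # the HTML parser ends JS here, string or not
                state, script_open = "tag", False
            elif state != "script" and c == "\\":
                i += 1                       # skip the escaped character inside a JS string
            elif state == "script" and c == '"':
                state = "js_dq"
            elif state == "script" and c == "'":
                state = "js_sq"
            elif state == "js_dq" and c == '"':
                state = "script"
            elif state == "js_sq" and c == "'":
                state = "script"
        elif state == "tag":
            if c == "=":
                after_eq = True
            elif c in " \t\r\n":
                pass
            elif c == ">":
                state = "script" if script_open else "text"
            elif after_eq and c == '"':
                state, after_eq = "attr_dq", False
            elif after_eq and c == "'":
                state, after_eq = "attr_sq", False
            elif after_eq:
                state, after_eq = "attr_unq", False
        elif state == "attr_dq":
            if c == '"':
                state = "tag"
        elif state == "attr_sq":
            if c == "'":
                state = "tag"
        elif state == "attr_unq":
            if c in " \t\r\n":
                state = "tag"
            elif c == ">":
                state = "script" if script_open else "text"
        i += 1
    return state


def reflections(body):
    """Return (context, reflected_chars) for every MARK_A ... MARK_B pair in the body."""
    found, start = [], 0
    while True:
        a = body.find(MARK_A, start)
        if a < 0:
            break
        seg_start = a + len(MARK_A)
        b = body.find(MARK_B, seg_start)
        if b < 0:
            break
        segment = body[seg_start:b]          # encoded forms (&lt; &quot; &#39;) never match
        reflected = {ch for ch in PROBE_CHARS if ch in segment}
        found.append((context_at(body, a), reflected))
        start = b + len(MARK_B)
    return found


def exploitable(context, reflected):
    """True if the reflected characters satisfy at least one alternative for the context."""
    return any(alt <= reflected for alt in REQUIREMENTS.get(context, []))


def assess(body):
    """One (context, reflected, exploitable) verdict per reflection."""
    return [(ctx, ref, exploitable(ctx, ref)) for ctx, ref in reflections(body)]


# Constructed responses to the probe  wvsA<>"' wvsB  (one reflection each).
SAMPLES = {
    "text_encoded":   '<p>Results for wvsA&lt;&gt;&quot;&#39; wvsB</p>',
    "attr_no_quote":  '<input name="q" value="wvsA<>&quot;\' wvsB">',   # <> reflected but useless
    "attr_quote":     '<input name="q" value="wvsA<>"\' wvsB">',
    "js_wrong_quote": '<script>var q = "wvsA&lt;&gt;&quot;\' wvsB";</script>',
    "js_close_block": '<script>var q = "wvsA<>&quot;&#39; wvsB";</script>',
}


def assess_samples():
    return {name: assess(body)[0] for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ctx, ref, ok) in assess_samples().items():
        print(f"{name:15} context={ctx:8} reflected={''.join(sorted(ref))!r:8} exploitable={ok}")
```

The second and fourth samples are the kind of result that inflates a character-only report: `<` and `>` reflected inside a double-quoted attribute, or a single quote reflected inside a double-quoted JavaScript string, look promising but do not break out of their context. Treat the verdict as a prioritization aid rather than proof; it says nothing about CSP, URL-valued attributes or browser-specific parsing.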
The XSS feature can be very useful as a complementary tool (similar to using Watcher and x5s), but not as the main tool, due to the large number of false positives. On the other hand, the SQL injection feature is amazing (0 false positives, and good detection rates in cases where error messages and exceptions are not presented) and should be used whenever possible, preferably with an external crawler or while crawling manually.
There is, however, a scoping problem that should be addressed: every request to every server that passes through the proxy is scanned (there is no feature for defining domain restrictions), so the proxy may attack external web sites, for example when the browser performs safe-browsing lookups or plugin update checks. The tool should therefore be used with care. When Burp is used as the external spider, the tester can configure it to send only requests for specific domains to the outgoing proxy, which mitigates this problem.
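The scoping decision is worth making mechanically rather than by habit. The following Python example is added here and is not ProxyStrike or Burp code: it shows the check an external spider or a small pre-filter has to make before handing a request to an attacking proxy, namely parsing the URL and matching host and port exactly. The scope table and the captured URLs are constructed. It also keeps the substring test many people start with, to show which requests that test would leak to the attack proxy: a plugin-update or safe-browsing lookup that merely mentions the target in its query string, and an attacker-registered host such as localhost.example.net.

```python
"""Host-scoped routing in front of an attack proxy (added example, not ProxyStrike
or Burp code; the scope table and captured URLs below are constructed)."""
from urllib.parse import urlsplit

# Constructed scope for a local WAVSEP instance: (hostname, port) pairs.
SCOPE = {("localhost", 8080), ("127.0.0.1", 8080)}


def in_scope(url, scope=SCOPE):
    """True only when the parsed host and port match a scope entry exactly."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        port = parts.port
    except ValueError:               # non-numeric port in a malformed URL
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.hostname.lower(), port) in scope


def naive_in_scope(url, needle="localhost"):
    """The substring test people reach for first; kept only for contrast."""
    return needle in url


def route(urls, scope=SCOPE):
    """Split captured requests: in-scope ones go to the attack proxy, the rest bypass it."""
    attack, passthrough = [], []
    for url in urls:
        (attack if in_scope(url, scope) else passthrough).append(url)
    return attack, passthrough


# Constructed traffic mix, as a browser produces it while a tester crawls WAVSEP.
CAPTURED = [
    "http://localhost:8080/wavsep/index-xss.jsp",
    "http://localhost:8080/wavsep/SInjection-FalsePositives-GET/index.jsp",
    "https://updates.example.net/plugin/check?host=localhost",                  # plugin update check
    "https://safebrowsing.example.com/v1/lookup?url=http://localhost:8080/",    # safe-browsing lookup
    "http://localhost.example.net:8080/",                                       # attacker-registered host
]


def naive_leaks():
    """URLs the substring check would hand to the attack proxy but the strict check keeps out."""
    return [u for u in CAPTURED if naive_in_scope(u) and not in_scope(u)]


if __name__ == "__main__":
    attack, passthrough = route(CAPTURED)
    print("to attack proxy:", *attack, sep="\n  ")
    print("pass through:", *passthrough, sep="\n  ")
    print("leaked by substring check:", *naive_leaks(), sep="\n  ")
```

Matching on the parsed hostname rather than on the raw URL string is the whole point: the three leaked URLs all contain the text "localhost" but none of them is the target, and the last one is a host an attacker can register. Whether a port mismatch should also exclude a request is a policy choice; the scope table above keeps it strict.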

The WIVET Score of the Scanner:
Score: 39.0%

WIVET Scan Log:
I initialized WIVET's session, fixed the spider threads to 2, defined Fiddler as an upstream proxy, used Fiddler's filter features to define a valid session identifier, and finally edited menu.php in WIVET to exclude the logout URL (100.php).
In addition, I also defined the valid session identifier within ProxyStrike.
I used the crawler on both the menu.php and the index.php pages, and crawled while the XSS plugin was enabled.
I verified the results twice, and they came out the same.

Copyright © 2010-2016 by Shay Chen. All rights reserved.