Scanner | Version | Vendor |
Grendel Scan | 1.0 | David Byrne |
Tested Against WAVSEP Version: |
Detection Accuracy (SQL Injection) |
42.65% Detection Rate (58/136) | 50.00% False Positives (5/10) |
Response Type | Input Vector | Detection Rate | Details |
Erroneous 500 Responses | HTTP GET (Query String Parameters) | 15 out of 20 | Cases Detected: 1(1st&2nd)-14; Cases Missed: 15-19 (detected as errors) |
Erroneous 500 Responses | HTTP POST (Body Parameters) | 14 out of 20 | Cases Detected: 1(1st&2nd)-5,7-14; Cases Missed: 6,15-19 (detected as errors) |
Erroneous 200 Responses | HTTP GET (Query String Parameters) | 15 out of 20 | Cases Detected: 1(1st&2nd)-14; Cases Missed: 15-19 (detected as errors) |
Erroneous 200 Responses | HTTP POST (Body Parameters) | 14 out of 20 | Cases Detected: 1(1st&2nd)-5,7-14; Cases Missed: 6,15-19 (detected as errors) |
Valid 200 Responses | HTTP GET (Query String Parameters) | 0 out of 20 | Cases Missed: 1-19 |
Valid 200 Responses | HTTP POST (Body Parameters) | 0 out of 20 | Cases Missed: 1-19 |
Identical 200 Responses | HTTP GET (Query String Parameters) | 0 out of 8 | Cases Missed: 1-8 |
Identical 200 Responses | HTTP POST (Body Parameters) | 0 out of 8 | Cases Missed: 1-8 |
False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 5 out of 10 | Cases Falsely Flagged: 2,4,6,7,8 |
Detection Accuracy (Reflected XSS) |
12.12% Detection Rate (8/66) | 0.00% False Positives (0/7) |
Response Type | Input Vector | Detection Rate | Details |
Reflected XSS | HTTP GET (Query String Parameters) | 8 out of 33 | Cases Detected: 1-5,30(1st&2nd),32; Cases Missed: 6-29,31 |
Reflected XSS | HTTP POST (Body Parameters) | 0 out of 33 | Cases Missed: 1-32 |
False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 0 out of 7 | None |
The test was executed with the following configuration:
In the test module selection I enabled both the GET and POST checkboxes in the Spider Form Baseline configuration, checked almost all the other features (except the spider URL regex and the search engine recon), and went over and configured each one (GET and POST enabled). I enabled all the Information Disclosure plugins, CRLF Injection, Directory Traversal, Generic Fuzzing and all XSS & SQLi plugins. I set the XSS testing aggression to High in the "XSS - query" and the "ErrorXSS" plugins, and I enabled the "SQL Tautologies" optional plugin. I defined burp-proxy as an outgoing proxy to make sure that the tool was working properly.

The following URLs were scanned:
http://localhost:8080/wavsep/index-xss.jsp
http://localhost:8080/wavsep/index-sql.jsp
http://localhost:8080/wavsep/index-false.jsp

The tool successfully crawled all URLs, and even submitted values in POST parameters (something that came as a surprise to me, since previous checks I performed showed that POST parameters were ignored by this tool). The initial scan discovered SQL injection vulnerabilities but did not locate any XSS vulnerabilities, so I performed another scan in which the fuzzing and SQL injection plugins were disabled; that still didn't solve the problem, so I disabled all plugins except the XSS and spider plugins (and defined the XSS plugins with Medium aggression levels), and finally obtained the relevant missing results.
Detection Accuracy (WIVET) |
14.0% Detection Rate |
I defined both index.php and menu.php as the initial entry points, enabled the URL-Regex, Form-baseline and HTML tag requester spider plugins (and enabled every sub-feature that they had), and in addition enabled the directory listing, robots.txt and XSS plugins.
I initialized WIVET's session, defined fiddler as an upstream proxy and used its filter features to define a valid session identifier. Since I had already removed the logout page (100.php) from the menu page, I did not need to exclude any URLs.