| Scanner | Version | Vendor |
| --- | --- | --- |
| JSky Free Edition | 1.0.0 | NoSec |

Tested Against WAVSEP Version:
1.0

The SQL Injection Detection Accuracy of the Scanner:
Detection Rate: 38.24% (52/136)
False Positives: 20.00% (2/10)
| Response Type | Input Vector | Detection Rate | Details |
| --- | --- | --- | --- |
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Cases Detected: 1(1st&2nd)-19 |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 0 out of 20 | POST values are not covered by this tool |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Cases Detected: 1(1st&2nd)-19 |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 0 out of 20 | POST values are not covered by this tool |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 9 out of 20 | Cases Detected: 6-8,11-13,16-18 Cases Missed: 1-5,9,10,14,15,19 |
| Valid 200 Responses | HTTP POST (Body Parameters) | 0 out of 20 | POST values are not covered by this tool |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 3 out of 8 | Cases Detected: 1-3 Cases Missed: 5-8 |
| Identical 200 Responses | HTTP POST (Body Parameters) | 0 out of 8 | POST values are not covered by this tool |
| False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 2 out of 10 | 7,8 |

The Reflected XSS Detection Accuracy of the Scanner:
Detection Rate: 12.12% (8/66)
False Positives: 42.86% (3/7)
| Response Type | Input Vector | Detection Rate | Details |
| --- | --- | --- | --- |
| Reflected XSS | HTTP GET (Query String Parameters) | 8 out of 33 | Cases Detected: 1-5, 30(1st&2nd),32 Cases Missed: 6-29,31 |
| Reflected XSS | HTTP POST (Body Parameters) | 0 out of 33 | POST values are not covered by this tool |
| False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 3 out of 7 | 1,2,6 |

WAVSEP Scan Log:
I enabled all the XSS, SQLi and LFI/RFI plugins, marked the "URLs are case sensitive" checkbox in the scan wizard and did not configure exclusions (the entire site is public).
The scan was executed in front of the following URLs:
http://192.168.1.100:8080/wavsep/index-xss.jsp
http://192.168.1.100:8080/wavsep/index-sql.jsp
http://192.168.1.100:8080/wavsep/index-false.jsp
The tool managed to crawl all the URLs, detected vulnerabilities in GET parameters, but did not detect vulnerabilities in POST parameters.


Copyright © 2010-2016 by Shay Chen. All rights reserved.