Scanner | Version | Vendor |
ZAP | 2.2.2 | OWASP |
Tested Against WAVSEP Version: |
SQL Injection Detection Accuracy | 100.00% Detection Rate (136/136) | 30.00% False Positives (3/10) |
Response Type | Input Vector | Detection Rate | Details |
Erroneous 500 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1(1st&2nd)-19 |
Erroneous 500 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1(1st&2nd)-19 |
Erroneous 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1(1st&2nd)-19 Experimental-GET: 1 (1st & 2nd) |
Erroneous 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1(1st&2nd)-19 Experimental-POST: 1 (1st & 2nd) |
Valid 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected (MySQL plugin - beta): 1(1st&2nd)-19 Detected (Generic SQL plugin): 1(1st&2nd),2,3,5-8,10-13,15-18 (Previously Detected: 1(1st),3,6-8,11-13,15-18) |
Valid 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected (MySQL plugin - beta): 1(1st&2nd)-19 Detected (Generic SQL plugin): 1(1st&2nd),2,3,5-8,10-13,15-18 (Previously Detected: 3,6-8,11-13,15-18) |
Identical 200 Responses | HTTP GET (Query String Parameters) | 8 out of 8 | Detected (MySQL plugin - beta): 1-8 Detected (Generic SQL plugin): 1,2,3 |
Identical 200 Responses | HTTP POST (Body Parameters) | 8 out of 8 | Detected (MySQL plugin - beta): 1-8 Detected (Generic SQL plugin): 1,2,3 |
False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 3 out of 10 | 2,4,6 (Previously 2,4,6,7,8) |
Reflected XSS Detection Accuracy | 100.00% Detection Rate (66/66) | 0.00% False Positives (0/7) |
Response Type | Input Vector | Detection Rate | Details |
Reflected XSS | HTTP GET (Query String Parameters) | 33 out of 33 | Detected: 1-30(1st&2nd),31,32 Missed: None (Except Experimental) |
Reflected XSS | HTTP POST (Body Parameters) | 33 out of 33 | Detected: 1-30(1st&2nd),31,32 Missed: None (Except Experimental) |
False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 0 out of 7 | None |
Path Traversal / LFI Detection Accuracy | 75.00% Detection Rate (612/816) | 0.00% False Positives (0/8) |
Response Type | Input Vector | Detection Rate | Details |
Erroneous 500 Responses | HTTP GET (Query String Parameters) | 51 out of 68 | Detected (VERY INCONSISTENT DETECTION): 1,5,7,11-38,42-46,49-51,53,54,57-62,65-68 (Previously Detected (50): 1,3,5,7,9-26,31,32,34,35,37,39,41-46,49-53,55,57-62,65-68) |
Erroneous 500 Responses | HTTP POST (Body Parameters) | 41 out of 68 | Detected (VERY INCONSISTENT DETECTION): 1,3,9,10,13,27,28,35-68 (Previously Detected (7): 10,12,14,16,18,20,24) |
Erroneous 200 Responses | HTTP GET (Query String Parameters) | 64 out of 68 | Detected: 1,3,5,7,9-68 (Previously Detected (50): 1,3,5,7,9-26,31,32,34,35,37,39,41-46,49-53,55,57-62,65-68) |
Erroneous 200 Responses | HTTP POST (Body Parameters) | 64 out of 68 | Detected: 1,3,5,7,9-68 (Previously Detected (7): 10,12,14,16,18,20,24) |
Valid 200 Responses | HTTP GET (Query String Parameters) | 44 out of 68 | Detected: 1,3,5,7,9-27,37-46,53-62 (Previously Detected (50): 1,3,5,7,9-26,31,32,34,35,37,39,41-46,49-53,55,57-62,65-68) |
Valid 200 Responses | HTTP POST (Body Parameters) | 44 out of 68 | Detected: 1,3,5,7,9-27,37-46,53-62 (Previously Detected (7): 10,12,14,16,18,20,24) |
Identical 200 Responses | HTTP GET (Query String Parameters) | 44 out of 68 | Detected: 1,3,5,7,9-27,37-46,53-62 (Previously Detected (50): 1,3,5,7,9-26,31,32,34,35,37,39,41-46,49-53,55,57-62,65-68) |
Identical 200 Responses | HTTP POST (Body Parameters) | 44 out of 68 | Detected: 1,3,5,7,9-27,37-46,53-62 (Previously Detected (7): 10,12,14,16,18,20,24) |
Redirect (302) Responses | HTTP GET (Query String Parameters) | 44 out of 68 | Detected (INCONSISTENT DETECTION): 1,3,5,7,9-27,37-46,53-62 (Previously Detected (50): 1,3,5,7,9-26,31,32,34,35,37,39,41-46,49-53,55,57-62,65-68) |
Redirect (302) Responses | HTTP POST (Body Parameters) | 44 out of 68 | Detected (INCONSISTENT DETECTION): 1,3,5,7,9-27,37-46,53-62 (Previously Detected (7): 10,12,14,16,18,20,24) |
Erroneous 404 Responses | HTTP GET (Query String Parameters) | 64 out of 68 | Detected (VERY INCONSISTENT DETECTION): 1,3,5,7,9-68 (Previously Detected (50): 1,3,5,7,9-26,31,32,34,35,37,39,41-46,49-53,55,57-62,65-68) |
Erroneous 404 Responses | HTTP POST (Body Parameters) | 64 out of 68 | Detected: 1,3,5,7,9-68 (Previously Detected (7): 10,12,14,16,18,20,24) |
False Positive Lfi Test Cases | HTTP GET (Query String Parameters) | 0 out of 8 | None |
RFI Detection Accuracy | 100.00% Detection Rate (108/108) | 16.67% False Positives (1/6) |
Response Type | Input Vector | Detection Rate | Details |
Erroneous 500 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
Erroneous 500 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
Erroneous 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
Erroneous 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
Valid 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
Valid 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
Identical 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
Identical 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
Redirect (302) Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
Redirect (302) Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
Erroneous 404 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
Erroneous 404 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
False Positive Rfi Test Cases | HTTP GET (Query String Parameters) | 1 out of 6 | Case 2 (Unvalidated Redirect Classified as RFI) |
I initially used the default plugins to scan the various directories, and then added optional plugins from the marketplace (both beta and alpha), and even external plugins (the good-old-files project) that add additional security checks to the platform, and rescanned the directories that didn't get 100%.

Specifically, I used the SQL Injection plugin (and later on all the optional beta and alpha SQL Injection plugins, not including the SQLMap engine plugin) to scan the relevant SQLi test cases, and the good-old-files extension (https://github.com/hacktics/good-old-files) to scan for potential backup files. In most cases I used a single thread (especially for the database test cases, where multiple threads may affect the result due to the sheer number of vulnerabilities).

The following plugins were used to scan each category:

- SQL Injection: SQL Injection (GA plugin), SQL Injection beta/alpha plugins (MySQL / PostgreSQL / Oracle / Hypersonic)
- XSS: Cross Site Scripting (Reflected), Script Active Scan Rules, Script Passive Scan Rules, User controllable HTML element attribute, User controllable JavaScript event
- Path Traversal/LFI: Path Traversal, Directory Browsing (*results were inconsistent for some directories)
- Unvalidated Redirect: URL Redirector Abuse, External Redirect, Open Redirect passive plugin
- Backup Files: good-old-files (external ZAP extension)
- WIVET: Spider root / Spider subtree / Ajax spider (initially on Windows with Firefox 25.0.1)
- RFI: Remote File Include plugin

Most of the scans went pretty smoothly, although in some rare cases (LFI and WIVET) the spider / Ajax spider did not function properly (bugs reported), and the detection results were very inconsistent for LFI directories with responses other than HTTP 200. After having some issues with the RFI plugin and WIVET scans (the Ajax crawler got stuck on Firefox 25.0.1, apparently a bug that only occurs under Windows), I reported the bugs to ZAP's developers. They quickly released a fix in the form of plugin updates, and I updated the Ajax Crawler and active scan rules and rescanned the RFI test cases and WIVET with the Ajax spider. To get similar results for RFI/WIVET with ZAP 2.2.2 it is necessary to update these plugins through the marketplace (Manage Add-ons) feature in ZAP. |
WIVET Detection Accuracy | 73.0% Detection Rate |
The Ajax Crawler gets up to 73% when the optional "crawl in depth" feature is enabled in the Ajax Crawler configuration (Tools->Options->Ajax Crawler).
I managed to get up to 33% while using the Ajax crawler from a Windows 7 station when this optional feature was not enabled. The "regular" spider gets 10% when crawling the whole site, and 12% when re-crawling the subtree ("spider subtree" option). I initialized WIVET's session, limited the spider to a single thread and the depth to the maximum, set the upstream proxy to Fiddler, in which I used the filter features to define a valid session identifier, and finally edited menu.php in WIVET to exclude the logout URL (100.php). I initially wasn't able to reproduce the score the ZAP development team got using the AJAX spider feature; for some reason my Firefox 25.0.1 (Windows) didn't function too well with that feature of ZAP, and the Ajax crawler got stuck on page 2. I notified the developers of the bug, and they issued a fix in the form of an Ajax Crawler plugin update (the bug was specific to Windows), which I applied. It is necessary to update the Ajax Crawler plugin with ZAP 2.2.2 to achieve a similar result. I verified the results twice, and they came out the same. |