Tested Against WAVSEP Version:

The Reflected XSS Detection Accuracy of the Scanner:
Detection AccuracyChart
12.12% Detection Rate
42.86% False Positives
Response TypeInput VectorDetection RateDetails
Reflected XSSHTTP GET (Query String Parameters)8 out of 33Cases Detected: 1-5,30(1st&2nd),32 Cases Missed: 6-29,31
Reflected XSSHTTP POST (Body Parameters)0 out of 33Cases Missed: 1-32
False Positive RXSS Test CasesHTTP GET (Query String Parameters)3 out of 71,2,6

WAVSEP Scan Log:
I used the spider feature of WebScarab to crawl the various application pages, accessed the XSS/CRLF tab, marked all the URLS (CTRL+A) and pressed the ?check? button, so the tool will try and confirm vulnerabilities.
Only URLs with GET parameters were suspected as being vulnerable (I verified that the behavior persists with one additional version of WebScarab - 20090427).

Copyright © 2010-2016 by Shay Chen. All rights reserved.
Click here to learn how this information may be published or reused.