| Scanner | Version | Vendor |
|---|---|---|
| Wapiti | 2.3.0 | OWASP |

Tested Against WAVSEP Version:
| Detection Accuracy | Result |
|---|---|
| Detection Rate | 100.00% (136/136) |
| False Positives | 20.00% (2/10) |

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Cases Detected: 1(1st&2nd)-19 |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Cases Detected: 1(1st&2nd)-19 |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Cases Detected: 1(1st&2nd)-19; GET-Experimental: 1 |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Cases Detected: 1(1st&2nd)-19; POST-Experimental: 1 |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Cases Detected: 1(1st&2nd)-19 |
| Valid 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Cases Detected: 1(1st&2nd)-19 |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 8 out of 8 | Cases Detected: 1-8 |
| Identical 200 Responses | HTTP POST (Body Parameters) | 8 out of 8 | Cases Detected: 1-8 |
| False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 2 out of 10 | Detected: 7, 8 (Previously Detected: 1, 2, 6, 7, 8) |
| Detection Accuracy | Result |
|---|---|
| Detection Rate | 66.67% (44/66) |
| False Positives | 42.86% (3/7) |

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Reflected XSS | HTTP GET (Query String Parameters) | 22 out of 33 | Detected: 1-5, 16-30(1st&2nd), 32; GET-Experimental: 1, 3 (Previously Detected: 1, 3, 5, 30(1st&2nd)) |
| Reflected XSS | HTTP POST (Body Parameters) | 22 out of 33 | Detected: 1-5, 16-30(1st&2nd), 32; POST-Experimental: 1, 3 (Previously Detected: 1, 3, 5, 30(1st&2nd), 32) |
| False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 3 out of 7 | Detected: 1, 2, 6 |
| Detection Accuracy | Result |
|---|---|
| Detection Rate | 51.47% (420/816) |
| False Positives | 12.50% (1/8) |

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 39 out of 68 | Detected: 1-7, 9-24, 37-44, 53-60 (Previously Documented: 1-68; this time the classification was improved: lfi, consumption, errors) |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 39 out of 68 | Detected: 1-7, 9-24, 37-44, 53-60 (Previously Documented: 1-68; this time the classification was improved: lfi, consumption, errors) |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 39 out of 68 | Detected: 1-7, 9-24, 37-44, 53-60 (Previously Detected: 1, 3, 5, 7, 9-24, 37-44, 53-60) |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 39 out of 68 | Detected: 1-7, 9-24, 37-44, 53-60 (Previously Detected: 1, 3, 5, 7, 9-24, 37-44, 53-60) |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 33 out of 68 | Detected: 1-7, 9-24, 37, 38, 40, 42, 44, 53, 54, 56, 58, 60 (Previously Detected: 1, 3, 5, 7, 9-24, 37, 38, 40, 42, 44, 53, 54, 56, 58, 60) |
| Valid 200 Responses | HTTP POST (Body Parameters) | 33 out of 68 | Detected: 1-7, 9-24, 37, 38, 40, 42, 44, 53, 54, 56, 58, 60 (Previously Detected: 1, 3, 5, 7, 9-24, 37, 38, 40, 42, 44, 53, 54, 56, 58, 60) |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 33 out of 68 | Detected: 1-7, 9-24, 37, 38, 40, 42, 44, 53, 54, 56, 58, 60 (Previously Detected: 1, 3, 5, 7, 9-24, 37, 38, 40, 42, 44, 53, 54, 56, 58, 60) |
| Identical 200 Responses | HTTP POST (Body Parameters) | 33 out of 68 | Detected: 1-7, 9-24, 37, 38, 40, 42, 44, 53, 54, 56, 58, 60 (Previously Detected: 1, 3, 5, 7, 9-24, 37, 38, 40, 42, 44, 53, 54, 56, 58, 60) |
| Redirect (302) Responses | HTTP GET (Query String Parameters) | 33 out of 68 | Detected: 1-7, 9-24, 37, 38, 40, 42, 44, 53, 54, 56, 58, 60 (Previously Detected: 1, 3, 5, 7, 9-24, 37, 38, 40, 42, 44, 53, 54, 56, 58, 60) |
| Redirect (302) Responses | HTTP POST (Body Parameters) | 33 out of 68 | Detected: 1-7, 9-24, 37, 38, 40, 42, 44, 53, 54, 56, 58, 60 (Previously Detected: 1, 3, 5, 7, 9-24, 37, 38, 40, 42, 44, 53, 54, 56, 58, 60) |
| Erroneous 404 Responses | HTTP GET (Query String Parameters) | 33 out of 68 | Detected: 1-7, 9-24, 37, 38, 40, 42, 44, 53, 54, 56, 58, 60 (Previously Detected: 1, 3, 5, 7, 9-24, 37, 38, 40, 42, 44, 53, 54, 56, 58, 60) |
| Erroneous 404 Responses | HTTP POST (Body Parameters) | 33 out of 68 | Detected: 1-7, 9-24, 37, 38, 40, 42, 44, 53, 54, 56, 58, 60 (Previously Detected: 1, 3, 5, 7, 9-24, 37, 38, 40, 42, 44, 53, 54, 56, 58, 60) |
| False Positive LFI Test Cases | HTTP GET (Query String Parameters) | 1 out of 8 | Detected: 7 |
| Detection Accuracy | Result |
|---|---|
| Detection Rate | 57.41% (62/108) |
| False Positives | 0.00% (0/6) |

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 (8, 9 as Java include; 5-7 as errors caused by the injected payload) (Previously Detected: 1-9) |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 (8, 9 as Java include; 5-7 as errors caused by the injected payload) (Previously Detected: 1-9) |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 6 out of 9 | Detected: 1-4, 8, 9 (8, 9 as Java include) (Previously Detected: 1-4, 8, 9) |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 6 out of 9 | Detected: 1-4, 8, 9 (8, 9 as Java include) (Previously Detected: 1-4, 8, 9) |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 4 out of 9 | Detected: 1-4 (Identical to previous results) |
| Valid 200 Responses | HTTP POST (Body Parameters) | 4 out of 9 | Detected: 1-4 (Identical to previous results) |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 4 out of 9 | Detected: 1-4 (Identical to previous results) |
| Identical 200 Responses | HTTP POST (Body Parameters) | 4 out of 9 | Detected: 1-4 (Identical to previous results) |
| Redirect (302) Responses | HTTP GET (Query String Parameters) | 4 out of 9 | Detected: 1-4 (Identical to previous results) |
| Redirect (302) Responses | HTTP POST (Body Parameters) | 4 out of 9 | Detected: 1-4 (Identical to previous results) |
| Erroneous 404 Responses | HTTP GET (Query String Parameters) | 4 out of 9 | Detected: 1-4 (Identical to previous results) |
| Erroneous 404 Responses | HTTP POST (Body Parameters) | 4 out of 9 | Detected: 1-4 (Identical to previous results) |
| False Positive RFI Test Cases | HTTP GET (Query String Parameters) | 0 out of 6 | None (Case 7 detected as LFI, but that is accurate) |
I executed the scan multiple times, each time using a policy that included only the relevant plugin (-all,[plugin-name]).

Eventually, I used nearly all the plugin names, which can be mapped using the following SVN link (ignore the extensions and the mod_ prefixes): http://sourceforge.net/p/wapiti/code/HEAD/tree/trunk/wapitiCore/attack/

Command Line Example:

```sh
wapiti http://192.168.56.101:9090/wavsep/active/index-xss.jsp --start "http://192.168.56.101:9090/wavsep/active/index-xss.jsp" --scope "domain" --module "-all,xss" --color --verbose 2 --format "html" --output "result-xss-full"
```
| Detection Accuracy | Result |
|---|---|
| Detection Rate | 44.0% (Previously Detected: 10.00%) |
I defined Burp to redirect requests to WIVET, and defined a valid cookie using Burp's match-and-replace feature. I then used Wapiti with a minimal set of audit plugins (xss) to scan Burp as if it were WIVET. I used the following command line options:

```sh
wapiti http://localhost:9999/wivet/index.php --start "http://localhost:9999/wivet/index.php" --scope "domain" --module "-all,xss" --color --verbose 2 --format "html" --output "result-wivet"
```