| Scanner | Version | Build | Vendor |
|---|---|---|---|
| crawlfish | 0.92 | 2 | ericfish |

Tested Against WAVSEP Version:

Detection Accuracy

| Detection Rate | False Positives |
|---|---|
| 13.64% (9/66) | 28.57% (2/7) |

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Reflected XSS | HTTP GET (Query String Parameters) | 9 out of 33 | Cases Detected: 1-5, 30 (1st & 2nd), 31, 32. Cases Missed: 6-29 |
| Reflected XSS | HTTP POST (Body Parameters) | 0 out of 33 | Cases Missed: 1-32 |
| False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 2 out of 7 | 1, 6 |
I disabled the "restrict to folder" checkbox (the crawling process only seemed to succeed with this feature disabled), increased the max crawl cap to 100, and scanned the following URLs:

http://192.168.110.1:8080/wavsep/index-xss.jsp
http://192.168.110.1:8080/wavsep/index-false.jsp

Even though the scanner always crashed at the end of the scan, I was still able to see the scan results with the error window in the background. The tool successfully crawled all URLs, but did not detect any POST vulnerabilities (probably because it didn't submit any forms).