ScannerVersionVendor
PowerFuzzer1.0Marcin Kozlowski

Tested Against WAVSEP Version:
1.0

The SQL Injection Detection Accuracy of the Scanner:
Detection AccuracyChart
51.47% Detection Rate
40.00% False Positives		(70/136)
(4/10)
Response TypeInput VectorDetection RateDetails
Errorneous 500 ResponsesHTTP GET (Query String Parameters)20 out of 20Cases Detected: 1(1st&2nd)-19
Errorneous 500 ResponsesHTTP POST (Body Parameters)20 out of 20Cases Detected: 1(1st&2nd)-19
Errorneous 200 ResponsesHTTP GET (Query String Parameters)15 out of 20Cases Detected: 1(1st&2nd)-14 Cases Missed: 15-19
Errorneous 200 ResponsesHTTP POST (Body Parameters)15 out of 20Cases Detected: 1(1st&2nd)-14 Cases Missed: 15-19
Valid 200 ResponsesHTTP GET (Query String Parameters)0 out of 20Cases Missed: 1-19
Valid 200 ResponsesHTTP POST (Body Parameters)0 out of 20Cases Missed: 1-19
Identical 200 ResponsesHTTP GET (Query String Parameters)0 out of 8Cases Missed: 1-8
Identical 200 ResponsesHTTP POST (Body Parameters)0 out of 8Cases Missed: 1-8
False Positive SQLi Test CasesHTTP GET (Query String Parameters)4 out of 101,2,6,8
The Reflected XSS Detection Accuracy of the Scanner:
Detection AccuracyChart
24.24% Detection Rate
42.86% False Positives		(16/66)
(3/7)
Response TypeInput VectorDetection RateDetails
Reflected XSSHTTP GET (Query String Parameters)8 out of 33Cases Detected: 1-5,30(1st&2nd),32 Cases Missed: 6-29,31
Reflected XSSHTTP POST (Body Parameters)8 out of 33Cases Detected: 1-5,30(1st&2nd),32 Cases Missed: 6-29,31
False Positive RXSS Test CasesHTTP GET (Query String Parameters)3 out of 71,2,6
WAVSEP Scan Log:
The tool didn?t manage to crawl the xss/false/sql index URLs, so I solved the problem by copying the content from each one of them into the index.jsp file, and executed the scan in front of the root directory:
http://192.168.46.2:8080/wavsep


Copyright © 2010-2016 by Shay Chen. All rights reserved.
Click here to learn how this information may be published or reused.