| Scanner | Version | Vendor |
| --- | --- | --- |
| Web Injection Scanner (WIS) | 0.4 | netXeyes |

Tested Against WAVSEP Version:
1.0

The SQL Injection Detection Accuracy of the Scanner:
0.00% Detection Rate (0/136)
0.00% False Positives (0/10)
| Response Type | Input Vector | Detection Rate | Details |
| --- | --- | --- | --- |
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 0 out of 20 | Execution Failed. |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 0 out of 20 | Execution Failed. |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 0 out of 20 | Execution Failed. |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 0 out of 20 | Execution Failed. |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 0 out of 20 | Execution Failed. |
| Valid 200 Responses | HTTP POST (Body Parameters) | 0 out of 20 | Execution Failed. |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 0 out of 8 | Execution Failed. |
| Identical 200 Responses | HTTP POST (Body Parameters) | 0 out of 8 | Execution Failed. |
| False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 0 out of 10 | Execution Failed. |

WAVSEP Scan Log:
When I attempted to use this tool against a vulnerable .NET application, I only managed to cause it to crawl using the following command on a full URL (no vulnerabilities were identified):
wis http://192.168.52.129/aspx/login.aspx
In the current benchmark the tool seemed to work, but failed to crawl the application or locate any exposures. I tried a couple more options, but still got the same results. Among the options attempted:
wis http://192.168.46.2:8080/wavsep/index-sql.jsp
wis http://192.168.46.2:8080/wavsep/index-false.jsp
wis http://192.168.46.2:8080/wavsep/ (after copying the content of index-sql.jsp into index.jsp)
wis http://192.168.46.2:8080/wavsep
wis "http://192.168.46.2:8080/wavsep/"
wis "http://192.168.46.2:8080/wavsep/index-sql.jsp"
wis http://192.168.46.2:8080/wavsep/SInjection-Detection-Evaluation-GET-500Error/Case1-InjectionInLogin-String-LoginBypass-WithErrors.jsp?username=textvalue&password=textvalue2
wis "http://192.168.46.2:8080/wavsep/SInjection-Detection-Evaluation-GET-500Error/Case1-InjectionInLogin-String-LoginBypass-WithErrors.jsp?username=textvalue&password=textvalue2"


Copyright © 2010-2016 by Shay Chen. All rights reserved.