| Scanner | Version | Vendor |
|---|---|---|
| WATOBO | 0.9.19 | Andreas Schmidt |

Tested Against WAVSEP Version:
| SQL Injection Detection Accuracy | |
|---|---|
| Detection Rate | 83.09% (113/136) |
| False Positives | 60.00% (6/10) |
| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 19 out of 20 | Detected: 1 (1st & 2nd), 2-17, 19. Missed: 18 |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 19 out of 20 | Detected: 1 (1st & 2nd), 2-17, 19. Missed: 18 |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 19 out of 20 | Detected: 1 (1st & 2nd), 2-17, 19. Missed: 18 |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 19 out of 20 | Detected: 1 (1st & 2nd), 2-17, 19. Missed: 18 |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 15 out of 20 | Detected (inconsistent): 1 (1st), 3, 5-9, 11, 13-19 (previously detected: 6-8, 11-13, 16-18). The time-based plugin seems to affect consistency; best to run it separately. |
| Valid 200 Responses | HTTP POST (Body Parameters) | 9 out of 20 | Detected (inconsistent): 6, 7, 9, 13, 15-19 (previously detected: 7, 8, 11-13, 18). The time-based plugin seems to affect consistency. |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 7 out of 8 | Detected (inconsistent): 1, 2, 4-8 (previously detected: 1-3). Missed: 3 |
| Identical 200 Responses | HTTP POST (Body Parameters) | 6 out of 8 | Detected (inconsistent): 1, 4-8 (previously detected: 1-3). Missed: 2, 3 |
| False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 6 out of 10 | FP: 1, 5-8, 10 (previously detected: 6-8) |
| Reflected XSS Detection Accuracy | |
|---|---|
| Detection Rate | 75.76% (50/66) |
| False Positives | 100.00% (7/7) |
| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Reflected XSS | HTTP GET (Query String Parameters) | 25 out of 33 | Detected (8 tc: 100%): 1-5, 30 (1st & 2nd), 32. Detected (4 tc: 50%): 6, 27, 28, 29. Detected (13 tc: 25% plugin): 7, 8, 10, 11, 13, 14, 15, 17, 18, 20, 22, 23, 25. Missed: 9, 12, 16, 19, 21, 24, 26, 31. XSS-GET-Experimental: 1, 3, 8, 9, 10, 11 |
| Reflected XSS | HTTP POST (Body Parameters) | 25 out of 33 | Detected (8 tc: 100%): 1-5, 30 (1st & 2nd), 32. Detected (4 tc: 50%): 6, 27, 28, 29. Detected (13 tc: 25% plugin): 7, 8, 10, 11, 13, 14, 15, 17, 18, 20, 22, 23, 25. Missed: 9, 12, 16, 19, 21, 24, 26, 31. XSS-POST-Experimental: 1, 3, 8, 9, 10, 11 |
| False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 7 out of 7 | FP: 1, 2, 5, 6. FP (25% plugin): 3, 4. FP (50% plugin): 7 |
| LFI Detection Accuracy | |
|---|---|
| Detection Rate | 41.18% (336/816) |
| False Positives | 0.00% (0/8) |
| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 28 out of 68 | Detected: 1*, 3, 5*, 7, 9-24, 38*, 40, 42, 44, 54*, 56, 58, 60 (* = listed under boot.ini) |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 28 out of 68 | Detected: 1, 3, 5, 7, 9-24, 38, 40, 42, 44, 54, 56, 58, 60 (all listed under boot.ini) |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 28 out of 68 | Detected: 1*, 3, 5*, 7, 9-24, 38*, 40, 42, 44, 54*, 56, 58, 60 (* = listed under boot.ini) |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 28 out of 68 | Detected: 1, 3, 5, 7, 9-24, 38, 40, 42, 44, 54, 56, 58, 60 (all listed under boot.ini) |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 28 out of 68 | Detected: 1*, 3, 5*, 7, 9-24, 38*, 40, 42, 44, 54*, 56, 58, 60 (* = listed under boot.ini) |
| Valid 200 Responses | HTTP POST (Body Parameters) | 28 out of 68 | Detected: 1, 3, 5, 7, 9-24, 38, 40, 42, 44, 54, 56, 58, 60 (all listed under boot.ini) |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 28 out of 68 | Detected: 1*, 3, 5*, 7, 9-24, 38*, 40, 42, 44, 54*, 56, 58, 60 (* = listed under boot.ini) |
| Identical 200 Responses | HTTP POST (Body Parameters) | 28 out of 68 | Detected: 1, 3, 5, 7, 9-24, 38, 40, 42, 44, 54, 56, 58, 60 (all listed under boot.ini) |
| Redirect (302) Responses | HTTP GET (Query String Parameters) | 28 out of 68 | Detected: 1*, 3, 5*, 7, 9-24, 38*, 40, 42, 44, 54*, 56, 58, 60 (* = listed under boot.ini) |
| Redirect (302) Responses | HTTP POST (Body Parameters) | 28 out of 68 | Detected: 1, 3, 5, 7, 9-24, 38, 40, 42, 44, 54, 56, 58, 60 (all listed under boot.ini) |
| Erroneous 404 Responses | HTTP GET (Query String Parameters) | 28 out of 68 | Detected: 1*, 3, 5*, 7, 9-24, 38*, 40, 42, 44, 54*, 56, 58, 60 (* = listed under boot.ini) |
| Erroneous 404 Responses | HTTP POST (Body Parameters) | 28 out of 68 | Detected: 1, 3, 5, 7, 9-24, 38, 40, 42, 44, 54, 56, 58, 60 (all listed under boot.ini) |
| False Positive LFI Test Cases | HTTP GET (Query String Parameters) | 0 out of 8 | None |
The application was crawled and tested using two different methods: several scans were performed after crawling the main index pages of the various exposures via Burp (while channeling the communication to WATOBO via the proxy chaining feature), and several individual crawling & scanning operations were similarly performed against several selected directories, to verify abnormal results.

In the first scenario, the crawling process was initiated on the following URLs, while activating the XSS, SQL and LFI plugins (separately for each scope):

- http://localhost:8080/wavsep/index-xss.jsp
- http://localhost:8080/wavsep/index-sql.jsp
- http://localhost:8080/wavsep/index-lfi.jsp
- http://localhost:8080/wavsep/index-rfi.jsp
- http://localhost:8080/wavsep/index-false.jsp

In the second scenario, the crawling & scanning processes were performed on each directory individually, while verifying that all the access points in each directory were located. I tried scanning with & without the "smart scan" feature, and used 1-15 max persistent requests. I enabled all the XSS plugins for the XSS scans (NextGen and Simple, as well as passive tests), the DirectoryWalker and FileInclusion plugins for the traversal/LFI tests, the DirectoryWalker, FileExtensions and .net files plugins for the obsolete file tests, and all the SQL plugins for the SQL injection tests (Boolean, Error, Time).

In a few incidents the scanner crashed (I didn't manage to reproduce the issues), but for the most part the scanning process was pretty stable. The proxy mode, however, caused the scanner to crash several times, especially when using Burp to crawl through WATOBO (inconsistent Ruby crash).

Bug report: rescan never works; verifying results requires restarting WATOBO, re-crawling the tested URLs and then scanning (instead of just rescanning).
| WIVET Detection Accuracy | |
|---|---|
| Detection Rate | 1.0% |
Disabled WATOBO's smart scan features (just in case they would cause some requests not to be sent, but I also tried crawling with them), enabled passive checks (in case some would uncover links), initialized WIVET's session, limited the spider to 5 threads and expanded the max depth to 20, defined Fiddler as the upstream proxy (and later on tried Burp as well), in which I used the filter features to define a valid session identifier, and finally, I edited menu.php in WIVET and excluded the logout URL (100.php).

Crawling the root WIVET URL failed, so I tried scanning http://localhost/wivet/index.php and menu.php, and WATOBO managed to crawl some pages (the menu links), but seemed to add them under the wrong path (not under /pages/ - bug?), and that seemed to prevent it from locating any pages linked in the responses.

Eventually, WATOBO did manage to identify some links, although none of the links that count towards the WIVET score, so I assigned it a symbolic score of 1%, to signify that the crawler is working to some extent.