Scanner | Version | Vendor
WSTool  | 0.14001 | Kim Young-il

Tested Against WAVSEP Version:
1.0

The SQL Injection Detection Accuracy of the Scanner:
45.59% Detection Rate (62/136)
40.00% False Positives (4/10)

Response Type                  | Input Vector                       | Detection Rate | Details
Erroneous 500 Responses        | HTTP GET (Query String Parameters) | 20 out of 20   | Cases Detected: 1(1st&2nd)-19
Erroneous 500 Responses        | HTTP POST (Body Parameters)        | 20 out of 20   | Cases Detected: 1(1st&2nd)-19
Erroneous 200 Responses        | HTTP GET (Query String Parameters) | 11 out of 20   | Cases Detected: 5-10,15-19; Cases Missed: 1(1st&2nd)-4,11-14
Erroneous 200 Responses        | HTTP POST (Body Parameters)        | 11 out of 20   | Cases Detected: 5-10,15-19; Cases Missed: 1(1st&2nd)-4,11-14
Valid 200 Responses            | HTTP GET (Query String Parameters) | 0 out of 20    | Cases Missed: 1-19
Valid 200 Responses            | HTTP POST (Body Parameters)        | 0 out of 20    | Cases Missed: 1-19
Identical 200 Responses        | HTTP GET (Query String Parameters) | 0 out of 8     | Cases Missed: 1-8
Identical 200 Responses        | HTTP POST (Body Parameters)        | 0 out of 8     | Cases Missed: 1-8
False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 4 out of 10    | False positives reported: 1,2,6,7

The Reflected XSS Detection Accuracy of the Scanner:
27.27% Detection Rate (18/66)
42.86% False Positives (3/7)

Response Type                  | Input Vector                       | Detection Rate | Details
Reflected XSS                  | HTTP GET (Query String Parameters) | 9 out of 33    | Cases Detected: 1-5,30(1st&2nd),31,32; Cases Missed: 6-29
Reflected XSS                  | HTTP POST (Body Parameters)        | 9 out of 33    | Cases Detected: 1-5,30(1st&2nd),31,32; Cases Missed: 6-29
False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 3 out of 7     | False positives reported: 1,2,6

WAVSEP Scan Log:
I manually configured the ws_init.php (by editing it), enabled almost all the optional features (except "exception URL" and 2XX, 3XX, 4XX errors), increased the check limit to 600, and finally initiated the scan using the following commands:
php ws_main.php 192.168.1.100 8080 GET /wavsep/index-xss.jsp >> reportXSS.html
php ws_main.php 192.168.1.100 8080 GET /wavsep/index-sql.jsp >> reportSQL.html
php ws_main.php 192.168.1.100 8080 GET /wavsep/index-false.jsp >> reportFalse.html
The scanner successfully crawled all URLs.


Copyright © 2010-2016 by Shay Chen. All rights reserved.