Scanner | Version | Vendor |
--- | --- | --- |
arachni | 1.1 | Tasos Laskos |
Tested Against WAVSEP Version: |
SQL Injection (SQLi) Detection Accuracy | (chart not reproduced) |
100.00% Detection Rate (136/136) | 0.00% False Positives (0/10) |
Response Type | Input Vector | Detection Rate | Details |
--- | --- | --- | --- |
Erroneous 500 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19 |
Erroneous 500 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19 |
Erroneous 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19 |
Erroneous 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19 |
Valid 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19 |
Valid 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19 |
Identical 200 Responses | HTTP GET (Query String Parameters) | 8 out of 8 | Detected: 1-8 |
Identical 200 Responses | HTTP POST (Body Parameters) | 8 out of 8 | Detected: 1-8 |
False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 0 out of 10 | None (previously detected 7,8) |
Reflected XSS (RXSS) Detection Accuracy | (chart not reproduced) |
90.91% Detection Rate (60/66) | 0.00% False Positives (0/7) |
Response Type | Input Vector | Detection Rate | Details |
--- | --- | --- | --- |
Reflected XSS | HTTP GET (Query String Parameters) | 30 out of 33 | Detected: 1-24,27,28,30(1st&2nd),31,32; Missed: 25,26,29; GET-Experimental: 1,3,4 (Previously Detected: 1-15,27-30(1st&2nd),31,32) |
Reflected XSS | HTTP POST (Body Parameters) | 30 out of 33 | Detected: 1-24,27,28,30(1st&2nd),31,32; Missed: 25,26,29; POST-Experimental: 1,3,4 (Previously Detected: 1-15,27-30(1st&2nd),31,32) |
False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 0 out of 7 | None |
Local File Inclusion / Path Traversal (LFI) Detection Accuracy | (chart not reproduced) |
100.00% Detection Rate (816/816) | 0.00% False Positives (0/8) |
Response Type | Input Vector | Detection Rate | Details |
--- | --- | --- | --- |
Erroneous 500 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (source code disclosure: 9-36,39-44,46-52,55-68; file inclusion: 1-8,25,26,27,37,38,45,46,53,54,61,62; path traversal: 1-8,38,54) (Original Scan Without SDC Plugin Reported: 1-8,25-27,37,38,45,46,53,54,61,62) |
Erroneous 500 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (source code disclosure: 9-36,39-44,46-52,55-68; file inclusion: 1-8,25,26,27,37,38,45,46,53,54,61,62; path traversal: 1-8,38,54) (Original Scan Without SDC Plugin Reported: 1-8,25-27,37,38,45,46,53,54,61,62) |
Erroneous 200 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (source code disclosure: 9-36,39-44,46-52,55-68; file inclusion: 1-8,25,26,27,37,38,45,46,53,54,61,62; path traversal: 1-8,38,54) (Original Scan Without SDC Plugin Reported: 1-8,25-27,37,38,45,46,53,54,61,62) |
Erroneous 200 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (source code disclosure: 9-36,39-44,46-52,55-68; file inclusion: 1-8,25,26,27,37,38,45,46,53,54,61,62; path traversal: 1-8,38,54) (Original Scan Without SDC Plugin Reported: 1-8,25-27,37,38,45,46,53,54,61,62) |
Valid 200 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (source code disclosure: 9-36,39-44,46-52,55-68; file inclusion: 1-8,25,26,27,37,38,45,46,53,54,61,62; path traversal: 1-8,38,54) (Original Scan Without SDC Plugin Reported: 1-8,25-27,37,38,45,46,53,54,61,62) |
Valid 200 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (source code disclosure: 9-36,39-44,46-52,55-68; file inclusion: 1-8,25,26,27,37,38,45,46,53,54,61,62; path traversal: 1-8,38,54) (Original Scan Without SDC Plugin Reported: 1-8,25-27,37,38,45,46,53,54,61,62) |
Identical 200 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (source code disclosure: 9-36,39-44,46-52,55-68; file inclusion: 1-8,25,26,27,37,38,45,46,53,54,61,62; path traversal: 1-8,38,54) (Original Scan Without SDC Plugin Reported: 1-8,25-27,37,38,45,46,53,54,61,62) |
Identical 200 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (source code disclosure: 9-36,39-44,46-52,55-68; file inclusion: 1-8,25,26,27,37,38,45,46,53,54,61,62; path traversal: 1-8,38,54) (Original Scan Without SDC Plugin Reported: 1-8,25-27,37,38,45,46,53,54,61,62) |
Redirect (302) Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (source code disclosure: 9-36,39-44,46-52,55-68; file inclusion: 1-8,25,26,27,37,38,45,46,53,54,61,62; path traversal: 1-8,38,54) (Original Scan Without SDC Plugin Reported: 1-8,25-27,37,38,45,46,53,54,61,62) |
Redirect (302) Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (source code disclosure: 9-36,39-44,46-52,55-68; file inclusion: 1-8,25,26,27,37,38,45,46,53,54,61,62; path traversal: 1-8,38,54) (Original Scan Without SDC Plugin Reported: 1-8,25-27,37,38,45,46,53,54,61,62) |
Erroneous 404 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (source code disclosure: 9-36,39-44,46-52,55-68; file inclusion: 1-8,25,26,27,37,38,45,46,53,54,61,62; path traversal: 1-8,38,54) (Original Scan Without SDC Plugin Reported: 1-8,25-27,37,38,45,46,53,54,61,62) |
Erroneous 404 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (source code disclosure: 9-36,39-44,46-52,55-68; file inclusion: 1-8,25,26,27,37,38,45,46,53,54,61,62; path traversal: 1-8,38,54) (Original Scan Without SDC Plugin Reported: 1-8,25-27,37,38,45,46,53,54,61,62) |
False Positive Lfi Test Cases | HTTP GET (Query String Parameters) | 0 out of 8 | None |
Remote File Inclusion (RFI) Detection Accuracy | (chart not reproduced) |
100.00% Detection Rate (108/108) | 0.00% False Positives (0/6) |
Response Type | Input Vector | Detection Rate | Details |
--- | --- | --- | --- |
Erroneous 500 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9. Works only when the scanned instance has internet access. (Previously Detected: 1-4) |
Erroneous 500 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9. Works only when the scanned instance has internet access. (Previously Detected: 1-4) |
Erroneous 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9. Works only when the scanned instance has internet access. (Previously Detected: 1-4) |
Erroneous 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9. Works only when the scanned instance has internet access. (Previously Detected: 1-4) |
Valid 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9. Works only when the scanned instance has internet access. (Previously Detected: 1-4) |
Valid 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9. Works only when the scanned instance has internet access. (Previously Detected: 1-4) |
Identical 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9. Works only when the scanned instance has internet access. (Previously Detected: 1-4) |
Identical 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9. Works only when the scanned instance has internet access. (Previously Detected: 1-4) |
Redirect (302) Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9. Works only when the scanned instance has internet access. (Previously Detected: 1-4) |
Redirect (302) Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9. Works only when the scanned instance has internet access. (Previously Detected: 1-4) |
Erroneous 404 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9. Works only when the scanned instance has internet access. (Previously Detected: 1-4) |
Erroneous 404 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9. Works only when the scanned instance has internet access. (Previously Detected: 1-4) |
False Positive Rfi Test Cases | HTTP GET (Query String Parameters) | 0 out of 6 | None |
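The Details cells in the four tables above use a compact notation: a range such as 2-19 is a run of test cases, and a suffix such as 1(1st&2nd) marks a test case with two injection points, both of which were hit; that second point is counted separately, which is how "1(1st&2nd),2-19" adds up to 20 out of 20 and "1-24,27,28,30(1st&2nd),31,32" to 30 out of 33 (with 25, 26 and 29 missed). The Python below is an added example, not part of the original benchmark page or of the arachni project. It parses the "X out of Y" and Details cells as they appear in the tables above, recounts the detected and missed points per row, and recomputes the category totals (136/136 for SQLi, 60/66 for RXSS). The sample cells are copied from the tables on this page; the reading of a "(1st&2nd)" suffix on a range token (e.g. 27-30(1st&2nd)) as applying to the last case of that range is an assumption.

```python
"""Recount the WAVSEP result rows shown above from their "Details" cells.

Notation used in the tables on this page:
  "2-19"        cases 2 through 19, one injection point each
  "1(1st&2nd)"  case 1 has two injection points and both were hit, so it
                counts as two detections ("1(1st&2nd),2-19" -> 20 out of 20)
  "Detected:" and "Missed:" are the two lists that add up to a row's total;
  "Experimental", "Previously Detected" and the per-check breakdown in the
  LFI rows do not contribute to the count.
"""
import re

# One list token: "7", "2-19", "30(1st&2nd)" or "27-30(1st&2nd)".
_TOKEN_RE = re.compile(r"^(\d+)(?:-(\d+))?(\(1st&2nd\))?$")
# A labelled list such as "Detected: 1-24,27,28,30(1st&2nd),31,32".
# The lookbehind keeps "(Previously Detected: ...)" out of the count.
_LIST_RE = re.compile(
    r"(?<!Previously )\b(Detected|Missed)\s*:\s*"
    r"((?:\d+(?:-\d+)?(?:\(1st&2nd\))?\s*,?\s*)+)"
)
_RATE_RE = re.compile(r"^\s*(\d+)\s+out of\s+(\d+)\s*$")

# Cells copied from the tables on this page (RXSS GET row, SQLi GET 500 row,
# LFI GET 500 row and RFI GET 500 row).
RXSS_GET_DETAILS = ("Detected: 1-24,27,28,30(1st&2nd),31,32 Missed: 25,26,29 "
                    "GET-Experimental: 1,3,4 (Previously Detected: 1-15,27-30(1st&2nd),31,32)")
SQLI_500_GET_DETAILS = "Detected: 1(1st&2nd),2-19"
LFI_500_GET_DETAILS = ("Detected: 1-68 (source code disclosure: 9-36,39-44,46-52,55-68; "
                       "file inclusion: 1-8,25,26,27,37,38,45,46,53,54,61,62; "
                       "path traversal: 1-8,38,54)")
RFI_500_GET_DETAILS = ("Detected: 1-9. Works only when the scanned instance has internet "
                       "access. (Previously Detected: 1-4)")
RXSS_ROWS = [("30 out of 33", RXSS_GET_DETAILS), ("30 out of 33", RXSS_GET_DETAILS)]
SQLI_ROWS = [("20 out of 20", SQLI_500_GET_DETAILS)] * 6 + [("8 out of 8", "Detected: 1-8")] * 2


def expand_ids(spec: str) -> dict[int, int]:
    """Map each test-case ID in `spec` to its number of injection points.

    "1(1st&2nd),2-19" -> {1: 2, 2: 1, ..., 19: 1}.  A "(1st&2nd)" suffix on a
    range token is read as belonging to the last case of that range (an
    assumption; the page does not spell this out).
    """
    points: dict[int, int] = {}
    for token in spec.replace(" ", "").split(","):
        if not token:
            continue
        m = _TOKEN_RE.match(token)
        if not m:
            raise ValueError(f"unrecognised test-case token {token!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        for case_id in range(lo, hi + 1):
            points[case_id] = 1
        if m.group(3):
            points[hi] = 2
    return points


def parse_details(details: str) -> dict[str, dict[int, int]]:
    """Return {"Detected": {...}, "Missed": {...}} for one Details cell."""
    found = {label: expand_ids(spec) for label, spec in _LIST_RE.findall(details)}
    return {"Detected": found.get("Detected", {}), "Missed": found.get("Missed", {})}


def parse_rate(cell: str) -> tuple[int, int]:
    """'30 out of 33' -> (30, 33)"""
    m = _RATE_RE.match(cell)
    if not m:
        raise ValueError(f"unrecognised rate cell {cell!r}")
    return int(m.group(1)), int(m.group(2))


def check_row(rate_cell: str, details: str) -> tuple[int, int, bool]:
    """Recount the Details cell; return (hits, hits+misses, agrees_with_cell)."""
    stated_hits, stated_total = parse_rate(rate_cell)
    lists = parse_details(details)
    hits = sum(lists["Detected"].values())
    total = hits + sum(lists["Missed"].values())
    return hits, total, (hits, total) == (stated_hits, stated_total)


def category_rate(rows: list[tuple[str, str]]) -> tuple[int, int, float]:
    """Sum the 'X out of Y' cells of one category -> (hits, total, percent)."""
    hits = total = 0
    for rate_cell, _details in rows:
        h, t = parse_rate(rate_cell)
        hits, total = hits + h, total + t
    return hits, total, round(100.0 * hits / total, 2)


if __name__ == "__main__":
    for name, rate, details in [("RXSS GET", "30 out of 33", RXSS_GET_DETAILS),
                                ("SQLi 500 GET", "20 out of 20", SQLI_500_GET_DETAILS),
                                ("LFI 500 GET", "68 out of 68", LFI_500_GET_DETAILS),
                                ("RFI 500 GET", "9 out of 9", RFI_500_GET_DETAILS)]:
        print(name, check_row(rate, details))
    print("RXSS category", category_rate(RXSS_ROWS))   # (60, 66, 90.91)
    print("SQLi category", category_rate(SQLI_ROWS))   # (136, 136, 100.0)
```

A row whose recount disagrees with its "X out of Y" cell comes back with `False` in the third position, which is the check to run on a transcribed results table before quoting its percentages.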
I installed arachni on the latest Kali VM (results should be identical on Ubuntu). Most of the tests were performed via the CLI interface, but every result that differed from the previous benchmark result was also verified through the web interface.
WIVET Detection Accuracy (crawler coverage) | (chart not reproduced) |
96.0% Detection Rate (previously detected 19%) |
Running the latest version of arachni from Kali Linux (the newest version, not the one in Kali's repository) gets a clear 96%, as long as you follow the recommended configuration. According to the developer, the missing 4% is due to lack of support for SWF and VBScript. I tested both an online version of WIVET and a local instance. Since WIVET was installed on my Windows VM and arachni on my Linux VM (and since I could not spare any more time to install WIVET in Linux), I defined host-only/NAT/internal network interfaces in the VMs and defined a fixed cookie in the scan policy (didn't use Fiddler this time). I then used arachni to scan the remote WIVET port, without a thread limit passive discovery plugin (password disclosure). The configuration and scans were performed through the command line:

```shell
./bin/arachni http://wivetipaddress \
  --checks trainer \
  --audit-links --audit-forms \
  --scope-exclude-pattern=logout \
  --scope-exclude-pattern=offscanpages \
  --scope-exclude-pattern='100.php' \
  --scope-exclude-content-pattern='Index of' \
  --http-cookie-string="PHPSESSID=rbqo5ee4b6l7j8tu7i3h9rivu2"
```