| Scanner | Version | Build | Vendor |
|---|---|---|---|
| Xcobra | 0.2 | 99 | Taras Ivashchenko |

Tested Against WAVSEP Version:
Detection Accuracy: 0.00% Detection Rate (0/136), 0.00% False Positives (0/10)

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 0 out of 20 | Execution Failed. |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 0 out of 20 | Execution Failed. |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 0 out of 20 | Execution Failed. |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 0 out of 20 | Execution Failed. |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 0 out of 20 | Execution Failed. |
| Valid 200 Responses | HTTP POST (Body Parameters) | 0 out of 20 | Execution Failed. |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 0 out of 8 | Execution Failed. |
| Identical 200 Responses | HTTP POST (Body Parameters) | 0 out of 8 | Execution Failed. |
| False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 0 out of 10 | Execution Failed. |
Detection Accuracy: 0.00% Detection Rate (0/66), 0.00% False Positives (0/7)

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Reflected XSS | HTTP GET (Query String Parameters) | 0 out of 33 | Execution Failed. |
| Reflected XSS | HTTP POST (Body Parameters) | 0 out of 33 | Execution Failed. |
| False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 0 out of 7 | Execution Failed. |
The lack of documentation made it pretty difficult to locate the dependencies for this tool. I tested it on a Fedora VM with python 2.6.x & PyGTK (and additional libraries). The GUI loaded successfully, but each scan performed with the tool ended immediately without any findings, even though I enabled all the plug-ins. I tried to execute the scanner in a couple of additional ways:

First, I tried to refer the GUI to the public root URL; it did not seem to crawl the application, so I tried the same with the login page; still, no results. Finally I tried executing the scanner (via the GUI) by loading a target file containing the URLs, but even though the URLs were all loaded successfully, no vulnerabilities were found. Similar scans were performed using the command line version of the tool, without any changes in the results (apart from exceptions and notifications):

`python xcobra.py -i WavsepScan.txt -d 7 ?v`

The tool did not find vulnerabilities (it seemed to be working, since it did not throw exceptions).