| Scanner | Version | Vendor |
| XSSS | 0.40 | Sven Neuhaus |
| Tested Against WAVSEP Version: |
| Detection Accuracy | Chart | ||||
| 33.33% Detection Rate 71.43% False Positives | (22/66) (5/7) |
| Response Type | Input Vector | Detection Rate | Details |
| Reflected XSS | HTTP GET (Query String Parameters) | 5 out of 33 | Crashed during the test. Cases Detected: 1-5 Cases Missed: 6-32 |
| Reflected XSS | HTTP POST (Body Parameters) | 17 out of 33 | Cases Detected: 1-7,11,14,17,20,22,25,27-30(1st) Cases Missed: 8-10,12,13,15,16,18,19,21, 23,24,26,30(2nd),31,32 |
| False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 5 out of 7 | 1,2,4,6,7 |
| I installed the dependencies, gave the perl script execution permission, and then executed the tool in front of the root URL of the public section of the application, while enabling the form scanning feature (the public section should be completely covered by the default crawling depth of the tool, which is 5, so no additional configuration changes were made). I used the following execution commands:
./xss --forms http://192.168.1.101:8080/wavsep/index-xss.jsp ./xss --forms http://192.168.1.101:8080/wavsep/index-false.jsp The tool did not manage to crawl the application pages, but I eventually managed to scan the directories using the following commands: ./xss http://192.168.1.101:8080/wavsep/RXSS-Detection-Evaluation-GET/ ./xss --forms http://192.168.1.101:8080/wavsep/RXSS-Detection-Evaluation-POST/ ./xss http://192.168.1.101:8080/wavsep/RXSS-FalsePositives-GET/ |