Scanner | Version | Vendor
Secubat | 0.5 | Stefan Kals

Tested Against WAVSEP Version: 1.0

The SQL Injection Detection Accuracy of the Scanner:
Detection Accuracy: 18.38% Detection Rate (25/136), 70.00% False Positives (7/10)

Response Type | Input Vector | Detection Rate | Details
Erroneous 500 Responses | HTTP GET (Query String Parameters) | 0 out of 20 | Execution Failed.
Erroneous 500 Responses | HTTP POST (Body Parameters) | 11 out of 20 | Cases Detected: 2-5, 7-14; Cases Missed: 1 (1st & 2nd), 6, 15-19
Erroneous 200 Responses | HTTP GET (Query String Parameters) | 0 out of 20 | Execution Failed.
Erroneous 200 Responses | HTTP POST (Body Parameters) | 11 out of 20 | Cases Detected: 2-5, 7-14; Cases Missed: 1 (1st & 2nd), 6, 15-19
Valid 200 Responses | HTTP GET (Query String Parameters) | 0 out of 20 | Execution Failed.
Valid 200 Responses | HTTP POST (Body Parameters) | 0 out of 20 | Cases Missed: 1 (1st & 2nd)-19 (Only RXSS Cases Were Detected)
Identical 200 Responses | HTTP GET (Query String Parameters) | 0 out of 8 | Execution Failed.
Identical 200 Responses | HTTP POST (Body Parameters) | 3 out of 8 | Cases Detected: 1-3; Cases Missed: 4-8
False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 7 out of 10 | 1-4, 6-8

The Reflected XSS Detection Accuracy of the Scanner:
Detection Accuracy: 7.58% Detection Rate (5/66), 0.00% False Positives (0/7)

Response Type | Input Vector | Detection Rate | Details
Reflected XSS | HTTP GET (Query String Parameters) | 0 out of 33 | Execution Failed for GET parameters.
Reflected XSS | HTTP POST (Body Parameters) | 5 out of 33 | Cases Detected: 1, 2, 30 (1st & 2nd), 32 (Case 31 Identified as Injection, not XSS); Cases Missed: 3-29, 31
False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 0 out of 7 | None (Empty Report)

WAVSEP Scan Log:
After a long and weary installation & configuration process of MSSQL 2005 Express, MSSQL management studio and the tool itself, I started the tool and configured the following values:
Max Runtime 10:10:00, Max Pages/Domain 500, Max Depth 5, This domain only ? enabled, Enable attacking ? enabled, Attack this crawling run ? enabled, All Plugins Enabled (3 XSS, 1 SQL)
The crawling and scanning process was executed in front of http://localhost:8080/wavsep/index-xss.jsp, but the crawling process did not succeed when executed on the main index or the root directory (even after the index.jsp page was populated with links), so I tried referring the scanner to the individual root of each vulnerable directory.
When that didn't work, I crawled the application first (and verified that the process succeeded by viewing the report), and then executed the scan on the appropriate crawling results.
The tool successfully crawled all the URLs (eventually, while requiring me to scan each directory independently); however, the tool got stuck in every scan and required me to restart upon each failure. One of the errors gave me a lead to the reason: it seems that the attack plugins ignored the 8080 port the application resided on and accessed port 80 instead, so I used Burp to channel the communication from port 80 to port 8080, and re-initiated the crawl and the scan on the different directories, as if they resided on port 80 (http://localhost:8080/wavsep/RXSS-Detection-Evaluation-GET, etc.).
The Max Pages/Domain was automatically reduced to 99, and in addition, regardless of what I did, the scanning phase always stopped without performing any attacks (only crawling requests appeared in the Burp log, without any attack patterns). I verified that the MSSQL database used by the tool was populated with crawling information (and it had been), tried executing it in front of different URLs, including index pages and folders, and attempted it with and without Burp's port 80 forwarding, but to no avail.
Eventually, I decided to try an old copy I had, and to scan the POST pages first, and finally, I was rewarded for my efforts, and the tool finally worked! (Same configuration, but the maximum test time was set to 30 minutes and the max pages to 80).
The tool was eventually used to scan all the POST URLs in the project (all the GET tests failed):
http://localhost/wavsep/RXSS-Detection-Evaluation-POST/index.jsp
http://localhost/wavsep/SInjection-Detection-Evaluation-POST-500Error/index.jsp
http://localhost/wavsep/SInjection-Detection-Evaluation-POST-200Error/index.jsp
http://localhost/wavsep/SInjection-Detection-Evaluation-POST-200Valid/index.jsp
http://localhost/wavsep/SInjection-Detection-Evaluation-POST-200Identical/index.jsp
In addition, I altered my false positive test cases so they'll support POST as well, and executed the scanner against them.
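As an added example that is not part of this benchmark page or of Secubat, the port-forwarding workaround from the scan log as a small Python TCP relay: it listens on the port the scanner connects to, forwards each connection to the port WAVSEP actually runs on, and records every HTTP request line it relays, which is the same check the log makes by reading the Burp request log for attack requests. The port numbers and the localhost host come from the log; the function names and the request-line logging are my own.

```python
import contextlib
import socket
import threading

# Added example (not the page's or Secubat's code): a TCP relay standing in for
# the Burp port-forward in the scan log, logging every request line it relays.

def request_line(data: bytes) -> str:
    """First line of an HTTP request, e.g. 'GET /wavsep/index.jsp HTTP/1.1'."""
    return data.partition(b"\r\n")[0].decode("latin-1", "replace")

def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src closes, then half-close dst."""
    with contextlib.suppress(OSError):
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _handle(client: socket.socket, upstream_addr: tuple, log: list) -> None:
    first = client.recv(65536)       # assumes the request line fits in the first read
    if not first:
        client.close()
        return
    log.append(request_line(first))  # what the scanner actually sent
    upstream = socket.create_connection(upstream_addr)
    upstream.sendall(first)
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    _pump(upstream, client)          # relay the response until the app closes
    upstream.close()
    client.close()

def start_relay(listen_port: int, upstream_port: int, host: str = "127.0.0.1"):
    """Run the relay in background threads; returns (listening socket, request log)."""
    log: list = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, listen_port))
    srv.listen(16)
    def accept_loop() -> None:
        while True:
            try:
                client, _ = srv.accept()
            except OSError:          # listening socket closed: stop accepting
                return
            threading.Thread(target=_handle, args=(client, (host, upstream_port), log),
                             daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, log
```

In the log's setup this is start_relay(80, 8080) with the scanner pointed at port 80; binding port 80 needs privileges, so use an unprivileged listen port for a dry run and then inspect the returned log for attack requests versus plain crawl requests.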


Copyright © 2010-2016 by Shay Chen. All rights reserved.