| Scanner | Version | Build | Vendor |
|---|---|---|---|
| sqlmap | 1.0 | Jul 5, 2012 | sqlmap developers |

Tested Against WAVSEP Version:

Detection Accuracy: 100.00% Detection Rate (136/136), 0.00% False Positives (0/10)
| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd)-19 |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd)-19 |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd)-19 |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd)-19 |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd)-19 (case 4 requires level = 4) |
| Valid 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd)-19 |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 8 out of 8 | Detected: 1-8 |
| Identical 200 Responses | HTTP POST (Body Parameters) | 8 out of 8 | Detected: 1-8 |
| False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 0 out of 10 | None |
In my experience, the best way to make sqlmap behave like a scanner is to optimize it, so I did not enable any exploitation features in the configuration file, and in addition, crawled the application's SQL vulnerable pages and false positive pages through Burp, while creating a separate Burp-formatted log file for each individual directory (and making sure to include only the relevant requests in each log file). I supplied the Burp-generated log files to sqlmap as the target source, and used sqlmap's config file to configure the following scan variables (in sqlmap.conf):

Changes made to the configuration file of sqlmap (sqlmap.conf):

- logFile (list in the stable version) = BurpLogs\Burp-WAVSEP-[log-name].log
- Level of tests to perform (level = 4) (sometimes 2)
- Risk of tests to perform (risk = 3)
- SQL injection techniques to test for (tech = BEST) (the default is BEUST)
- dbms = mysql 5, os = windows
- getBanner = False, extensiveFp = True, batch = True, flushSession = True
- forms = False (parse and test forms on target URL)
- freshQueries = True (ignores query results stored in session file)
- extensiveFp = False

The scans were executed against each individual directory, using the following command:

python sqlmap.py -c sqlmap.conf

The tool scanned all the URLs, performed initial tests on all GET/POST/cookie/user-agent values, and detected all the vulnerable test cases (!), with zero false positives. In most cases, all the vulnerable pages were located in the initial scan, while in rare cases it required a secondary scan (either identical or with level = 2 or 4) to locate all the test cases (probably load issues on the tested station).