Detailed Scan Results - XSSploit - WAVSEP Benchmark 2014/2016

Scanner	Version	Vendor
XSSploit	0.5	SCRT Information Security

Tested Against WAVSEP Version:

1.0

The Reflected XSS Detection Accuracy of the Scanner:

Detection Accuracy

Chart

21.21% Detection Rate
85.71% False Positives

(14/66)
(6/7)

Response Type	Input Vector	Detection Rate	Details
Reflected XSS	HTTP GET (Query String Parameters)	7 out of 33	Incomplete Results. Cases Detected: 1-7 Cases Missed: 8-32
Reflected XSS	HTTP POST (Body Parameters)	7 out of 33	Incomplete Results. Cases Detected: 1-7 Cases Missed: 8-32
False Positive RXSS Test Cases	HTTP GET (Query String Parameters)	6 out of 7	1-4,6,7

WAVSEP Scan Log:

I tried installing the scanner in multiple operating systems (ubuntu 9, fedora 11, windows xp), but for some reason, whenever I started executing it on an application, the spider would not work (http://192.168.1.100:8080/wavsep/index-xss.jsp). At the last deadline, a few hours before releasing the article, I decided to try again. I uninstalled every python installation an module from my windows XP vm, deleted any trace of the word ?python? from the registry, and installed python 2.5, pyOpenSSL, wxPython and pyCurl (the site claims that only python 2.5 and wxPython are required, but I got carried out). In addition, I defined burp proxy to forward traffic from port 80 to port 8080, and crawled & scanned the following URLs:
http://localhost/wavsep/index-xss.jsp
http://localhost/wavsep/RXSS-Detection-Evaluation-GET/index.jsp
http://localhost/wavsep/RXSS-Detection-Evaluation-POST/index.jsp
http://localhost/wavsep/RXSS-FalsePositives-GET/index.jsp
http://localhost/wavsep/index-false.jsp
This time, the spider feature that did work, and so did the scanner? So it seems like being stubborn has some advantages after all?
The scanner successfully crawled all URLs and submitted all the forms, but when I started analyzing, various exceptions were presented in the tool?s console (particularly on page 32), and the scan was never truly ?completed? (except in the false positive URLs); it was however, possible to view the results that were already discovered by the tool.
I repeated the process with various URLs, with identical results and problems.