Scanner | Version | Build | Vendor
WebInspect | 10.1.177.0 | SB 4.11.00 | HP Application Security Center

Tested Against WAVSEP Version: 1.5

The SQL Injection Detection Accuracy of the Scanner:
100.00% Detection Rate (136/136)
0.00% False Positives (0/10)

Response Type | Input Vector | Detection Rate | Details
Erroneous 500 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19
Erroneous 500 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19
Erroneous 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19; 200-Experimental-GET: 1
Erroneous 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19; 200-Experimental-POST: 1
Valid 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19
Valid 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19
Identical 200 Responses | HTTP GET (Query String Parameters) | 8 out of 8 | Detected: 1-8
Identical 200 Responses | HTTP POST (Body Parameters) | 8 out of 8 | Detected: 1-8
False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 0 out of 10 | None (Standard Policy & All Checks Policy)

The Reflected XSS Detection Accuracy of the Scanner:
100.00% Detection Rate (66/66)
0.00% False Positives (0/7)

Response Type | Input Vector | Detection Rate | Details
Reflected XSS | HTTP GET (Query String Parameters) | 33 out of 33 | Detected: 1-30(1st&2nd),31,32; RXSS-Experimental-GET: 1,3
Reflected XSS | HTTP POST (Body Parameters) | 33 out of 33 | Detected: 1-30(1st&2nd),31,32; RXSS-Experimental-POST: 1
False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 0 out of 7 | None (Standard Policy & All Checks Policy)

The Local File Inclusion Detection Accuracy of the Scanner:
91.18% Detection Rate (744/816)
0.00% False Positives (0/8)

Response Type | Input Vector | Detection Rate | Details
Erroneous 500 Responses | HTTP GET (Query String Parameters) | 62 out of 68 | Detected (Vendor Custom Policy): 1-27,29,31-46,49-62,65-68. Benchmark Original Results (49): 1-27,33,36-46,53-62 (All Checks & Standard Policies). Previously Detected: 1,4,9,10,15,16,21,24,37-44,53-60
Erroneous 500 Responses | HTTP POST (Body Parameters) | 62 out of 68 | Detected (Vendor Custom Policy): 1-27,29,31-46,49-62,65-68. Benchmark Original Results (49): 1-27,33,36-46,53-62 (All Checks & Standard Policies). Previously Detected: 1,9,10,15,16,21,24,37,39,41,43,53,55,57,59
Erroneous 200 Responses | HTTP GET (Query String Parameters) | 62 out of 68 | Detected (Vendor Custom Policy): 1-27,29,31-46,49-62,65-68. Benchmark Original Results (49): 1-27,33,36-46,53-62 (All Checks & Standard Policies). Previously Detected: 1,4,7,9-24,37-44,53-60
Erroneous 200 Responses | HTTP POST (Body Parameters) | 62 out of 68 | Detected (Vendor Custom Policy): 1-27,29,31-46,49-62,65-68. Benchmark Original Results (49): 1-27,33,36-46,53-62 (All Checks & Standard Policies). Previously Detected: 1,9-12,15-18,21,22,24,37,39,41,43,53,55,57,59
Valid 200 Responses | HTTP GET (Query String Parameters) | 62 out of 68 | Detected (Vendor Custom Policy): 1-27,29,31-46,49-62,65-68. Benchmark Original Results (49): 1-27,33,36-46,53-62 (All Checks & Standard Policies). Previously Detected: 1,3-5,7,9-24,37-44,53-60
Valid 200 Responses | HTTP POST (Body Parameters) | 62 out of 68 | Detected (Vendor Custom Policy): 1-27,29,31-46,49-62,65-68. Benchmark Original Results (49): 1-27,33,36-46,53-62 (All Checks & Standard Policies). Previously Detected: 1,3,5,7,9-24,37,39,41,43,53,55,57,59
Identical 200 Responses | HTTP GET (Query String Parameters) | 62 out of 68 | Detected (Vendor Custom Policy): 1-27,29,31-46,49-62,65-68. Benchmark Original Results (49): 1-27,33,36-46,53-62 (All Checks & Standard Policies). Previously Detected: 1,3-5,7,9-24,37-44,53-60
Identical 200 Responses | HTTP POST (Body Parameters) | 62 out of 68 | Detected (Vendor Custom Policy): 1-27,29,31-46,49-62,65-68. Benchmark Original Results (49): 1-27,33,36-46,53-62 (All Checks & Standard Policies). Previously Detected: 1,3,5,7,9-24,37,39,41,43,53,55,57,59
Redirect (302) Responses | HTTP GET (Query String Parameters) | 62 out of 68 | Detected (Vendor Custom Policy): 1-27,29,31-46,49-62,65-68. Benchmark Original Results (49): 1-27,33,36-46,53-62 (All Checks & Standard Policies). Previously Detected: 1,3-5,7,9-24,37-44,53-60
Redirect (302) Responses | HTTP POST (Body Parameters) | 62 out of 68 | Detected (Vendor Custom Policy): 1-27,29,31-46,49-62,65-68. Benchmark Original Results (49): 1-27,33,36-46,53-62 (All Checks & Standard Policies). Previously Detected: 1,3,5,7,9-24,37,39,41,43,53,55,57,59
Erroneous 404 Responses | HTTP GET (Query String Parameters) | 62 out of 68 | Detected (Vendor Custom Policy): 1-27,29,31-46,49-62,65-68. Benchmark Original Results (49), Unified: 1,2,4,9,10,15,21,24,25,28,31,34,37-44,46-60,62-68
Erroneous 404 Responses | HTTP POST (Body Parameters) | 62 out of 68 | Detected (Vendor Custom Policy): 1-27,29,31-46,49-62,65-68. Benchmark Original Results (49): 1-27,33,36-46,53-62 (All Checks & Standard Policies). Previously Detected: 1,9,10,15,16,21,24,37,39,41,43,53,55,57,59
False Positive LFI Test Cases | HTTP GET (Query String Parameters) | 0 out of 8 | None (Custom Policy, Standard Policy, All Checks Policy)
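The LFI rows above list results as WAVSEP-style case ranges ("1-27,29,31-46,49-62,65-68"), which makes it hard to see at a glance which of the 68 cases the scanner still misses and what the vendor's custom policy gained over the original "All Checks & Standard" run. The following Python is an added example written for this page, not code from the benchmark or from HP; it expands the two lists copied from the table (the numbering 1..68 per response-type row is taken from the "62 out of 68" column, and the set names are mine) and reports the per-case delta.

```python
import re

# Case lists copied verbatim from the LFI rows of the table above.
LFI_TOTAL = 68
LFI_CUSTOM_POLICY = "1-27,29,31-46,49-62, 65-68"   # "Detected (Vendor Custom Policy)"
LFI_ORIGINAL_RUN = "1-27,33,36-46,53-62"            # "Benchmark Original Results (49)"

_TOKEN = re.compile(r"(\d+)(?:-(\d+))?")


def parse_case_list(spec: str, total: int) -> set[int]:
    """Expand a comma-separated list of case numbers and inclusive ranges
    (e.g. "1-27,29,31-46") into the set of individual case numbers.

    Raises ValueError on a malformed token, a descending range, or a case
    number outside 1..total, so a typo in a transcribed list is caught
    instead of silently inflating the count."""
    cases: set[int] = set()
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            continue  # tolerate a trailing comma
        m = _TOKEN.fullmatch(token)
        if m is None:
            raise ValueError(f"unrecognised case token: {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending range: {token!r}")
        if lo < 1 or hi > total:
            raise ValueError(f"case out of range 1..{total}: {token!r}")
        cases.update(range(lo, hi + 1))
    return cases


def compare_policies(total: int, custom_spec: str, original_spec: str) -> dict:
    """Return counts and per-case deltas between two detection lists."""
    custom = parse_case_list(custom_spec, total)
    original = parse_case_list(original_spec, total)
    universe = set(range(1, total + 1))
    return {
        "custom_count": len(custom),          # should match the "62 out of 68" column
        "original_count": len(original),      # should match the "(49)" in the details
        "gained": sorted(custom - original),  # cases the custom policy added
        "lost": sorted(original - custom),    # cases the custom policy regressed on
        "still_missed": sorted(universe - custom),
    }


if __name__ == "__main__":
    result = compare_policies(LFI_TOTAL, LFI_CUSTOM_POLICY, LFI_ORIGINAL_RUN)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running it confirms the table's arithmetic (62 and 49 cases), shows that the custom policy regressed on nothing, and names the six cases the scanner still misses in every response-type row: 28, 30, 47, 48, 63 and 64. The same function can be pointed at the "Previously Detected" lists to quantify the improvement between scanner versions.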

The Remote File Inclusion Detection Accuracy of the Scanner:
100.00% Detection Rate (108/108)
0.00% False Positives (0/6)

Response Type | Input Vector | Detection Rate | Details
Erroneous 500 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 as Arbitrary Remote File Include. Previously Detected: 1,2,5
Erroneous 500 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 as Arbitrary Remote File Include. Previously Detected: 1,2,5
Erroneous 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 as Arbitrary Remote File Include. Previously Detected: 1-7
Erroneous 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 as Arbitrary Remote File Include. Previously Detected: 1-6
Valid 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 as Arbitrary Remote File Include. Previously Detected: 1-7
Valid 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 as Arbitrary Remote File Include. Previously Detected: 1-6
Identical 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 as Arbitrary Remote File Include. Previously Detected: 1-7
Identical 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 as Arbitrary Remote File Include. Previously Detected: 1-6
Redirect (302) Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 as Arbitrary Remote File Include. Previously Detected: 1-7
Redirect (302) Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 as Arbitrary Remote File Include. Previously Detected: 1-6
Erroneous 404 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 as Arbitrary Remote File Include. Previously Detected: 1,2,5,8,9
Erroneous 404 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 as Arbitrary Remote File Include. Previously Detected: 1,2,5
False Positive RFI Test Cases | HTTP GET (Query String Parameters) | 0 out of 6 | None (Standard Policy & All Checks Policy), not counting the LFI detection, which is a valid file:/ exploit.

WAVSEP Scan Log:
Prior to scanning, I updated the product on December 26, 2013.
I used the "thorough" coverage method in most of the scans, and used the following policies in the scans:
SQL Injection tests: the "SQL Injection" and "Aggressive SQL Injection" policies (much better results for the latter), and the "All Checks" and "Standard" policies.
XSS tests: the CustomXSS policy and the Standard policy.
Traversal/LFI tests: the Standard policy (missed plenty), and an LFI custom policy with the following plugins: "Local File Inclusion/Reading Vulnerability", "Possible Local File Inclusion/Reading Vulnerability", "Parameter Manipulation Directory Traversal Command Execution".
RFI tests: the Standard policy.
Unvalidated Redirect tests: the "All Checks" and "Standard" policies.
Obsolete files tests: the "All Checks" policy (eventually detected by the plugin "Backup File (copy of)"), the "Standard" policy, and eventually a custom policy with all the plugins that contained the word "backup" (dozens of them), the "query sequence" plugin, the "common include files" plugin, all the source code disclosure plugins, "Common Application Test Files", all the plugins under "predictable resource location", several generic plugins that contained the words old/copy/web.config, several directory probing plugins, and all the plugins that contained the name web-inf.
WIVET tests: for information on the WIVET score/configuration, read the designated WIVET description.
Each result was verified at least twice, and all results were consistent in all scans.

*UPDATE*: After publishing the benchmark, the vendor proposed scanning the LFI test cases using a different configuration, which provided much better results. It consists of scanning the application with the thorough testing mode while using a custom policy containing the following plugins:
10287 - Local File Include
10271 - Local File Inclusion/Reading Vulnerability
10272 - Possible Local File Inclusion/Reading Vulnerability
11327 - LFI Tomcat
11332 - LFI IIS

The WIVET Score of the Scanner:
96.0% Detection Rate

WIVET Scan Log:
96% - crawler "depth first" mode (update).
94% - crawler "breadth first" mode (default).
I used the following configuration:
Crawl Only (on http://localhost/wivet/index.php), Thorough Mode, disabled the crawler's "Ignore Case Sensitivity" feature, defined Fiddler as an explicit proxy and defined a valid WIVET session id in Fiddler's filter (after clearing the previous WIVET results, of course), and finally removed 100.php (logout) from WIVET's menu, to prevent WebInspect from initializing the result.
Apart from a couple of protocol violations Fiddler experienced, all went according to plan.
The results were verified twice.

*Update*: after the benchmark publication, the vendor provided information on a custom configuration that could improve the results: changing the crawler mode to "depth first" in the General tab of the scan settings (the Settings button presented during the scan wizard).

Copyright © 2010-2016 by Shay Chen. All rights reserved.