Scanner | Version | Build | Vendor |
AppSpider | 6.0 | 773/778 | Rapid7 |
Tested Against WAVSEP Version: |
Detection Accuracy (SQL Injection) |
97.06% Detection Rate (132/136) | 0.00% False Positives (0/10) |
Response Type | Input Vector | Detection Rate | Details |
Erroneous 500 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected (Error): 1(1st&2nd)-19 Detected (Blind): 1(1st&2nd)-3,5-19 |
Erroneous 500 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected (Error): 1(1st&2nd)-19 Detected (Blind): 1(1st&2nd)-3,6-8,10-13,15-18 |
Erroneous 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected (Error): 1(1st&2nd)-19 Detected (Blind): 1(1st&2nd)-9,11-19 GET-Experimental: 1 |
Erroneous 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected (Error): 1(1st&2nd)-19 Detected (Blind): 1(1st&2nd)-3,6-8,10-13,15-18 POST-Experimental: 1 |
Valid 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected (Blind): 1(1st&2nd)-19 (Previously Detected: 1(1st&2nd)-3,6-8,10-13,15-18) |
Valid 200 Responses | HTTP POST (Body Parameters) | 16 out of 20 | Detected (Blind): 1(1st&2nd)-4,6,8,9,11-16,18,19 (Previously Detected: 1(1st&2nd)-3,6-8,10-13,15-18) |
Identical 200 Responses | HTTP GET (Query String Parameters) | 8 out of 8 | Detected (Blind): 1-8 (Previously Detected: 1,2,3) |
Identical 200 Responses | HTTP POST (Body Parameters) | 8 out of 8 | Detected (Blind): 1-8 (Previously Detected: 1,2,3) |
False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 0 out of 10 | None |
Detection Accuracy (Reflected XSS) |
100.00% Detection Rate (66/66) | 0.00% False Positives (0/7) |
Response Type | Input Vector | Detection Rate | Details |
Reflected XSS | HTTP GET (Query String Parameters) | 33 out of 33 | Detected: 1-30(1st&2nd),31,32 (Previously Detected: 1-8,10-12,14,16-25,27-29,30(1st&2nd)-32) GET-Experimental: 1,2,3,7 |
Reflected XSS | HTTP POST (Body Parameters) | 33 out of 33 | Detected: 1-30(1st&2nd),31,32 (Previously Detected: 1-12,16-19,22-24, 28,30(1st&2nd)-32) POST-Experimental: 2,3,7 |
False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 0 out of 7 | None |
Detection Accuracy (Path Traversal / Local File Inclusion) |
81.13% Detection Rate (662/816) | 12.50% False Positives (1/8) |
Response Type | Input Vector | Detection Rate | Details |
Erroneous 500 Responses | HTTP GET (Query String Parameters) | 64 out of 68 | Detected: 1-4,8-26,28-68 (Detected using the parameter fuzzing / remote file include plugin; listed under remote file include, but with appropriate traversal/LFI classification) |
Erroneous 500 Responses | HTTP POST (Body Parameters) | 57 out of 68 | Detected: 1-4,9-18,21,22,24-26,28-32,34,35,37-53,55-68 (Detected using the parameter fuzzing / remote file include plugin; listed under remote file include, but with appropriate traversal/LFI classification) |
Erroneous 200 Responses | HTTP GET (Query String Parameters) | 64 out of 68 | Detected: 1-4,8-26,28-68 (Detected using the parameter fuzzing / remote file include plugin; listed under remote file include, but with appropriate traversal/LFI classification) |
Erroneous 200 Responses | HTTP POST (Body Parameters) | 57 out of 68 | Detected: 1-4,9-18,21,22,24-26,28-32,34,35,37-53,55-68 (Detected using the parameter fuzzing / remote file include plugin; listed under remote file include, but with appropriate traversal/LFI classification) |
Valid 200 Responses | HTTP GET (Query String Parameters) | 55 out of 68 | Detected: 9-26,28-36,39-52,55-68 (Detected using the parameter fuzzing / remote file include plugin; listed under remote file include, but with appropriate traversal/LFI classification) |
Valid 200 Responses | HTTP POST (Body Parameters) | 50 out of 68 | Detected: 9-18,21,22,24-26,28-32,34,35,39-52,55-68 (Detected using the parameter fuzzing / remote file include plugin; listed under remote file include, but with appropriate traversal/LFI classification) |
Identical 200 Responses | HTTP GET (Query String Parameters) | 55 out of 68 | Detected: 9-26,28-36,39-52,55-68 (Detected using the parameter fuzzing / remote file include plugin; listed under remote file include, but with appropriate traversal/LFI classification) |
Identical 200 Responses | HTTP POST (Body Parameters) | 50 out of 68 | Detected: 9-18,21,22,24-26,28-32,34,35,39-52,55-68 (Detected using the parameter fuzzing / remote file include plugin; listed under remote file include, but with appropriate traversal/LFI classification) |
Redirect (302) Responses | HTTP GET (Query String Parameters) | 55 out of 68 | Detected: 9-26,28-36,39-52,55-68 (Detected using the parameter fuzzing / remote file include plugin; listed under remote file include, but with appropriate traversal/LFI classification) |
Redirect (302) Responses | HTTP POST (Body Parameters) | 50 out of 68 | Detected: 9-18,21,22,24-26,28-32,34,35,39-52,55-68 (Detected using the parameter fuzzing / remote file include plugin; listed under remote file include, but with appropriate traversal/LFI classification) |
Erroneous 404 Responses | HTTP GET (Query String Parameters) | 55 out of 68 | Detected: 9-26,28-36,39-52,55-68 (Detected using the parameter fuzzing / remote file include plugin; listed under remote file include, but with appropriate traversal/LFI classification) |
Erroneous 404 Responses | HTTP POST (Body Parameters) | 50 out of 68 | Detected: 9-18,21,22,24-26,28-32,34,35,39-52,55-68 (Detected using the parameter fuzzing / remote file include plugin; listed under remote file include, but with appropriate traversal/LFI classification) |
False Positive LFI Test Cases | HTTP GET (Query String Parameters) | 1 out of 8 | Case 7 |
Detection Accuracy (Remote File Inclusion) |
79.63% Detection Rate (86/108) | 0.00% False Positives (0/6) |
Response Type | Input Vector | Detection Rate | Details |
Erroneous 500 Responses | HTTP GET (Query String Parameters) | 8 out of 9 | Detected: 1,2,3,4,5,6,8,9 |
Erroneous 500 Responses | HTTP POST (Body Parameters) | 7 out of 9 | Detected: 1,2,3,5,6,8,9 (Case 7 identified as Parameter Fuzzing) |
Erroneous 200 Responses | HTTP GET (Query String Parameters) | 8 out of 9 | Detected: 1,2,3,4,5,6,8,9 |
Erroneous 200 Responses | HTTP POST (Body Parameters) | 7 out of 9 | Detected: 1,2,3,5,6,8,9 (Case 7 identified as Parameter Fuzzing) |
Valid 200 Responses | HTTP GET (Query String Parameters) | 7 out of 9 | Detected: 1,2,3,5,6,8,9 |
Valid 200 Responses | HTTP POST (Body Parameters) | 7 out of 9 | Detected: 1,2,3,5,6,8,9 |
Identical 200 Responses | HTTP GET (Query String Parameters) | 7 out of 9 | Detected: 1,2,3,5,6,8,9 |
Identical 200 Responses | HTTP POST (Body Parameters) | 7 out of 9 | Detected: 1,2,3,5,6,8,9 |
Redirect (302) Responses | HTTP GET (Query String Parameters) | 7 out of 9 | Detected: 1,2,3,5,6,8,9 |
Redirect (302) Responses | HTTP POST (Body Parameters) | 7 out of 9 | Detected: 1,2,3,5,6,8,9 |
Erroneous 404 Responses | HTTP GET (Query String Parameters) | 7 out of 9 | Detected: 1,2,3,5,6,8,9 |
Erroneous 404 Responses | HTTP POST (Body Parameters) | 7 out of 9 | Detected: 1,2,3,5,6,8,9 |
False Positive RFI Test Cases | HTTP GET (Query String Parameters) | 0 out of 6 | None |
NTOSpider was configured in the following manner:
I defined the "Server Load" as Light (with the number of URL Retry Attempts updated to 5). The advanced attack properties MaxSameNameParameterAttacks, LinksToAttackBeforeLimitingAttacks and ParametersToAttackBeforeLimitingAttacks were all set to 10000 (wavsep is composed of MANY links and forms with parameters which in many cases share the same name). In the Attack Policy general definitions tab, changing the "Attack Per Input" property to "all" instead of "smart" seemed to affect accuracy as well. The rest of the attack limiting conditions shouldn't occur in wavsep, and were left intact.

I only used the relevant vulnerability detection plugins when scanning each directory:

- SQL Injection: Blind SQL, SQL Injection, SQL Injection Auth Bypass plugins
- XSS: Cross-site Scripting Reflected & Simple plugins, DOM XSS passive plugin
- Unvalidated Redirect: Unvalidated Redirect plugin
- Remote File Inclusion (XSS via RFI): Remote File Inclusion plugin, Parameter Fuzzing plugin
- Path Traversal / Local File Inclusion: NTOSpider doesn't seem to support this feature
- Backup Files: NTOSpider doesn't seem to have this feature; I tried "Source Code Disclosure" and "Predictable Resource Location" just in case they may identify any backup files under their category, but with no results.

In many cases and rescans I also limited the max concurrent connections property to 1 (particularly in SQL Injection scans).
Detection Accuracy (WIVET) |
94.0% Detection Rate |
In order to get the best out of NTOSpider I took the advice of its developers and enabled the sequential scan feature with a 200 ms Drip delay; I got 94% against WIVET on Windows 7.
The WIVET score of NTOSpider without these definitions and on Windows XP reached 85%; however, I followed the developer recommendations for almost every other scanner, so this case was no different. I crawled the wivet root URL while setting the same cookie I had in my browser in NTOSpider, and while leaving all the default configuration values intact. The only change I made was to disable all the test plugins except two passive plugins: Email Disclosure and Information Disclosure in Comments (my way of verifying that NTOSpider has a reason to crawl the application).