Scanner | Version | Build | Vendor |
Acunetix WVS | 10.5 | 20160627 | Acunetix |
Tested Against WAVSEP Version: |
Detection Accuracy |
100.00% Detection Rate (136/136), 0.00% False Positives (0/10) |
Response Type | Input Vector | Detection Rate | Details |
Erroneous 500 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19 |
Erroneous 500 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19 |
Erroneous 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19 200-Experimental-GET: 1 |
Erroneous 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19 200-Experimental-POST: 1 |
Valid 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19 |
Valid 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19 |
Identical 200 Responses | HTTP GET (Query String Parameters) | 8 out of 8 | Detected: 1-8 |
Identical 200 Responses | HTTP POST (Body Parameters) | 8 out of 8 | Detected: 1-8 |
False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 0 out of 10 | None |
Detection Accuracy |
100.00% Detection Rate (66/66), 0.00% False Positives (0/7) |
Response Type | Input Vector | Detection Rate | Details |
Reflected XSS | HTTP GET (Query String Parameters) | 33 out of 33 | Detected: 1-30(1st&2nd),31,32 XSS-Experimental-GET: 1,3 |
Reflected XSS | HTTP POST (Body Parameters) | 33 out of 33 | Detected: 1-30(1st&2nd),31,32 XSS-Experimental-POST: 1,3 |
False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 0 out of 7 | None |
Detection Accuracy |
94.12% Detection Rate (768/816), 0.00% False Positives (0/8) |
Response Type | Input Vector | Detection Rate | Details |
Erroneous 500 Responses | HTTP GET (Query String Parameters) | 64 out of 68 | Detected: 1,3,5,7,9-68 (Previously Detected: 1,3,5,7,9-27,37-40,42,44-46,53-56,58,60-62) |
Erroneous 500 Responses | HTTP POST (Body Parameters) | 64 out of 68 | Detected: 1,3,5,7,9-68 (Previously Detected: 1,3,5,7,9-27,37-40,42,44-46,53-56,58,60-62) |
Erroneous 200 Responses | HTTP GET (Query String Parameters) | 64 out of 68 | Detected: 1,3,5,7,9-68 (Previously Detected: 1,3,5,7,9-27,37-40,42,44-46,53-56,58,60-62) |
Erroneous 200 Responses | HTTP POST (Body Parameters) | 64 out of 68 | Detected: 1,3,5,7,9-68 (Previously Detected: 1,3,5,7,9-27,37-40,42,44-46,53-56,58,60-62) |
Valid 200 Responses | HTTP GET (Query String Parameters) | 64 out of 68 | Detected: 1,3,5,7,9-68 (Previously Detected: 1,3,5,7,9-27,37-40,42,44-46,53-56,58,60-62) |
Valid 200 Responses | HTTP POST (Body Parameters) | 64 out of 68 | Detected: 1,3,5,7,9-68 (Previously Detected: 1,3,5,7,9-27,37-40,42,44-46,53-56,58,60-62) |
Identical 200 Responses | HTTP GET (Query String Parameters) | 64 out of 68 | Detected: 1,3,5,7,9-68 (Previously Detected: 1,3,5,7,9-27,37-40,42,44-46,53-56,58,60-62) |
Identical 200 Responses | HTTP POST (Body Parameters) | 64 out of 68 | Detected: 1,3,5,7,9-68 (Previously Detected: 1,3,5,7,9-27,37-40,42,44-46,53-56,58,60-62) |
Redirect (302) Responses | HTTP GET (Query String Parameters) | 64 out of 68 | Detected: 1,3,5,7,9-68 (Previously Detected: 1,3,5,7,9-27,37-40,42,44-46,53-56,58,60-62) |
Redirect (302) Responses | HTTP POST (Body Parameters) | 64 out of 68 | Detected: 1,3,5,7,9-68 (Previously Detected: 1,3,5,7,9-27,37-40,42,44-46,53-56,58,60-62) |
Erroneous 404 Responses | HTTP GET (Query String Parameters) | 64 out of 68 | Detected: 1,3,5,7,9-68 (Previously Detected: 1,3,5,7,9-27,37-40,42,44-46,53-56,58,60-62) |
Erroneous 404 Responses | HTTP POST (Body Parameters) | 64 out of 68 | Detected: 1,3,5,7,9-68 (Previously Detected: 1,3,5,7,9-27,37-40,42,44-46,53-56,58,60-62) |
False Positive LFI Test Cases | HTTP GET (Query String Parameters) | 0 out of 8 | In some vulnerable Java versions, case 01 will be classified as vulnerable. That result is actually a true positive: the forward method is vulnerable to directory traversal in that specific Java version. |
Detection Accuracy |
100.00% Detection Rate (108/108), 0.00% False Positives (0/6) |
Response Type | Input Vector | Detection Rate | Details |
Erroneous 500 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 (Previously Detected: 1-7) |
Erroneous 500 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 (Previously Detected: 1-7) |
Erroneous 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 (Previously Detected: 1-7) |
Erroneous 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 (Previously Detected: 1-7) |
Valid 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 (Previously Detected: 1-7) |
Valid 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 (Previously Detected: 1-7) |
Identical 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 (Previously Detected: 1-7) |
Identical 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 (Previously Detected: 1-7) |
Redirect (302) Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 (Previously Detected: 1-7) |
Redirect (302) Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 (Previously Detected: 1-7) |
Erroneous 404 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 (Previously Detected: 1-7) |
Erroneous 404 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 (Previously Detected: 1-7) |
False Positive RFI Test Cases | HTTP GET (Query String Parameters) | 0 out of 6 | None |
I used the default policy in the vast majority of scans (and verified the results with other policies). Results were consistent in all scans.
In all of the scans I also: disabled the HTTP header scanning options, limited the parallel connections to 1, and verified that the tool successfully crawled all the URLs. The tool seemed to successfully scan all the test cases, without any exceptional incidents.
Detection Accuracy |
94.0% Detection Rate (Previously Detected 92.00%) |
Initialized WIVET's session, limited the parallel connections to 1, enabled the "fetch default index files" feature, excluded the 100.php URL, defined a valid session identifier as a custom cookie, and, at the end of the scan wizard, disabled the "case insensitive" feature.