| Scanner | Version | Build | Vendor |
|---|---|---|---|
| JSky (Commercial Edition) | 3.5.1 | 905 | NoSec |
Tested Against WAVSEP Version:
SQL Injection Detection Accuracy (chart)

61.03% Detection Rate (83/136), 0.00% False Positives (0/10)

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Cases Detected: 1(1st&2nd)-19 |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 18 out of 20 | Cases Detected: 1(1st&2nd)-5,7-15,17-19; Cases Missed: 6,16 |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Cases Detected: 1(1st&2nd)-19 |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 18 out of 20 | Cases Detected: 1(1st&2nd)-5,7-15,17-19; Cases Missed: 6,16 |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 4 out of 20 | Cases Detected: 6,7,16,17; Cases Missed: 1(1st&2nd)-5,8-15,18,19 |
| Valid 200 Responses | HTTP POST (Body Parameters) | 2 out of 20 | Cases Detected: 7,17; Cases Missed: 1(1st&2nd)-6,8-16,18,19 |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 1 out of 8 | Cases Detected: 1; Cases Missed: 2-8 |
| Identical 200 Responses | HTTP POST (Body Parameters) | 0 out of 8 | Cases Missed: 1-8 |
| False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 0 out of 10 | None |
Reflected XSS Detection Accuracy (chart)

50.00% Detection Rate (33/66), 0.00% False Positives (0/7)

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Reflected XSS | HTTP GET (Query String Parameters) | 17 out of 33 | Cases Detected: 1-5,9,22-30(1st&2nd),32; Cases Missed: 6-8,10-21,31 |
| Reflected XSS | HTTP POST (Body Parameters) | 16 out of 33 | Cases Detected: 1-5,9,22-30(1st&2nd); Cases Missed: 6-8,10-21,31,32 |
| False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 0 out of 7 | None |
Local File Inclusion (LFI) Detection Accuracy (chart)

48.53% Detection Rate (396/816), 12.50% False Positives (1/8)

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 33 out of 68 | Detected: 1-6,9-12,15-18,21,22,24,37-44,53-60 |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 33 out of 68 | Detected: 1-6,9-12,15-18,21,22,24,37-44,53-60 (tested against a special test-case version with the action attribute defined in forms; otherwise the scanner does not crawl them) |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 33 out of 68 | Detected: 1-6,9-12,15-18,21,22,24,37-44,53-60 |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 33 out of 68 | Detected: 1-6,9-12,15-18,21,22,24,37-44,53-60 (tested against a special test-case version with the action attribute defined in forms; otherwise the scanner does not crawl them) |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 33 out of 68 | Detected: 1-6,9-12,15-18,21,22,24,37-44,53-60 |
| Valid 200 Responses | HTTP POST (Body Parameters) | 33 out of 68 | Detected: 1-6,9-12,15-18,21,22,24,37-44,53-60 (tested against a special test-case version with the action attribute defined in forms; otherwise the scanner does not crawl them) |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 33 out of 68 | Detected: 1-6,9-12,15-18,21,22,24,37-44,53-60 |
| Identical 200 Responses | HTTP POST (Body Parameters) | 33 out of 68 | Detected: 1-6,9-12,15-18,21,22,24,37-44,53-60 (tested against a special test-case version with the action attribute defined in forms; otherwise the scanner does not crawl them) |
| Redirect (302) Responses | HTTP GET (Query String Parameters) | 33 out of 68 | Detected: 1-6,9-12,15-18,21,22,24,37-44,53-60 |
| Redirect (302) Responses | HTTP POST (Body Parameters) | 33 out of 68 | Detected: 1-6,9-12,15-18,21,22,24,37-44,53-60 (tested against a special test-case version with the action attribute defined in forms; otherwise the scanner does not crawl them) |
| Erroneous 404 Responses | HTTP GET (Query String Parameters) | 33 out of 68 | Detected: 1-6,9-12,15-18,21,22,24,37-44,53-60 |
| Erroneous 404 Responses | HTTP POST (Body Parameters) | 33 out of 68 | Detected: 1-6,9-12,15-18,21,22,24,37-44,53-60 (tested against a special test-case version with the action attribute defined in forms; otherwise the scanner does not crawl them) |
| False Positive LFI Test Cases | HTTP GET (Query String Parameters) | 1 out of 8 | RFI test cases detected as LFI. |
Remote File Inclusion (RFI) Detection Accuracy (chart)

22.22% Detection Rate (24/108), 0.00% False Positives (0/6)

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 2 out of 9 | Detected: 1,3 (reported as LFI) |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 2 out of 9 | Detected: 1,3 (reported as LFI; tested against a special test-case version with the action attribute defined in forms) |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 2 out of 9 | Detected: 1,3 (reported as LFI) |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 2 out of 9 | Detected: 1,3 (reported as LFI; tested against a special test-case version with the action attribute defined in forms) |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 2 out of 9 | Detected: 1,3 (reported as LFI) |
| Valid 200 Responses | HTTP POST (Body Parameters) | 2 out of 9 | Detected: 1,3 (reported as LFI; tested against a special test-case version with the action attribute defined in forms) |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 2 out of 9 | Detected: 1,3 (reported as LFI) |
| Identical 200 Responses | HTTP POST (Body Parameters) | 2 out of 9 | Detected: 1,3 (reported as LFI; tested against a special test-case version with the action attribute defined in forms) |
| Redirect (302) Responses | HTTP GET (Query String Parameters) | 2 out of 9 | Detected: 1,3 (reported as LFI) |
| Redirect (302) Responses | HTTP POST (Body Parameters) | 2 out of 9 | Detected: 1,3 (reported as LFI; tested against a special test-case version with the action attribute defined in forms) |
| Erroneous 404 Responses | HTTP GET (Query String Parameters) | 2 out of 9 | Detected: 1,3 (reported as LFI) |
| Erroneous 404 Responses | HTTP POST (Body Parameters) | 2 out of 9 | Detected: 1,3 (reported as LFI; tested against a special test-case version with the action attribute defined in forms) |
| False Positive RFI Test Cases | HTTP GET (Query String Parameters) | 0 out of 6 | None |
The scans were executed with the following configuration:
"can go up", "Urls are case sensitive", "extract urls from javascript", 1-8 threads (1 for WIVET), "Crawl first and then scan", "Deeply execute javascript", and a designated scan policy for each directory (custom policies for XSS / SQLi / LFI, each including all the relevant plugins). In the case of LFI/RFI vulnerabilities, JSky did not detect any POST exposures at first; I then discovered that the problem was related to a bug in the crawling mechanism, which did not submit forms without an action property, and created a version of the test cases that does use the action property.
WIVET Detection Accuracy (chart)

44.0% Detection Rate

I initialized WIVET's session, limited the spider threads to a single thread, removed any directory location restrictions from the scanner, defined a valid session identifier using the scan wizard, instructed the scanner to "deeply execute javascript", and finally edited menu.php in WIVET to exclude the logout URL (100.php).
I verified the results twice, and they came out the same.