| Logo | Scanner | Version | Vendor |
|---|---|---|---|
| | Syhunt Mini (Sandcat Mini) | 4.4.3.0 | Syhunt |

Tested Against WAVSEP Version:
SQL Injection (SQLi) Detection Accuracy: 100.00% detection rate (136/136), 50.00% false positives (5/10)

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd), 2-19 |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd), 2-19 |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd), 2-19. Did not detect the experimental test cases (GET/POST). |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd), 2-19. Did not detect the experimental test cases (GET/POST). |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd), 2-19 |
| Valid 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd), 2-19 |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 8 out of 8 | Detected: 1-8 |
| Identical 200 Responses | HTTP POST (Body Parameters) | 8 out of 8 | Detected: 1-8 |
| False Positive SQLi Test Cases (cases wrongly flagged as vulnerable) | HTTP GET (Query String Parameters) | 5 out of 10 | Flagged: 2, 4, 6, 7, 8 |
Reflected XSS (RXSS) Detection Accuracy: 100.00% detection rate (66/66), 0.00% false positives (0/7)

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Reflected XSS | HTTP GET (Query String Parameters) | 33 out of 33 | Detected: 1-30 (1st & 2nd), 31, 32. RXSS-GET-Experimental: 1, 3 |
| Reflected XSS | HTTP POST (Body Parameters) | 33 out of 33 | Detected: 1-30 (1st & 2nd), 31, 32 |
| False Positive RXSS Test Cases (cases wrongly flagged as vulnerable) | HTTP GET (Query String Parameters) | 0 out of 7 | None |
Remote File Inclusion (RFI) Detection Accuracy: 44.44% detection rate (48/108), 0.00% false positives (0/6)

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 4 out of 9 | Detected: 1-4 |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 4 out of 9 | Detected: 1-4 (tested against forms with an action attribute, due to a bug in the form-parsing mechanism) |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 4 out of 9 | Detected: 1-4 |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 4 out of 9 | Detected: 1-4 (tested against forms with an action attribute, due to a bug in the form-parsing mechanism) |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 4 out of 9 | Detected: 1-4 |
| Valid 200 Responses | HTTP POST (Body Parameters) | 4 out of 9 | Detected: 1-4 (tested against forms with an action attribute, due to a bug in the form-parsing mechanism) |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 4 out of 9 | Detected: 1-4 |
| Identical 200 Responses | HTTP POST (Body Parameters) | 4 out of 9 | Detected: 1-4 (tested against forms with an action attribute, due to a bug in the form-parsing mechanism) |
| Redirect (302) Responses | HTTP GET (Query String Parameters) | 4 out of 9 | Detected: 1-4 |
| Redirect (302) Responses | HTTP POST (Body Parameters) | 4 out of 9 | Detected: 1-4 (tested against forms with an action attribute, due to a bug in the form-parsing mechanism) |
| Erroneous 404 Responses | HTTP GET (Query String Parameters) | 4 out of 9 | Detected: 1-4 |
| Erroneous 404 Responses | HTTP POST (Body Parameters) | 4 out of 9 | Detected: 1-4 (tested against forms with an action attribute, due to a bug in the form-parsing mechanism) |
| False Positive RFI Test Cases (cases wrongly flagged as vulnerable) | HTTP GET (Query String Parameters) | 0 out of 6 | None |
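The headline figures on this page (136/136, 66/66, 48/108, and the 5/10, 0/7, 0/6 false-positive counts) are sums over the "X out of Y" cells of each category's rows, with the false-positive line counting how many of the FP-only test cases the scanner wrongly reported. The script below is an added example, not code from the benchmark page or from Syhunt: it recomputes those summaries from rows transcribed from the page's tables and breaks each category down by input vector (GET vs. POST) so the symmetric 4-of-9 RFI result is visible per vector. The row data and the aggregation rule are assumptions about how the page derives its totals, checked against the totals the page prints.

```python
"""Recompute WAVSEP category summaries from per-row results.

Added example; not code from the original benchmark page or from Syhunt.
Row data is transcribed from the page's tables (constructed input). The
scoring rule assumed here matches the page's summary lines: detection rate
is sum(detected) / sum(total) across a category's rows, and the
false-positive rate is how many FP-only test cases were wrongly flagged.
"""
import re
from collections import defaultdict

_RATE_RE = re.compile(r"^\s*(\d+)\s+out\s+of\s+(\d+)")

# Rows transcribed from the page: (response type, input vector, rate cell).
SQLI_ROWS = [
    ("Erroneous 500 Responses", "GET", "20 out of 20"),
    ("Erroneous 500 Responses", "POST", "20 out of 20"),
    ("Erroneous 200 Responses", "GET", "20 out of 20"),
    ("Erroneous 200 Responses", "POST", "20 out of 20"),
    ("Valid 200 Responses", "GET", "20 out of 20"),
    ("Valid 200 Responses", "POST", "20 out of 20"),
    ("Identical 200 Responses", "GET", "8 out of 8"),
    ("Identical 200 Responses", "POST", "8 out of 8"),
]
SQLI_FP = "5 out of 10"

XSS_ROWS = [
    ("Reflected XSS", "GET", "33 out of 33"),
    ("Reflected XSS", "POST", "33 out of 33"),
]
XSS_FP = "0 out of 7"

RFI_ROWS = [
    (rtype, vector, "4 out of 9")
    for rtype in ("Erroneous 500 Responses", "Erroneous 200 Responses",
                  "Valid 200 Responses", "Identical 200 Responses",
                  "Redirect (302) Responses", "Erroneous 404 Responses")
    for vector in ("GET", "POST")
]
RFI_FP = "0 out of 6"


def parse_rate(cell):
    """Turn an 'X out of Y' cell into (detected, total), rejecting nonsense."""
    m = _RATE_RE.match(cell)
    if not m:
        raise ValueError(f"unparseable rate cell: {cell!r}")
    detected, total = int(m.group(1)), int(m.group(2))
    if total == 0 or detected > total:
        raise ValueError(f"inconsistent rate cell: {cell!r}")
    return detected, total


def summarize(rows, fp_cell):
    """Aggregate one category the way the page's headline line does."""
    detected = total = 0
    by_vector = defaultdict(lambda: [0, 0])
    for _, vector, cell in rows:
        d, t = parse_rate(cell)
        detected += d
        total += t
        by_vector[vector][0] += d
        by_vector[vector][1] += t
    fp_flagged, fp_total = parse_rate(fp_cell)
    return {
        "detected": detected,
        "total": total,
        "detection_rate": round(100.0 * detected / total, 2),
        "fp_flagged": fp_flagged,
        "fp_total": fp_total,
        "false_positive_rate": round(100.0 * fp_flagged / fp_total, 2),
        "by_vector": {v: tuple(c) for v, c in by_vector.items()},
    }


if __name__ == "__main__":
    for name, rows, fp in (("SQLi", SQLI_ROWS, SQLI_FP),
                           ("RXSS", XSS_ROWS, XSS_FP),
                           ("RFI", RFI_ROWS, RFI_FP)):
        s = summarize(rows, fp)
        print(f"{name}: {s['detection_rate']:.2f}% detection "
              f"({s['detected']}/{s['total']}), "
              f"{s['false_positive_rate']:.2f}% false positives "
              f"({s['fp_flagged']}/{s['fp_total']}), "
              f"per vector {s['by_vector']}")
```

The detection rate and the false-positive rate are deliberately kept as separate numbers rather than folded into one score: a 100% SQLi detection rate next to a 50% false-positive rate is a very different result from 100% with 0%, and combining them hides which half needs triage.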
The scans were executed against each individual directory, using the following commands:

```
SandcatCS.exe localhost:8080 -nodos -hm:xss -surl:/wavsep/active/index-xss.jsp
SandcatCS.exe localhost:8080 -nodos -hm:sqlinj -surl:/wavsep/active/index-sql.jsp
SandcatCS.exe localhost:8080 -nodos -hm:faultinj -surl:/wavsep/active/index-sql.jsp
SandcatCS.exe localhost:8080 -nodos -hm:complete -surl:/wavsep/active/index-obsolete.jsp
SandcatCS.exe localhost:8080 -nodos -hm:complete -surl:/wavsep/active/Obsolete-Files/ObsoleteFile-FalsePositives-GET/index.jsp
```

Since I could not customize the policies (and isolate the LFI/RFI plugins), I could not effectively scan the LFI test cases (816+), due to time constraints and the effect the other plugins had on accuracy. Due to various technical issues / potential bugs, I did not manage to scan WIVET using the product.