| Scanner | Version | Build | Vendor |
|---|---|---|---|
| Netsparker | 4.1.1.0 | 2015.06.16.1433 | Netsparker Ltd |

Tested Against WAVSEP Version:
Detection Accuracy: 100.00% Detection Rate (136/136), 0.00% False Positives (0/10)

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1(1st&2nd)-19 |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1(1st&2nd)-19 |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1(1st&2nd)-19; 200-Experimental-GET: 1 |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1(1st&2nd)-19; 200-Experimental-POST: 1 |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1(1st&2nd)-19 |
| Valid 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1(1st&2nd)-19 |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 8 out of 8 | Detected: 1-8 |
| Identical 200 Responses | HTTP POST (Body Parameters) | 8 out of 8 | Detected: 1-8 |
| False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 0 out of 10 | None |
Detection Accuracy: 100.00% Detection Rate (66/66), 0.00% False Positives (0/7)

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Reflected XSS | HTTP GET (Query String Parameters) | 33 out of 33 | Detected: 1-30(1st&2nd), 31, 32; XSS-GET-Experimental: 1,3,4,7; Possible: 8-11; FH/BTH: 5,6 (Previously Detected: 1-26, 28-30(1st&2nd), 31, 32; Experimental-GET: 1,3,4) |
| Reflected XSS | HTTP POST (Body Parameters) | 33 out of 33 | Detected: 1-30(1st&2nd), 31, 32; XSS-POST-Experimental: 1,3,4,7; Possible: 8-11; FH/BTH: 5,6 (Previously Detected: 1-26, 28-30(1st&2nd), 31, 32; Experimental-POST: 1,3,4) |
| False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 0 out of 7 | None |
Detection Accuracy: 100.00% Detection Rate (816/816), 0.00% False Positives (0/8)

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected - Confirmed: 1,3,5,7,9-24,38,40,42,44,54,56,58,60; Probable: 37,53; Possible: 28-30,39,47,48,55,63,64) |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected - Confirmed: 1,3,5,7,9-24,38,40,42,44,54,56,58,60; Probable: 37,53; Possible: 28-30,39,47,48,55,63,64) |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected - Confirmed: 1,3,5,7,9-24,38,40,42,44,54,56,58,60; Probable: 37,53; Possible: 28-30,39,47,48,55,63,64) |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected - Confirmed: 1,3,5,7,9-24,38,40,42,44,54,56,58,60; Probable: 37,53; Possible: 28-30,39,47,48,55,63,64) |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected - Confirmed: 1,3,5,7,9-24,38,40,42,44,54,56,58,60; Probable: 37,53; Possible: 28-30,39,47,48,55,63,64) |
| Valid 200 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected - Confirmed: 1,3,5,7,9-24,38,40,42,44,54,56,58,60; Probable: 37,53; Possible: 28-30,39,47,48,55,63,64) |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected - Confirmed: 1,3,5,7,9-24,38,40,42,44,54,56,58,60; Probable: 37,53; Possible: 28-30,39,47,48,55,63,64) |
| Identical 200 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected - Confirmed: 1,3,5,7,9-24,38,40,42,44,54,56,58,60; Probable: 37,53; Possible: 28-30,39,47,48,55,63,64) |
| Redirect (302) Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected - Confirmed: 1,3,5,7,9-24,38,40,42,44,54,56,58,60; Probable: 37,53; Possible: 28-30,39,47,48,55,63,64) |
| Redirect (302) Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected - Confirmed: 1,3,5,7,9-24,38,40,42,44,54,56,58,60; Probable: 37,53; Possible: 28-30,39,47,48,55,63,64) |
| Erroneous 404 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Full score requires MAX 404 to be set to 250 or more; might be fixed in the newest release. Detected: 1-68 (Previously Detected: 1-17,21,24,25,28,31,34,37-68) |
| Erroneous 404 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Full score requires MAX 404 to be set to 250 or more; might be fixed in the newest release. Detected: 1-68 (Previously Detected: 1-17,21,24,25,28,31,34,37,39-44,46-53,55-60,62-68) |
| False Positive LFI Test Cases | HTTP GET (Query String Parameters) | 0 out of 8 | None |
Detection Accuracy: 100.00% Detection Rate (108/108), 0.00% False Positives (0/6)

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 (XSS via RFI) (Previously Detected: 1-4) |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 (XSS via RFI) (Previously Detected: 1-4) |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 (XSS via RFI) (Previously Detected: 1-4) |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 (XSS via RFI) (Previously Detected: 1-4) |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 (XSS via RFI) (Previously Detected: 1-4) |
| Valid 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 (XSS via RFI) (Previously Detected: 1-4) |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 (XSS via RFI) (Previously Detected: 1-4) |
| Identical 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 (XSS via RFI) (Previously Detected: 1-4) |
| Redirect (302) Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 (XSS via RFI) (Previously Detected: 1-4) |
| Redirect (302) Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 (XSS via RFI) (Previously Detected: 1-4) |
| Erroneous 404 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 (XSS via RFI) (Previously Detected: 1-4) |
| Erroneous 404 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 (XSS via RFI) (Previously Detected: 1-4) |
| False Positive RFI Test Cases | HTTP GET (Query String Parameters) | 0 out of 6 | None |
Since I was already familiar with Netsparker, I was aware of an optimization feature called Heuristic URL Rewrite Support, which is supposed to prevent the tool from re-scanning similar URLs, and since this feature affects the accuracy of WAVSEP assessments, it was disabled for the purposes of the various scans (in each one of the default and custom scan policies I used).

The scanning process was performed with 1-6 threads, while enabling only the relevant set of plugins for each directory (LFI/RFI, XSS and all the SQLi plugins, Backup Files and Redirect). Whenever there was a suspicion of thread collision or another non-scanner-related accuracy issue, I rescanned a smaller group of URLs with fewer threads to verify the results.

While defining custom policies, I used the vendor-recommended WAVSEP configuration, which is available online. In addition to disabling the URL Rewrite detection, in the configuration I enabled the Wait Resource Finder, Text Parser, Fallback To Get and Analyze Javascript / AJAX options under the Crawling section, set the Max 404 pages to attack to 250, set the common directory value to 150 directory names, enabled the Simulate All feature in the Open Redirection section, and enabled the Bypass Scope for Static Checks feature under the Scope section. After stumbling on what seemed to be a GUI configuration bug (reported to the vendor and fixed), I extended the Max 404 pages to attack in the configuration to 2500 for all obsolete file scans, which seemed to have a positive effect on both detection and false positive reduction. I used the "Static Resources", "Signatures", "HTML Content", "Backup Files" and "Common Directories" (150 directory names) plugins for the obsolete / hidden file scans (I also scanned with the "All Checks" policy to verify I didn't miss any plugins).
Detection Accuracy: 92.0% Detection Rate

I initialized WIVET's session, selected a custom passive policy, defined a valid session identifier and excluded the logout URLs (logout.php, 100.php).