| Logo | Scanner | Version | Build | Vendor |
|---|---|---|---|---|
| | IBM AppScan | 9.0.0.999 / 8.8.0.0 | 466 | IBM Security Systems Division |

Tested Against WAVSEP Version:
Detection Accuracy: 100.00% Detection Rate, 0.00% False Positives (136/136 detected, 0/10 false positives)

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd), 2-19 |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd), 2-19 |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd), 2-19; 200Error-Experimental-GET: 1 |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd), 2-19; 200Error-Experimental-POST: 1 |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd), 2-19 |
| Valid 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd), 2-19 |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 8 out of 8 | Detected: 1-8 |
| Identical 200 Responses | HTTP POST (Body Parameters) | 8 out of 8 | Detected: 1-8 |
| False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 0 out of 10 | The optional plugin "SQL Injection File Write" (not enabled by default) identifies the index page as vulnerable. Previously Detected: 2, 4, 6 |
Detection Accuracy: 100.00% Detection Rate, 0.00% False Positives (66/66 detected, 0/7 false positives)

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Reflected XSS | HTTP GET (Query String Parameters) | 33 out of 33 | Detected: 1-30 (1st & 2nd), 31, 32; RXSS-Experimental-GET: 1-3 (Previously Detected More: 13, 7, 8, 9, 10, 11) |
| Reflected XSS | HTTP POST (Body Parameters) | 33 out of 33 | Detected: 1-30 (1st & 2nd), 31, 32; RXSS-Experimental-GET: 1-3 (Previously Detected More: 13, 7, 8, 9, 10, 11) |
| False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 0 out of 7 | None |
Detection Accuracy: 100.00% Detection Rate, 0.00% False Positives (816/816 detected, 0/8 false positives)

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected: 1, 3, 5, 9-12, 15-18, 21, 22, 24, 37-44, 53-60) |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected: 1, 3, 5, 7, 9-24, 37-44, 53-60) |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected: 1, 3, 5, 9-12, 15-18, 21, 22, 24, 37-44, 53-60) |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected: 1, 3, 5, 7, 9-24, 37-44, 53-60) |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected: 1, 3, 5, 9-12, 15-18, 21, 22, 24, 37-44, 53-60) |
| Valid 200 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected: 1, 3, 5, 7, 9-24, 37-44, 53-60) |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected: 1, 3, 5, 9-12, 15-18, 21, 22, 24, 37-44, 53-60) |
| Identical 200 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected: 1, 3, 5, 7, 9-24, 37-44, 53-60) |
| Redirect (302) Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected: 1, 3, 5, 9-12, 15-18, 21, 22, 24, 37-44, 53-60) |
| Redirect (302) Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected: 1, 3, 5, 7, 9-24, 37-44, 53-60) |
| Erroneous 404 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected: 1, 3, 5, 9-12, 15-18, 21, 22, 24, 37-44, 53-60) |
| Erroneous 404 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (Previously Detected: 1, 3, 5, 7, 9-24, 37-44, 53-60) |
| False Positive LFI Test Cases | HTTP GET (Query String Parameters) | 0 out of 8 | None |
Detection Accuracy: 100.00% Detection Rate, 0.00% False Positives (108/108 detected, 0/6 false positives)

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
| Valid 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
| Identical 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
| Redirect (302) Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
| Redirect (302) Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
| Erroneous 404 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
| Erroneous 404 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
| False Positive RFI Test Cases | HTTP GET (Query String Parameters) | 0 out of 6 | None |
I configured the tool according to the detailed recommendations I received from the relevant personnel at IBM AppScan:
General Configuration Values:

- Communication and Proxy -> Number of Threads -> 1
- Communication and Proxy -> Timeout -> 15 (default)
- Automatic Form Fill -> User & Password Defined (anything but null, in order to handle a bug)
- Test Options -> Disabled Adaptive Testing (URL Rewrite Prevention)
- Advanced Configuration -> Similarity Threshold -> 99
- For LFI/RFI: Advanced Configuration -> Communication -> Treat Error Response as Valid = 2

SQL Injection Scan Plugins: SQL Injection, Blind SQL Injection, Blind SQL Injection (Time Based), Database Error Pattern Found

XSS Scan Plugins: Cross Site Scripting (All Variants)

RFI/LFI Scan Plugins: Windows File Parameter Alteration, Unix File Parameter Alteration, Poison NullByte Windows File Retrieval, Poison NullByte Unix File Retrieval, Server Side Directories File Retrieval, Remote RSS Feed Inclusion, PHP Remote File Inclusion, PHP Remote File Inclusion on Cookie, JSP File Inclusion, Cross Site Scripting using Malicious RSS Feed Inclusion

Obsolete Files: various "Backup" related plugins and also all inclusive policies

Unvalidated Redirect: dedicated plugins and also all inclusive policies
Detection Accuracy: 92.0% Detection Rate

Previous Score: 91.00%

Initialized WIVET's session, limited the spider threads to a single thread, defined Fiddler as an outgoing proxy and defined a valid session identifier in Fiddler's filter feature, excluded the logout URL in AppScan (100.php), enabled the various Flash parsing & execution features in the configuration (increased the Depth, Click and Screen Limit to 1000), selected depth first in the explore options,