| Scanner | Version | Build | Vendor |
| --- | --- | --- | --- |
| N-Stalker 2012 Free Edition | 10.13.11.31 | b31 | N-Stalker |
Tested Against WAVSEP Version:
| Detection Accuracy | Result |
| --- | --- |
| Detection Rate | 95.45% (63/66) |
| False Positives | 0.00% (0/7) |
| Response Type | Input Vector | Detection Rate | Details |
| --- | --- | --- | --- |
| Reflected XSS | HTTP GET (Query String Parameters) | 32 out of 33 | Detected: 1-30 (1st & 2nd), 32. Missed: 31. RXSS-Experimental-GET: 1, 3, 4 (previously detected: 1-5, 30 (1st & 2nd), 32) |
| Reflected XSS | HTTP POST (Body Parameters) | 31 out of 33 | Detected: 1-8, 10-30 (1st & 2nd), 32 |
| False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 0 out of 7 | None |
Prior to testing, I updated my N-Stalker 2012 free edition to the latest version (31 December, 2013), and also updated the various tool databases to their latest version. I started a new scan with a custom XSS policy and also used the Full XSS Assessment Scan policy to separately scan each of the XSS-vulnerable directories in WAVSEP.
I tried scanning using various configurations, with and without optimizations. The tool was limited to scanning 500 URLs in one scan, and also produced better results when scanning each directory individually.
| Detection Accuracy | Result |
| --- | --- |
| Detection Rate | 16.0% |
Initialized WIVET's session, defined Fiddler as an outgoing proxy and defined a valid session identifier in Fiddler's filter feature, excluded the logout URL in AppScan (100.php), and tried scanning with various configuration options (enabled the optional "parse javascript" and "parse error pages" crawler options, tried with and without checks, with optimizations, while increasing the spider's various restrictions, etc.).