Scanner: N-Stalker 2012 Free Edition
Version: 10.13.11.31
Build: b31
Vendor: N-Stalker

Tested Against WAVSEP Version:
1.5

The Reflected XSS Detection Accuracy of the Scanner:
Detection Accuracy:
95.45% Detection Rate (63/66)
0.00% False Positives (0/7)
| Response Type | Input Vector | Detection Rate | Details |
| --- | --- | --- | --- |
| Reflected XSS | HTTP GET (Query String Parameters) | 32 out of 33 | Detected: 1-30 (1st & 2nd), 32. Missed: 31. RXSS-Experimental-GET: 1, 3, 4 (Previously Detected: 1-5, 30 (1st & 2nd), 32) |
| Reflected XSS | HTTP POST (Body Parameters) | 31 out of 33 | Detected: 1-8, 10-30 (1st & 2nd), 32 |
| False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 0 out of 7 | None |

WAVSEP Scan Log:
Prior to testing, I updated my N-Stalker 2012 free edition to the latest version (31 December, 2013), and also updated the various tool databases to their latest version. I started a new scan with a custom XSS policy and also used the Full XSS Assessment Scan policy to separately scan each of the XSS-vulnerable directories in WAVSEP.
I tried scanning using various configurations, with and without optimizations.
The tool was limited to scanning 500 URLs in one scan, and also produced better results when scanning each directory individually.

The WIVET Score of the Scanner:
16.0% Detection Rate

WIVET Scan Log:
Initialized WIVET's session, defined Fiddler as an outgoing proxy and defined a valid session identifier in Fiddler's filter feature, excluded the logout URL in appscan (100.php), and tried scanning with various configuration options (enabled the optional parse javascript and parse error pages crawler options, tried with and without checks, with optimizations, while increasing the spider's various restrictions, etc.).

Copyright © 2010-2016 by Shay Chen. All rights reserved.