| Logo | Scanner | Version | Vendor |
|---|---|---|---|
| | Netsparker Community Edition | 3.1.6.0 | Netsparker Ltd |

Tested Against WAVSEP Version:

Detection Accuracy (SQL Injection)

| Detection Rate | False Positives |
|---|---|
| 72.06% (98/136) | 30.00% (3/10) |
| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19 |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19 |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19 |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19 |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 8 out of 20 | Detected: 1(2nd),3,6,11,12,13,15,16 (Previously Detected: 1(2nd),3,6,12,13,15,16) |
| Valid 200 Responses | HTTP POST (Body Parameters) | 8 out of 20 | Detected: 1(2nd),3,6,11,12,13,15,16 (Previously Detected: 1(2nd),3,6,12,13,15,16) |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 1 out of 8 | Detected: 1; Missed: 2-8 |
| Identical 200 Responses | HTTP POST (Body Parameters) | 1 out of 8 | Detected: 1; Missed: 2-8 |
| False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 3 out of 10 reported as vulnerable (false positives) | 2,4,6 (reported as "Probable", but hidden in the community edition) |
Detection Accuracy (Reflected XSS)

| Detection Rate | False Positives |
|---|---|
| 78.79% (52/66) | 0.00% (0/7) |
| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Reflected XSS | HTTP GET (Query String Parameters) | 33 out of 33 | Detected: 1-30(1st&2nd),31,32 (Previously Detected: 1-9,16,22-26,28-30(1st&2nd),31,32); GET-Experimental: 1,3,4,8,11 |
| Reflected XSS | HTTP POST (Body Parameters) | 19 out of 33 | Detected: 1-19 (Previously Detected: 1-9,16,22-26,28-30(1st&2nd),31,32); POST-Experimental: 1,3,4,8,11 |
| False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 0 out of 7 reported as vulnerable (false positives) | None |
I used 1-6 threads (multiple scans) to scan the various directories, and scanned each directory individually with 2 policies: "community edition checks" and "All Checks". The scan went well without any exceptions (no trace of the previous VBScript issue).

Although "Backup Files" is officially listed as a plugin in the community edition policy, for some reason it did not disclose the results of its scan (it notified that the feature is only available in the standard or enterprise edition), and thus no results are provided for this category.
Detection Accuracy (WIVET; result carried over from the previous Netsparker CE version, see the notes below)

| Detection Rate |
|---|
| 91.0% |
For some reason the system proxy feature did not work properly with the new version of Netsparker CE (it ignored it on XP), so I was not able to forward the communication through Fiddler and customize the cookie. Since the custom cookie feature was disabled in the free edition, I wasn't able to scan WIVET, and couldn't spare the time to work around the issue.

The WIVET result presented is the result that the previous version of Netsparker CE had, which was obtained using the following process: initialized WIVET's session, disabled all scan plugins (except the spider), limited the spider to a single thread, defined a valid session identifier, and excluded the logout URL (100.php), even though I had already removed it manually from WIVET's menu. I verified the results twice, and they came out the same.
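The two settings that the WIVET procedure above depends on (one fixed, valid session identifier on every crawled request, and the logout URL never being requested) can be enforced outside the scanner by a small local forwarding proxy, which is the kind of workaround the proxy/cookie limitation of the free edition blocked. The following is an added example written for this page; it is not code from the benchmark, from WIVET, or from Netsparker. The cookie name `PHPSESSID`, the placeholder session value, and the listening address `127.0.0.1:8081` are assumptions for illustration; `100.php` is the logout URL the text names.

```python
"""Added example (not from the page, WIVET, or Netsparker): a plain HTTP
forward proxy that pins the WIVET session cookie on every request and
refuses to forward the logout URL. Point the scanner's HTTP proxy setting
at LISTEN below; the scanner then sends absolute URLs in its request lines.
Assumed placeholders: SESSION_COOKIE, FIXED_SESSION_ID, LISTEN."""
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

SESSION_COOKIE = "PHPSESSID"                                 # assumed cookie name
FIXED_SESSION_ID = "replace-with-a-valid-wivet-session-id"  # assumed placeholder value
EXCLUDED_BASENAMES = ("100.php",)                            # logout URL named on the page
LISTEN = ("127.0.0.1", 8081)                                 # assumed proxy address
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "te", "trailer",
              "transfer-encoding", "upgrade", "proxy-authorization"}


def is_excluded(url: str) -> bool:
    """True when the request targets the logout page, which must never be crawled."""
    basename = urlsplit(url).path.rsplit("/", 1)[-1]
    return basename in EXCLUDED_BASENAMES


def pin_session_cookie(cookie_header):
    """Rewrite a Cookie header so the session cookie always carries FIXED_SESSION_ID.

    Other cookies the scanner sends are kept; if no session cookie is present
    one is appended, so the crawl can never drift into a fresh WIVET session.
    """
    parts, seen = [], False
    for item in (cookie_header or "").split(";"):
        item = item.strip()
        if not item:
            continue
        name = item.split("=", 1)[0].strip()
        if name == SESSION_COOKIE:
            parts.append(f"{SESSION_COOKIE}={FIXED_SESSION_ID}")
            seen = True
        else:
            parts.append(item)
    if not seen:
        parts.append(f"{SESSION_COOKIE}={FIXED_SESSION_ID}")
    return "; ".join(parts)


def outbound_headers(headers) -> dict:
    """Build the upstream request headers: hop-by-hop headers dropped, cookie pinned."""
    out = {k: v for k, v in headers.items()
           if k.lower() not in HOP_BY_HOP and k.lower() != "cookie"}
    out["Cookie"] = pin_session_cookie(headers.get("Cookie"))
    out["Connection"] = "close"
    return out


class SessionPinningProxy(BaseHTTPRequestHandler):
    """Forward proxy handler; one upstream connection per scanner request."""
    protocol_version = "HTTP/1.1"

    def _forward(self):
        if is_excluded(self.path):
            self.send_error(403, "logout URL excluded from the crawl")
            return
        target = urlsplit(self.path)
        if target.scheme != "http" or not target.hostname:
            self.send_error(400, "absolute http:// URL required")
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        path = (target.path or "/") + (f"?{target.query}" if target.query else "")
        upstream = http.client.HTTPConnection(target.hostname, target.port or 80, timeout=30)
        try:
            upstream.request(self.command, path, body=body,
                             headers=outbound_headers(self.headers))
            resp = upstream.getresponse()
            data = resp.read()
            self.send_response(resp.status, resp.reason)
            for name, value in resp.getheaders():
                # Set-Cookie is passed through; the next request is re-pinned anyway.
                if name.lower() not in HOP_BY_HOP and name.lower() != "content-length":
                    self.send_header(name, value)
            self.send_header("Content-Length", str(len(data)))
            self.send_header("Connection", "close")
            self.end_headers()
            self.wfile.write(data)
        finally:
            upstream.close()

    do_GET = do_POST = do_HEAD = _forward


if __name__ == "__main__":
    print(f"session-pinning proxy listening on {LISTEN[0]}:{LISTEN[1]}")
    ThreadingHTTPServer(LISTEN, SessionPinningProxy).serve_forever()
```

Because the cookie is rewritten on every request rather than only once, a Set-Cookie from the target cannot move the crawler into a new session, which is the failure mode that a manually configured cookie in the scanner does not protect against. The proxy speaks plain HTTP only, which is what WIVET in the benchmark setup uses.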