Detailed Scan Results - IronWASP - WAVSEP Benchmark 2014/2016

Logo	Scanner	Version	Vendor
	IronWASP	0.9.7.4	Lavakumar Kuppan

Tested Against WAVSEP Version:

1.5

The SQL Injection Detection Accuracy of the Scanner:

Detection Accuracy

Chart

99.26% Detection Rate
0.00% False Positives

(135/136)
(0/10)

Response Type	Input Vector	Detection Rate	Details
Errorneous 500 Responses	HTTP GET (Query String Parameters)	20 out of 20	Detected: 1(1st&end),2-19
Errorneous 500 Responses	HTTP POST (Body Parameters)	20 out of 20	Detected: 1(1st&2nd),2-19
Errorneous 200 Responses	HTTP GET (Query String Parameters)	20 out of 20	Detected: 1(1st&2nd),2-19 GET-Experimental: 1
Errorneous 200 Responses	HTTP POST (Body Parameters)	20 out of 20	Detected: 1(1st&2nd),2-19 POST-Experimental: 1
Valid 200 Responses	HTTP GET (Query String Parameters)	20 out of 20	Detected: 1(1st&2nd),2-19
Valid 200 Responses	HTTP POST (Body Parameters)	20 out of 20	Detected: 1(1st&2nd),2-19
Identical 200 Responses	HTTP GET (Query String Parameters)	7 out of 8	Detected: 1,2,3,5,6,7,8 (Verified 3 Times - Inconsistent, Sometimes detectes 1,2,3,4,6) Previously Detected: 1-8
Identical 200 Responses	HTTP POST (Body Parameters)	8 out of 8	Detected: 1-8
False Positive SQLi Test Cases	HTTP GET (Query String Parameters)	0 out of 10	None (Previously Detected 2,4,6,7,8)

The Reflected XSS Detection Accuracy of the Scanner:

Detection Accuracy

Chart

100.00% Detection Rate
0.00% False Positives

(66/66)
(0/7)

Response Type	Input Vector	Detection Rate	Details
Reflected XSS	HTTP GET (Query String Parameters)	33 out of 33	Detected: 1-29,30(1st&2nd),31,32 GET-Experimental: 1,3,5,6,7,8,9,10,11 DXSS-GET-Experimental: 1,2,3,4 (Previously Detected: 1-15,22-30(1st&2nd) RXSS-GET-Experimental: 1)
Reflected XSS	HTTP POST (Body Parameters)	33 out of 33	Detected: 1-29,30(1st&2nd),31,32 POST-Experimental: 1,3,5,6,7,8,9,10,11 (Previously Detected: 1-15,22-30(1st&2nd) RXSS-POST-Experimental: 1)
False Positive RXSS Test Cases	HTTP GET (Query String Parameters)	0 out of 7	None

The Local File Inclusion Detection Accuracy of the Scanner:

Detection Accuracy

Chart

53.06% Detection Rate
0.00% False Positives

(433/816)
(0/8)

Response Type	Input Vector	Detection Rate	Details
Errorneous 500 Responses	HTTP GET (Query String Parameters)	37 out of 68	Detected: 1,4,5,7,9-16,18-21,23-25,28,37,39,40,41,43,45-48,53,56,57,59,61-64 (Inconsistent)* (Previously Detected: 1,3,5,7,9-25,28,38,40,42,44,46,48,54,56,58,60,62,64)
Errorneous 500 Responses	HTTP POST (Body Parameters)	31 out of 68	Detected: 1,3,4,7,9,10,14-17,21,22,24,25,28,37,39-41,43,46-48,53,55-57,59,62-64 (Inconsistent)* (Previously Detected: 1,3,5,7,9-25,28,38,40,42,44,46,48,54,56,58,60,62,64)
Errorneous 200 Responses	HTTP GET (Query String Parameters)	39 out of 68	Detected: 1,4,5,7,9-21,23-25,28,37,39-41,43,45-48,53,55-57,59,61-64 (Inconsistent)* (Previously Detected: 1,3,5,7,9-25,28,38,40,42,44,46,48,54,56,58,60,62,64)
Errorneous 200 Responses	HTTP POST (Body Parameters)	36 out of 68	Detected: 1,4,5,7,9-11,13-17,19-25,28,37,39-41,43,46-48,53,55-57,59,62-64 (Inconsistent)* (Previously Detected: 1,3,5,7,9-25,28,38,40,42,44,46,48,54,56,58,60,62,64)
Valid 200 Responses	HTTP GET (Query String Parameters)	40 out of 68	Detected: 1,4,5,7,9-25,28,37,39-41,43,45-48,53,55-57,59,61-64 (Inconsistent)* (Previously Detected: 1,3,5,7,9-25,28,38,40,42,44,46,48,54,56,58,60,62,64)
Valid 200 Responses	HTTP POST (Body Parameters)	33 out of 68	Detected: 3,4,5,7,9-11,14-17,20-22,24,25,28,37,39,40,41,43,46-48,53,55-57,59,62-64 (Inconsistent)* (Previously Detected: 1,3,5,7,9-25,28,38,40,42,44,46,48,54,56,58,60,62,64)
Identical 200 Responses	HTTP GET (Query String Parameters)	40 out of 68	Detected: 1,4,5,7,9-25,28,37,39-41,43,45-48,53,55-57,59,61-64 (Inconsistent)* (Previously Detected: 1,3,5,7,9-25,28,38,40,42,44,46,48,54,56,58,60,62,64)
Identical 200 Responses	HTTP POST (Body Parameters)	34 out of 68	DetectedL 1,3,4,9-11,13-17,20-25,28,37,39-41,43,46-48,53,55-57,59,62,63,64 (Inconsistent)* (Previously Detected: 1,3,5,7,9-25,28,38,40,42,44,46,48,54,56,58,60,62,64)
Redirect (302) Responses	HTTP GET (Query String Parameters)	38 out of 68	Detected: 1,4,5,9-17,19-25,28,37,39-41,43,45-48,53,55-57,59,61-64 (Inconsistent)* (Previously Detected: 1,3,5,7,9-25,28,38,40,42,44,46,48,54,56,58,60,62,64)
Redirect (302) Responses	HTTP POST (Body Parameters)	32 out of 68	Detected: 1,3,4,9-11,13-16,19-21,23-25,28,37,39-41,43,46-48,53,55-57,59,62,63 (Inconsistent)* (Previously Detected: 1,3,5,7,9-25,28,38,40,42,44,46,48,54,56,58,60,62,64)
Erroneous 404 Responses	HTTP GET (Query String Parameters)	40 out of 68	Detected: 1,4,5,7,9-25,28,37,39-41,43,45-48,53,55-57,59,61-64 (Inconsistent)* (Previously Detected: 1,3,5,7,9-25,28,38,40,42,44,46,48,54,56,58,60,62,64)
Erroneous 404 Responses	HTTP POST (Body Parameters)	33 out of 68	Detected: 1,3,4,5,7,9,10,12,14-16,20,21,23-25,28,37,39-41,43,46-48,53,55-57,59,62-64 (Inconsistent)* (Previously Detected: 1,3,5,7,9-25,28,38,40,42,44,46,48,54,56,58,60,62,64)
False Positive Lfi Test Cases	HTTP GET (Query String Parameters)	0 out of 8	None

The Remote File Inclusion Detection Accuracy of the Scanner:

Detection Accuracy

Chart

77.78% Detection Rate
0.00% False Positives

(84/108)
(0/6)

Response Type	Input Vector	Detection Rate	Details
Errorneous 500 Responses	HTTP GET (Query String Parameters)	7 out of 9	Detected: 1-7 as RFI, 8,9 as LFI (Not included in score)
Errorneous 500 Responses	HTTP POST (Body Parameters)	7 out of 9	Detected (Inconsistent):1-7 as RFI, 8,9 as LFI (Not included in score)
Errorneous 200 Responses	HTTP GET (Query String Parameters)	7 out of 9	Detected: 1-7 as RFI, 8,9 as LFI (Not included in score)
Errorneous 200 Responses	HTTP POST (Body Parameters)	7 out of 9	Detected (Inconsistent): 1-7 as RFI, 8,9 as LFI (Not included in score)
Valid 200 Responses	HTTP GET (Query String Parameters)	7 out of 9	Detected (Inconsistent): 1-7 as RFI, 8,9 as LFI (Not included in score)
Valid 200 Responses	HTTP POST (Body Parameters)	7 out of 9	Detected (Inconsistent): 1-7 as RFI, 8,9 as LFI (Not included in score)
Identical 200 Responses	HTTP GET (Query String Parameters)	7 out of 9	Detected: 1-7 as RFI, 8,9 as LFI (Not included in score)
Identical 200 Responses	HTTP POST (Body Parameters)	7 out of 9	Detected (Inconsistent): 1-7 as RFI, 8,9 as LFI (Not included in score)
Redirect (302) Responses	HTTP GET (Query String Parameters)	7 out of 9	Detected: 1-7 as RFI, 8,9 as LFI (Not included in score)
Redirect (302) Responses	HTTP POST (Body Parameters)	7 out of 9	Detected (Inconsistent): 1-7 as RFI, 8,9 as LFI (Not included in score)
Erroneous 404 Responses	HTTP GET (Query String Parameters)	7 out of 9	Detected (Inconsistent): 1-7 as RFI, 8,9 as LFI (Not included in score)
Erroneous 404 Responses	HTTP POST (Body Parameters)	7 out of 9	Detected (Inconsistent): 1-7 as RFI, 8,9 as LFI (Not included in score)
False Positive Rfi Test Cases	HTTP GET (Query String Parameters)	0 out of 6	None

WAVSEP Scan Log:

I used burp/zap to crawl the various pages through ironwasp (and verified all the relevant links were successfully documented in ironwasp logs), tested the various directories using the default settings while using the dedicated detection plugin independently (SQL injection plugin for the sqli directories, etc), and limiting the threads from time to time.
(All the results were verified twice+).
For some reason I wasn't able to scan WIVET using the tool's crawler (bug?) while using the exact same method I used with the rest of the tools (either directly and/or through fiddler with a fixed valid PHPSESSID as a filter).