Scanner: Ammonite
Version: 1.2
Vendor: RyscCorp.

Tested Against WAVSEP Version: 1.2

The SQL Injection Detection Accuracy of the Scanner:
Detection Rate: 96.32% (131/136)
False Positives: 70.00% (7/10)
Response Type                  | Input Vector                       | Detection Rate | Details
Erroneous 500 Responses        | HTTP GET (Query String Parameters) | 20 out of 20   | Detected: 1(1st&2nd),2-19
Erroneous 500 Responses        | HTTP POST (Body Parameters)        | 20 out of 20   | Detected: 1(1st&2nd),2-19
Erroneous 200 Responses        | HTTP GET (Query String Parameters) | 20 out of 20   | Detected: 1(1st&2nd),2-19; 200Error-Experimental-GET: 1
Erroneous 200 Responses        | HTTP POST (Body Parameters)        | 20 out of 20   | Detected: 1(1st&2nd),2-19; 200Error-Experimental-POST: 1
Valid 200 Responses            | HTTP GET (Query String Parameters) | 20 out of 20   | Detected: 1(1st&2nd),2-19
Valid 200 Responses            | HTTP POST (Body Parameters)        | 19 out of 20   | Detected: 1(1st&2nd),3-19; Missed: 2
Identical 200 Responses        | HTTP GET (Query String Parameters) | 7 out of 8     | Detected: 1-4,6-8; Missed: 5
Identical 200 Responses        | HTTP POST (Body Parameters)        | 5 out of 8     | Detected: 1-4,7; Missed: 5,6,8
False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 7 out of 10    | Flagged: 1-4,6-8. Also flagged RXSS false-positive cases 1-4,6 as SQLi.

Notation: "1(1st&2nd)" is test case 1 with two injection points, each counted as a separate hit (which is why cases 1-19 add up to 20 out of 20); the Experimental cases are listed but not included in the totals or percentages.

The Reflected XSS Detection Accuracy of the Scanner:
Detection Rate: 24.24% (16/66)
False Positives: 42.86% (3/7)
Response Type                  | Input Vector                       | Detection Rate | Details
Reflected XSS                  | HTTP GET (Query String Parameters) | 8 out of 33    | Detected: 1-5,30(1st&2nd),32; RXSS-Experimental-GET: 1
Reflected XSS                  | HTTP POST (Body Parameters)        | 8 out of 33    | Detected: 1-5,30(1st&2nd),32; RXSS-Experimental-POST: 1
False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 3 out of 7     | Flagged: 1,2,6

The Local File Inclusion Detection Accuracy of the Scanner:
Detection Rate: 63.97% (522/816)
False Positives: 37.50% (3/8)
Response Type                 | Input Vector                       | Detection Rate | Details
Erroneous 500 Responses       | HTTP GET (Query String Parameters) | 45 out of 68   | Detected: 1,3,5,7,9-25,28,37-48,53,55-64
Erroneous 500 Responses       | HTTP POST (Body Parameters)        | 44 out of 68   | Detected: 1,3,5,7,9-25,28,37-48,53,55-60,62-64
Erroneous 200 Responses       | HTTP GET (Query String Parameters) | 45 out of 68   | Detected: 1,3,5,7,9-25,28,37-48,53,55-64
Erroneous 200 Responses       | HTTP POST (Body Parameters)        | 44 out of 68   | Detected: 1,3,5,7,9-25,28,37-48,53,55-60,62-64
Valid 200 Responses           | HTTP GET (Query String Parameters) | 44 out of 68   | Detected: 1,3,5,7,9-25,28,37,39-48,53,55-64
Valid 200 Responses           | HTTP POST (Body Parameters)        | 42 out of 68   | Detected: 1,3,5,7,9-25,28,37,39-44,46-48,53,55-60,62-64
Identical 200 Responses       | HTTP GET (Query String Parameters) | 44 out of 68   | Detected: 1,3,5,7,9-25,28,37,39-48,53,55-64
Identical 200 Responses       | HTTP POST (Body Parameters)        | 42 out of 68   | Detected: 1,3,5,7,9-25,28,37,39-44,46-48,53,55-60,62-64
Redirect (302) Responses      | HTTP GET (Query String Parameters) | 44 out of 68   | Detected: 1,3,5,7,9-25,28,37,39-48,53,55-64
Redirect (302) Responses      | HTTP POST (Body Parameters)        | 42 out of 68   | Detected: 1,3,5,7,9-25,28,37,39-44,46-48,53,55-60,62-64
Erroneous 404 Responses       | HTTP GET (Query String Parameters) | 44 out of 68   | Detected: 1,3,5,7,9-25,28,37,39-48,53,55-64
Erroneous 404 Responses       | HTTP POST (Body Parameters)        | 42 out of 68   | Detected: 1,3,5,7,9-25,28,37,39-44,46-48,53,55-60,62-64
False Positive LFI Test Cases | HTTP GET (Query String Parameters) | 3 out of 8     | Flagged: 2,4,6, in addition to the RFI test cases reported as LFI (see the RFI table below).

The Remote File Inclusion Detection Accuracy of the Scanner:
Detection Rate: 44.44% (48/108)
False Positives: 33.33% (2/6)
Response Type                 | Input Vector                       | Detection Rate | Details
Erroneous 500 Responses       | HTTP GET (Query String Parameters) | 4 out of 9     | Detected: 2,7,8,9 (as LFI)
Erroneous 500 Responses       | HTTP POST (Body Parameters)        | 4 out of 9     | Detected: 2,7,8,9 (as LFI)
Erroneous 200 Responses       | HTTP GET (Query String Parameters) | 4 out of 9     | Detected: 2,7,8,9 (as LFI)
Erroneous 200 Responses       | HTTP POST (Body Parameters)        | 4 out of 9     | Detected: 2,7,8,9 (as LFI)
Valid 200 Responses           | HTTP GET (Query String Parameters) | 4 out of 9     | Detected: 2,7,8,9 (as LFI)
Valid 200 Responses           | HTTP POST (Body Parameters)        | 4 out of 9     | Detected: 2,7,8,9 (as LFI)
Identical 200 Responses       | HTTP GET (Query String Parameters) | 4 out of 9     | Detected: 2,7,8,9 (as LFI)
Identical 200 Responses       | HTTP POST (Body Parameters)        | 4 out of 9     | Detected: 2,7,8,9 (as LFI)
Redirect (302) Responses      | HTTP GET (Query String Parameters) | 4 out of 9     | Detected: 2,7,8,9 (as LFI)
Redirect (302) Responses      | HTTP POST (Body Parameters)        | 4 out of 9     | Detected: 2,7,8,9 (as LFI)
Erroneous 404 Responses       | HTTP GET (Query String Parameters) | 4 out of 9     | Detected: 2,7,8,9 (as LFI)
Erroneous 404 Responses       | HTTP POST (Body Parameters)        | 4 out of 9     | Detected: 2,7,8,9 (as LFI)
False Positive RFI Test Cases | HTTP GET (Query String Parameters) | 2 out of 6     | Flagged: 2,4 (as LFI)

"(as LFI)" means the scanner reported the hit as a local file inclusion finding rather than a remote one; only the Local File Inclusion plugin was enabled for the LFI/RFI scans (see the scan log below), so the RFI columns count any file-inclusion finding on the RFI test case, whatever label the scanner gave it.
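The headline percentages in the four sections above are derived from the per-row "Detected:" lists, and anyone compiling or comparing these benchmark pages will want to recompute them rather than trust the arithmetic. The following is an added example (my own code, not part of the original page and not Ammonite or WAVSEP tooling) that parses the notation used in these tables and recomputes each category's detection and false-positive rate. It assumes the conventions visible in the tables: a range such as "9-25" is inclusive, "1(1st&2nd)" is one test case with two injection points and counts twice, Experimental cases are excluded from totals, and the LFI/RFI row order follows the tables (500 and 200-error responses GET/POST, then valid, identical, redirect and 404 responses GET/POST each).

```python
import re

# Detection specs copied from the result tables on this page (the "Detected:"
# column), as (cases in that row, spec). Experimental cases are left out, which
# is the convention the page's own totals follow (an assumption made explicit).
SQLI = [(20, "1(1st&2nd),2-19")] * 5 + [(20, "1(1st&2nd),3-19"),
                                         (8, "1-4,6-8"), (8, "1-4,7")]
SQLI_FP = (10, "1-4,6-8")
XSS = [(33, "1-5,30(1st&2nd),32")] * 2
XSS_FP = (7, "1,2,6")
LFI_A = "1,3,5,7,9-25,28,37-48,53,55-64"
LFI_B = "1,3,5,7,9-25,28,37-48,53,55-60,62-64"
LFI_C = "1,3,5,7,9-25,28,37,39-48,53,55-64"
LFI_D = "1,3,5,7,9-25,28,37,39-44,46-48,53,55-60,62-64"
# Row order as in the LFI table: 500 GET/POST, 200-error GET/POST, then
# valid, identical, redirect and 404 responses, GET then POST each.
LFI = [(68, s) for s in (LFI_A, LFI_B, LFI_A, LFI_B) + (LFI_C, LFI_D) * 4]
LFI_FP = (8, "2,4,6")
RFI = [(9, "2,7,8,9")] * 12
RFI_FP = (6, "2,4")

# Headline figures as printed on the page: (detected, total, percent).
CLAIMED = {
    "SQLi": (SQLI, SQLI_FP, (131, 136, 96.32), (7, 10, 70.0)),
    "RXSS": (XSS, XSS_FP, (16, 66, 24.24), (3, 7, 42.86)),
    "LFI":  (LFI, LFI_FP, (522, 816, 63.97), (3, 8, 37.5)),
    "RFI":  (RFI, RFI_FP, (48, 108, 44.44), (2, 6, 33.33)),
}

# One token: a single case "7", an inclusive range "9-25", or a case with
# several injection points "1(1st&2nd)".
TOKEN = re.compile(r"^(\d+)(?:-(\d+))?(?:\(([^)]*)\))?$")


def count_detected(spec):
    """Number of hits in a spec such as '1(1st&2nd),2-19'.

    A range counts every case in it; a parenthesised '&'-separated list of
    ordinals counts one hit per injection point; anything else is one case.
    Malformed tokens raise instead of silently skewing the rate.
    """
    hits = 0
    for raw in spec.split(","):
        tok = raw.strip()
        if not tok:
            continue
        m = TOKEN.match(tok)
        if m is None:
            raise ValueError(f"unrecognised detection token: {tok!r}")
        lo, hi, points = m.groups()
        if hi is not None:
            if int(hi) < int(lo):
                raise ValueError(f"descending range: {tok!r}")
            hits += int(hi) - int(lo) + 1
        elif points is not None:
            hits += len(points.split("&"))
        else:
            hits += 1
    return hits


def rate(rows):
    """(detected, total, percent rounded to 2 places) over (total, spec) rows."""
    detected = sum(count_detected(spec) for _, spec in rows)
    total = sum(n for n, _ in rows)
    return detected, total, round(100 * detected / total, 2)


def verify(claimed=CLAIMED):
    """Recompute every category and report whether the page's figures hold."""
    report = {}
    for name, (rows, fp_row, det_claim, fp_claim) in claimed.items():
        det = rate(rows)
        fp = rate([fp_row])
        report[name] = {"detection": det, "false_positives": fp,
                        "matches_page": det == det_claim and fp == fp_claim}
    return report


if __name__ == "__main__":
    for name, r in verify().items():
        d, t, p = r["detection"]
        fd, ft, fpct = r["false_positives"]
        flag = "ok" if r["matches_page"] else "MISMATCH"
        print(f"{name:5} detection {d}/{t} = {p}%  "
              f"false positives {fd}/{ft} = {fpct}%  [{flag}]")
```

Running the script prints one line per category and flags any category whose recomputed figures differ from the printed ones; for this page all four match. The regex deliberately rejects anything it does not understand, since a silently dropped token would understate the detection rate.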

WAVSEP Scan Log:
The Ammonite scanner is in fact a Fiddler extension, and as such relies on many existing Fiddler features and extends some of them. However, that also meant I needed to use an external spider.
I installed Ammonite on Fiddler 2.3.9.9, used the spider feature of Burp Suite with Fiddler defined as an upstream proxy in order to populate Fiddler's URL list with the relevant URLs prior to each scan, and eventually scanned each directory individually, since scanning multiple directories caused the scanner to produce results that were significantly less accurate than a dedicated scan (bug report(?): I performed the first few scans with all the plugins & input vectors enabled, and noticed plenty of buffer overflow / SQL injection false positives, and the scanner stopped detecting some exposures after scanning a certain amount of entry points).
During the various scans, I used 1-2 threads, limited the requests per second to a maximum of 50, limited the input vectors to Query (GET) and Body (POST), and in most cases (not all) disabled the "skip identical requests" feature.
I enabled the following plugins for the various scans:
SQL Injection: Verbose, Boolean and Timing SQLi Plugins
Cross Site Scripting: Cross Site Scripting Plugin
LFI/RFI: Local File Inclusion Plugin


Copyright © 2010-2016 by Shay Chen. All rights reserved.