| Logo | Scanner | Version | Build | Vendor |
|---|---|---|---|---|
| | QualysGuard WAS | 2014-01-21 | Update | Qualys, Inc. |

Tested Against WAVSEP Version:
| Detection Accuracy (SQL Injection) | |
|---|---|
| 63.24% Detection Rate (86/136) | 0.00% False Positives (0/10) |

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19 |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 10 out of 20 | Detected: 1(1st&2nd),2,3,5,8,14,16,17,19 (Previously Detected: 1(1st&2nd),2-19) |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1(1st&2nd),2-19; 200Error-Experimental-GET: 1 |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 10 out of 20 | Detected: 1(1st&2nd),2,3,5,15-19; 200Error-Experimental-POST: 1 (Previously Detected: 1(1st&2nd),2-19) |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 13 out of 20 | Detected: 1(1st&2nd),2,3,6-8,11,12,15-18; Missed: 4,5,9,10,13,14,19 |
| Valid 200 Responses | HTTP POST (Body Parameters) | 8 out of 20 | Detected: 1(1st&2nd),2,3,15-18 (Previously Detected: 1(1st&2nd),2,3,6-8,11,12,15-18) |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 3 out of 8 | Detected: 1-3 |
| Identical 200 Responses | HTTP POST (Body Parameters) | 2 out of 8 | Detected: 1,2 (Previously Detected: 1-3) |
| False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 0 out of 10 | None |
| Detection Accuracy (Reflected XSS) | |
|---|---|
| 50.00% Detection Rate (33/66) | 0.00% False Positives (0/7) |

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Reflected XSS | HTTP GET (Query String Parameters) | 24 out of 33 | Detected: 1-12,16,22-24,26-30(1st&2nd),31,32; Missed: 13-15,17-21,25; RXSS-Experimental-GET: 1,3 (Previously Detected: identical results) |
| Reflected XSS | HTTP POST (Body Parameters) | 9 out of 33 | Detected: 1-5,8,30(1st&2nd),32 (after adapting the form/parameter names to an incremental format) (Previously Detected: 1-18,20,22-24,26-30(1st&2nd),31,32) |
| False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 0 out of 7 | None (cases 1, 2 and 6 were classified as unencoded characters, but not as XSS) |
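As an added example (not part of the original benchmark page and not Qualys tooling), the following Python script parses the "Detected:" notation used in the two tables above and checks that the listed cases add up to each row's stated "N out of M" and to the headline figures of 86/136 (63.24%) and 33/66 (50.00%). The row data is transcribed from the tables; the only assumption is the reading of the notation itself, which the row totals force: "a-b" is an inclusive range, and a "(1st&2nd)" suffix means the case it is attached to (the last case of a range) has two variants that both count. The "Missed" and "Previously Detected" parts of the Details column are not needed for the check and are left out.

```python
import re

# Transcribed from the SQL injection and reflected XSS tables above:
# (row label, "Detected:" notation as printed, stated detections, cases in the row)
SQLI_ROWS = [
    ("Erroneous 500 / GET",  "1(1st&2nd),2-19",                20, 20),
    ("Erroneous 500 / POST", "1(1st&2nd),2,3,5,8,14,16,17,19", 10, 20),
    ("Erroneous 200 / GET",  "1(1st&2nd),2-19",                20, 20),
    ("Erroneous 200 / POST", "1(1st&2nd),2,3,5,15-19",         10, 20),
    ("Valid 200 / GET",      "1(1st&2nd),2,3,6-8,11,12,15-18", 13, 20),
    ("Valid 200 / POST",     "1(1st&2nd),2,3,15-18",            8, 20),
    ("Identical 200 / GET",  "1-3",                             3,  8),
    ("Identical 200 / POST", "1,2",                             2,  8),
]
RXSS_ROWS = [
    ("Reflected XSS / GET",  "1-12,16,22-24,26-30(1st&2nd),31,32", 24, 33),
    ("Reflected XSS / POST", "1-5,8,30(1st&2nd),32",                9, 33),
]

# One token: a case number, an optional "-end" making it a range, and an
# optional "(1st&2nd)" suffix.
TOKEN = re.compile(r"^(\d+)(?:-(\d+))?(\(1st&2nd\))?$")


def expand(spec):
    """Expand the 'Detected:' notation into individual test-case labels.

    Assumed reading (forced by the row totals on the page): 'a-b' is an
    inclusive range, and '(1st&2nd)' applies to the case it is attached to,
    i.e. the last case of a range, which then counts as two variants.
    'None' means nothing was detected.
    """
    if spec.strip().lower() == "none":
        return []
    labels = []
    for token in spec.split(","):
        m = TOKEN.match(token.strip())
        if not m:
            raise ValueError(f"unrecognised token: {token!r}")
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) else start
        twin = m.group(3) is not None
        for n in range(start, end + 1):
            if twin and n == end:
                labels += [f"{n}-1st", f"{n}-2nd"]
            else:
                labels.append(str(n))
    return labels


def check_rows(rows):
    """Return (label, counted, stated, total, ok) per row so that a mismatch
    between the listed cases and the stated 'N out of M' is visible."""
    result = []
    for label, spec, stated, total in rows:
        counted = len(expand(spec))
        result.append((label, counted, stated, total, counted == stated))
    return result


def aggregate(rows):
    """Sum the rows the way the page's headline figure does: detected, total, percent."""
    detected = sum(len(expand(spec)) for _, spec, _, _ in rows)
    total = sum(row[3] for row in rows)
    return detected, total, round(100 * detected / total, 2)


if __name__ == "__main__":
    for name, rows in (("SQLi", SQLI_ROWS), ("RXSS", RXSS_ROWS)):
        for label, counted, stated, total, ok in check_rows(rows):
            status = "ok" if ok else "MISMATCH"
            print(f"{name:5} {label:22} {counted:2}/{total:2} (stated {stated:2}) {status}")
        print("%s aggregate: %d/%d = %.2f%%" % ((name,) + aggregate(rows)))
```

Running the script reproduces 86/136 = 63.24% and 33/66 = 50.00%, and every row's listed cases match its stated count, which also confirms that the "(1st&2nd)" suffix on "26-30(1st&2nd)" applies to case 30 only (applying it to the whole range would give 28 detections for that row instead of 24).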
I installed a local software appliance (VirtualBox VM), personalized it (long story) and started using the interface to create various scan policies and scheduled scans (although I eventually executed most of the scans myself).

I created an application to represent WAVSEP, defined the local appliance (named WAVSEP_[VulName]) as the scanner appliance, and defined various URLs for scanning purposes (and replaced them in each scan). I used the following generic configuration:

- Form Submission: Post & Get
- Maximum crawl requests = 2000
- Scan Intensity: Lowest / Maximum (varies)
- Password brute-forcing disabled

Policies/Plugins used in SQL injection detection: the complete policy, and also a custom policy that included: SQL Injection, Blind SQL Injection, SQL Injection in HTTP Header.

Policies/Plugins used in Reflected XSS detection: the complete policy, and also a custom policy that included: "Reflected Cross-Site Scripting (XSS) Vulnerabilities" (QID 150001), "Reflected Cross-Site Scripting (XSS) in HTTP Header" (QID 150046), "Reflected Cross Site Scripting (XSS) in Web Service" (QID 150090), "Web Server Vulnerable to Cross Site Scripting" (QID 10788), "Browser-Specific Cross Site Scripting (XSS)" (QID 150013), "Browser-Specific Cross Site Scripting (XSS) in HTTP Headers" (QID 150048), "Browser-Specific Cross Site Scripting (XSS) in Web Service" (QID 150092).

Policies/Plugins used in Unvalidated Redirect detection: the complete policy, and also a custom policy that included: "Open Redirect" (QID 150051).

Policies/Plugins used in Backup/Obsolete File detection (detected when directories are scanned individually): the complete policy, and also a custom policy that included: "Backup Files Present on Web Server" (QID 7008), "Path based vulnerabilities" (QID 150004), which works better on its own.

In Traversal / LFI / RFI detection (nothing was detected): "Local File Inclusion" (QID 150011), "Generic Web Server Directory Traversal Vulnerability" (QID 86375), "Java Web Server Directory Traversal Vulnerability" (QID 10147), "Apache Tomcat Absolute Path Traversal Vulnerability" (QID 86776), "YAWS Directory Traversal Vulnerability" (QID 86925), "Perl Web Server Directory Traversal Vulnerability" (QID 10750), "Path-based Vulnerability" (QID 150004).

In XSS via RFI detection (nothing was detected): Generic Web Server Directory Traversal, Path-Based Vulnerability, Directory Listing, PHP Remote File Inclusion, Local File Inclusion, PHP Command Injection.
| Detection Accuracy (WIVET) | |
|---|---|
| 92.0% Detection Rate | |
I used the following configuration while scanning the WIVET application (as mentioned in previous posts: a customized version of WIVET with multiple links and without the logout URL):

- Checked: "Crawl all Links and directories found in the robots.txt file, if present."
- Checked: "Crawl all Links and directories found in the sitemap.xml file, if present."
- Plugins enabled: Links Discovered During User-Agent and Mobile Site Checks, Content of sitemap.xml, Content of robots.txt, Flash Analysis, Domain Related Links Discovered, Cookies Collected, External Links Discovered, External Form Actions Discovered, Form is Protected Against CSRF, Session Cookies, Links Crawled, Reflected Cross Site Scripting (XSS) Vulnerabilities

Using Fiddler as a proxy didn't seem to work like it did for many other scanners; however, the header customization features worked perfectly and enabled me to define a valid session identifier, and since I had already removed the 100.php link from the menu, I did not define any URL restrictions.

Bottom line: it worked, and I have to admit I was impressed with the score (92%).