Detailed Scan Results - N-Stalker - WAVSEP Benchmark 2014/2016

Logo	Scanner	Version	Build	Vendor
	N-Stalker	X	10.14.1.7	N-Stalker

Tested Against WAVSEP Version:

1.5

The SQL Injection Detection Accuracy of the Scanner:

Detection Accuracy

Chart

96.32% Detection Rate
0.00% False Positives

(131/136)
(0/10)

Response Type	Input Vector	Detection Rate	Details
Errorneous 500 Responses	HTTP GET (Query String Parameters)	20 out of 20	Detected Blind: 1 (1st/2nd), 2-3, 6-19 Detected SQL Error: 4, 5 Previously Detected: 1(1st),3,6-9,11-19
Errorneous 500 Responses	HTTP POST (Body Parameters)	20 out of 20	Detected Blind: 1 (1st/2nd), 2-3, 6-9, 11-19 Detected SQL Error: 4, 5, 10 Previously Detected: 1(1st&2nd), 2,3,6-9,11-14
Errorneous 200 Responses	HTTP GET (Query String Parameters)	20 out of 20	Detected Blind: 1 (1st/2nd), 2-3, 6-19 Detected SQL Error: 4-5. Sometimes 2,10 detected as sql errors. Previously Detected: 1(1st&2nd),2,6,8-13,16-19
Errorneous 200 Responses	HTTP POST (Body Parameters)	20 out of 20	Detected Blind: 1 (1st/2nd), 2-3, 6-9, 11-19 Detected SQL Error: 4-5, 10 Previously Detected: 1(1st&2nd)-14
Valid 200 Responses	HTTP GET (Query String Parameters)	18 out of 20	Detected Blind: 1 (1st/2nd), 2-3, 6-19 (sometimes case 5 indenfied instead of 10) Previously Detected: 5-13,16-19
Valid 200 Responses	HTTP POST (Body Parameters)	17 out of 20	Detected Blind: 1 (1st/2nd), 2-3, 6-9, 11-19 Previously Detected: Case 11
Identical 200 Responses	HTTP GET (Query String Parameters)	8 out of 8	Detected Blind: 1-8 Previously Detected: 1-3
Identical 200 Responses	HTTP POST (Body Parameters)	8 out of 8	Detected Blind: 1-8 Previously Detected: Non
False Positive SQLi Test Cases	HTTP GET (Query String Parameters)	0 out of 10	Detected cases 7 and 8 as SQL Error handling fault, but not as SQL Injection

The Reflected XSS Detection Accuracy of the Scanner:

Detection Accuracy

Chart

96.97% Detection Rate
0.00% False Positives

(64/66)
(0/7)

Response Type	Input Vector	Detection Rate	Details
Reflected XSS	HTTP GET (Query String Parameters)	32 out of 33	Detected: 1-30(1st&2nd),32 Missed: 31
Reflected XSS	HTTP POST (Body Parameters)	32 out of 33	Detected: 1-30(1st&2nd),32 Missed: 31
False Positive RXSS Test Cases	HTTP GET (Query String Parameters)	0 out of 7	None

The Local File Inclusion Detection Accuracy of the Scanner:

Detection Accuracy

Chart

92.77% Detection Rate
12.50% False Positives

(757/816)
(1/8)

Response Type	Input Vector	Detection Rate	Details
Errorneous 500 Responses	HTTP GET (Query String Parameters)	68 out of 68	Detected: 1-68 (J2EE Directory Traversal) Previously Detected: 1,3,5,7,9-30,37-48,53-64
Errorneous 500 Responses	HTTP POST (Body Parameters)	68 out of 68	Detected: 1-68 (J2EE Directory Traversal) Previously Detected: 3,5,7,11-14,17-20,22,23,26,27,29,30,38,45,54,61
Errorneous 200 Responses	HTTP GET (Query String Parameters)	68 out of 68	Detected: 1-68 (J2EE Directory Traversal) Previously Detected: 1,3,5,7,9-25,28,37-48,53-64
Errorneous 200 Responses	HTTP POST (Body Parameters)	68 out of 68	Detected: 1-68 (J2EE Directory Traversal) Previously Detected: 3,5,7,11-14,17-20,22,23,38
Valid 200 Responses	HTTP GET (Query String Parameters)	68 out of 68	Detected: 1-24,37-44,53-60,25-36 (J2EE),45-52 (J2EE), 61-68 (J2EE) Previously Detected (56): 9-36, 39-52, 55-68
Valid 200 Responses	HTTP POST (Body Parameters)	68 out of 68	Detected: 1-24,37-44,53-60,25-36 (J2EE),45-52 (J2EE), 61-68 (J2EE) Previously Detected (56): 9-36, 39-52, 55-68
Identical 200 Responses	HTTP GET (Query String Parameters)	68 out of 68	Detected: 1-24,37-44,53-60,25-36 (J2EE),45-52 (J2EE), 61-68 (J2EE) Previously Detected (56): 9-36, 39-52, 55-68
Identical 200 Responses	HTTP POST (Body Parameters)	66 out of 68	Detected: 1-24,37,39-44,53,55-60,25-36 (J2EE), 45-52 (J2EE), 61-68 Missed: 38,54 Previously Detected (56): 9-36, 39-52, 55-68
Redirect (302) Responses	HTTP GET (Query String Parameters)	68 out of 68	Detected: 1-24,37-44,53-60,25-36 (J2EE),45-52 (J2EE), 61-68 (J2EE) Previously Detected (56): 9-36, 39-52, 55-68
Redirect (302) Responses	HTTP POST (Body Parameters)	68 out of 68	Detected: 1-24,37-44,53-60,25-36 (J2EE),45-52 (J2EE), 61-68 (J2EE) Previously Detected (56): 9-36, 39-52, 55-68
Erroneous 404 Responses	HTTP GET (Query String Parameters)	42 out of 68	Detected: 1,2,9,10,15,16,21,24,25,28,31,34,37-68 Previously Detected (38): 9,10,15,16,21,24,25,28,31,34,39-52,55-68
Erroneous 404 Responses	HTTP POST (Body Parameters)	37 out of 68	Detected: 1,2,9,10,15,16,21,24,25,28,31,34,37,39-44,46-53,55-60,62-66 Previously Detected(36): 9,10,15,16,21,24,25,28,31,34,39-44,46-52,55-60,62-68
False Positive Lfi Test Cases	HTTP GET (Query String Parameters)	1 out of 8	Case 7. Sometimes also identifies the RFI case 6 from the unvalidated redirect false positive test cases as vulnerable to LFI.

The Remote File Inclusion Detection Accuracy of the Scanner:

Detection Accuracy

Chart

92.59% Detection Rate
0.00% False Positives

(100/108)
(0/6)

Response Type	Input Vector	Detection Rate	Details
Errorneous 500 Responses	HTTP GET (Query String Parameters)	9 out of 9	Detected: 1-9
Errorneous 500 Responses	HTTP POST (Body Parameters)	9 out of 9	Detected: 1-9
Errorneous 200 Responses	HTTP GET (Query String Parameters)	9 out of 9	Detected: 1-9
Errorneous 200 Responses	HTTP POST (Body Parameters)	9 out of 9	Detected: 1-9
Valid 200 Responses	HTTP GET (Query String Parameters)	9 out of 9	Detected: 1-9
Valid 200 Responses	HTTP POST (Body Parameters)	9 out of 9	Detected: 1-9
Identical 200 Responses	HTTP GET (Query String Parameters)	9 out of 9	Detected: 1-9
Identical 200 Responses	HTTP POST (Body Parameters)	9 out of 9	Detected: 1-9
Redirect (302) Responses	HTTP GET (Query String Parameters)	9 out of 9	Detected: 1-9
Redirect (302) Responses	HTTP POST (Body Parameters)	9 out of 9	Detected: 1-9
Erroneous 404 Responses	HTTP GET (Query String Parameters)	5 out of 9	Detected: 1,2,5,8,9
Erroneous 404 Responses	HTTP POST (Body Parameters)	5 out of 9	Detected: 1,2,5,8,9
False Positive Rfi Test Cases	HTTP GET (Query String Parameters)	0 out of 6	None

WAVSEP Scan Log:

I used the scan wizard to scan each directory individually, optimized the scan before starting the scan session (the optimize button), and defined a custom policy for each scanned directory which included only the relevant plugins (verified results for one directory per vulnerability with all the vulnerability detection plugins, to verify I didn't forget to use any important plugins). When necessary, I also limited the amount of threads or made policy adjustments. Most results were also verified using the OWASP policy included by default (the custom policy had better results).

The WIVET Score of the Scanner:

Detection Accuracy

Chart

94.0% Detection Rate

WIVET Scan Log:

Initialized WIVET's session, defined burpsuite as an outgoing proxy, defined a valid WIVET session identifier in burpsuite match and replace feature,
excluded the logout URL in appscan (100.php), and tried scanning with various configuration options (enabled the optional parse javascript and parse error pages crawler options, tried with and without checks, with optimizations, while increasing the spider various restrictions, etc)