| Scanner | Version | Build | Vendor |
|---|---|---|---|
| W3AF | 1.6 | rev-5460aa0377 | W3AF developers |

Tested Against WAVSEP Version:
Detection Accuracy (SQL Injection test cases; chart not included): 35.29% detection rate (48/136), 30.00% false positives (3/10).

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 19 out of 20 | Detected: 1(1st&2nd)-18. Missed: 19. (Previously Detected: 1(1st&2nd)-14,17,19; case 19 was detected as eval injection) |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 1 out of 20 | Detected: 7 (inconsistent). (Previously Detected: 1(1st&2nd)-14,17) |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 19 out of 20 | Detected: 1(1st&2nd),2-18; 200Error-Experimental-GET: 1. Missed: 19. (Previously Detected: 1(1st&2nd)-14,16-19) |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 0 out of 20 | Detected: none. (Previously Detected: 1(1st&2nd)-14; 200Error-Experimental-POST: 1) |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 7 out of 20 | Detected: 6,7,8,11,12,13,16 (inconsistent). (Previously Detected: 9,12,19) |
| Valid 200 Responses | HTTP POST (Body Parameters) | 0 out of 20 | Detected: none. (Previously Detected: 3,8,9,13,16-19) |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 2 out of 8 | Detected: 1,2. Missed: 3-8. (Previously Detected: 1) |
| Identical 200 Responses | HTTP POST (Body Parameters) | 0 out of 8 | Detected: none. (Previously Detected: 1,2) |
| False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 3 out of 10 | Flagged: 2,4,6 |
Detection Accuracy (Reflected XSS test cases; chart not included): 37.88% detection rate (25/66), 0.00% false positives (0/7).

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Reflected XSS | HTTP GET (Query String Parameters) | 25 out of 33 | Detected: 1-12,15,22-30(1st&2nd),31,32; GET-Experimental: 6,7. (Previously Detected: 1-7,30(1st&2nd),32) |
| Reflected XSS | HTTP POST (Body Parameters) | 0 out of 33 | Detected: none; POST-Experimental: 6,7. Did not seem able to complete the POST scans (multiple verifications with different policies and entry points). (Previously Detected: 1-7,30(1st&2nd),32) |
| False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 0 out of 7 | Flagged: none. (Previously detected: 1,2,6) |
Detection Accuracy (Local File Inclusion test cases; chart not included): 57.48% detection rate (469/816), 12.50% false positives (1/8).

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 40 out of 68 | Detected: 1,3,5,9-24,28,37-44,47,48,53-60,63,64 (some as file read error) |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 43 out of 68 | Detected: 1,3,5,7,9-24,28-30,37-44,47,48,53-60,63,64 (some as file read error) |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 43 out of 68 | Detected: 1,3,5,7,9-24,28-30,37-44,47,48,53-60,63,64 (some as file read error) |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 43 out of 68 | Detected: 1,3,5,7,9-24,28-30,37-44,47,48,53-60,63,64 (some as file read error) |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 39 out of 68 | Detected: 1,3,5,7,9-24,28-30,37-40,42,44,47,48,53-56,58,60,63,64 |
| Valid 200 Responses | HTTP POST (Body Parameters) | 39 out of 68 | Detected: 1,3,5,7,9-24,28-30,37-40,42,44,47,48,53-56,58,60,63,64 |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 39 out of 68 | Detected: 1,3,5,7,9-24,28-30,37-40,42,44,47,48,53-56,58,60,63,64 |
| Identical 200 Responses | HTTP POST (Body Parameters) | 39 out of 68 | Detected: 1,3,5,7,9-24,28-30,37-40,42,44,47,48,53-56,58,60,63,64 |
| Redirect (302) Responses | HTTP GET (Query String Parameters) | 39 out of 68 | Detected: 1,3,5,7,9-24,28-30,37-40,42,44,47,48,53-56,58,60,63,64 |
| Redirect (302) Responses | HTTP POST (Body Parameters) | 39 out of 68 | Detected: 1,3,5,7,9-24,28-30,37-40,42,44,47,48,53-56,58,60,63,64 |
| Erroneous 404 Responses | HTTP GET (Query String Parameters) | 27 out of 68 | Detected: 1,7,9,10,12,13,15,16,21,24,28,37-40,42,44,47,48,53-56,58,60,63,64 |
| Erroneous 404 Responses | HTTP POST (Body Parameters) | 39 out of 68 | Detected: 1,3,5,7,9-24,28-30,37-40,42,44,47,48,53-56,58,60,63,64 |
| False Positive LFI Test Cases | HTTP GET (Query String Parameters) | 1 out of 8 | Flagged: 7 |
Detection Accuracy (Remote File Inclusion test cases; chart not included): 16.67% detection rate (18/108), 16.67% false positives (1/6).

| Response Type | Input Vector | Detection Rate | Details |
|---|---|---|---|
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9. (Previously Detected: 2,8,9, by the File Read Error plugin) |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 0 out of 9 | Detected: none. (Previously Detected: 2,8,9, by the File Read Error plugin) |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9. (Previously Detected: 2,8,9, by the File Read Error plugin) |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 0 out of 9 | Detected: none. (Previously Detected: 2,8,9, by the File Read Error plugin) |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 0 out of 9 | Detected: none |
| Valid 200 Responses | HTTP POST (Body Parameters) | 0 out of 9 | Detected: none |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 0 out of 9 | Detected: none |
| Identical 200 Responses | HTTP POST (Body Parameters) | 0 out of 9 | Detected: none |
| Redirect (302) Responses | HTTP GET (Query String Parameters) | 0 out of 9 | Detected: none |
| Redirect (302) Responses | HTTP POST (Body Parameters) | 0 out of 9 | Detected: none |
| Erroneous 404 Responses | HTTP GET (Query String Parameters) | 0 out of 9 | Detected: none |
| Erroneous 404 Responses | HTTP POST (Body Parameters) | 0 out of 9 | Detected: none |
| False Positive RFI Test Cases | HTTP GET (Query String Parameters) | 1 out of 6 | Flagged: 5 (previously identified case 7 as FP RFI) |
After struggling to upgrade the w3af instance in Kali Linux, and finding out that there is no longer support for the Windows version, I decided to install w3af from scratch on an Ubuntu Linux with Python 2.7.

After installing all the dependencies (and struggling a bit with nltk and a few other packages), I finally got the latest version of the platform running. I used W3AF's built-in web_spider crawl plugin to crawl the URLs in each directory, and executed a scan with the following plugins enabled (varies for each scan):

- Cross Site Scripting: xss (audit plugin), domXSS (grep plugin)
- SQL Injection: sqli, blindSqli (all audit plugins)
- Remote File Inclusion: remoteFileInclude, xss (all audit plugins)
- Local File Inclusion: localFileInclude (audit plugin)
- Open Redirect: global_redirect, phishing_vector (all audit plugins)
- Obsolete Files: content_negotiation, digit_sum, dir_file_bruter (bf_directories, bf_files, be_recursive), url_fuzzer, wordnet (all crawl plugins)

I used a development release (git checkout) during the test, and from time to time experienced unexplained issues, which included scans that stopped immediately after the crawling phase, scans that ignored form parameters, and from time to time, scans that got stuck. I tried working with the w3af console to see if the same issues that appeared with w3af_gui persist, found a configuration entry I couldn't find in the GUI called form fuzzing mode (under misc-settings), and changed it using the following command:

    set form_fuzzing_mode all

The results were identical in a few verifications, and the stop-after-crawling issue persisted (verified in verbose mode), so I eventually used the results obtained through w3af_gui.
Detection Accuracy (WIVET; chart not included): 19.0% detection rate (previously detected: 17.00%).

Initialized WIVET's session, defined Burp Suite as a transparent proxy, forwarded the communication from Burp to WIVET and defined a valid session identifier in Burp's match and replace feature, excluded the logout URL by manually removing it from the HTML menu file in WIVET (100.php), enabled the various optional crawling features (webspider, robots, digitsum, urlfuzzer, etc.), disabled all the audit plugins and started the scan.