Scanner | Version | Build | Vendor
XSSer | 1.6 | 1 | psy

Tested Against WAVSEP Version:
1.5

The Reflected XSS Detection Accuracy of the Scanner:
50.00% Detection Rate (33/66)
85.71% False Positives (6/7)

Response Type | Input Vector | Detection Rate | Details
Reflected XSS | HTTP GET (Query String Parameters) | 33 out of 33 | Detected: 1-30(1st&2nd),31,32 GET-Experimental: 1-11 (Previously Detected: 1-10,13,14,16,17,19-21,23-25,27,30(2nd),32)
Reflected XSS | HTTP POST (Body Parameters) | 0 out of 33 | None
False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 6 out of 7 | 1,2,3,4,6,7 (Previously Detected 1,2,6,7)

WAVSEP Scan Log:
I installed XSSer using its Debian/Ubuntu package, started a terminal window and loaded the GTK GUI using the following command:
xsser --gtk
The tool's arsenal of features is OVERWHELMING (if you just crawl the various menus enough, you'll see them), and covers a variety of detection and exploitation scenarios.
I chose the "intruder" fly mode, marked the "automatic", "crawler", "statistics", "verbose" and "launch" options, and then clicked the buttons "aim" and "fly".
The tool seemed to be working and scanned the files in the target URLs (http://192.168.56.101:9090/wavsep/active/index-xss.jsp, and later its subdirectories), and also seemed to be using the OS default browser to perform the various checks. However, some sort of bug caused the tabs and popups to remain open, and it quickly got to the point where Firefox would not open any more tabs, and numerous annoying popups appeared and stayed until I clicked them all (about two minutes of clicking).
The results for GET cases were very good, and covered all the test cases and even all the experimental test cases. However, the tool did not seem able to submit HTML forms, and thus did not cover any of the POST test cases.
Finally, the line "composed" by the GTK GUI included the following commands:
xsser -u http://192.168.56.101:9090/wavsep/active/index-xss.jsp -c 200 --Cw 1 --Cl -s -v --launch --user-agent Googlebot/2.1 (+http://www.google.com/bot.html) --threads 5 --timeout 30 --retries 1 --delay 0 --auto
All in all, if this tool had been actively maintained, had its bugs fixed and had the POST/JSON/XML input vectors covered, it could be a fantastic addition to any pen-tester's arsenal, and in any event could be used as an infrastructure for other open source projects.

The WIVET Score of the Scanner:
1.0% Detection Rate

WIVET Scan Log:
I used both the intruder and explorer modes, and after predefining a valid PHPSESSID identifier for wivet, tried scanning the root directory and the menu.php and index.php root files of wivet, while testing this process both with "drop cookie" and without it.
While scanning menu.php, XSSer manages to parse and identify all the menu links (but fails to do so if referred to the root /wivet/ directory or to the frame containing index.php page). However, in all scenarios, XSSer did not identify the various pages that counted in wivet's score, and thus, although it did manage to crawl the menu pages, its score (from wivet's perspective) was 0%.
Since I couldn't truly assign a 0% score to a scanner that did manage to crawl some pages (or all the GET pages of wavsep for that matter), I assigned a symbolic score of 1%, to signify that the scanner is somehow working.

Copyright © 2010-2016 by Shay Chen. All rights reserved.