ScannerVersionVendor
Secubat0.5Stefan Kals

Tested Against WAVSEP Version:
1.0

Product Details:
Accurate
Version
License /
Technology
Last Update
Source Code
Activity
0.5 (Alpha) LGPL
.Net 2.0
27-01-2010 27-01-2010
Source Code

General Features:
GUIConfigUsageStabilityPerformanceReportScanLogPauseSession
SimpleSimpleUnstableFast

Authentication, Control and Connection Features:
Custom
Cookie
Custom
Header
B
A
S
I
C
D
I
G
E
S
T
N
T
L
M
N
T
L
M
v
2
K
E
R
B
E
R
O
S
F
O
R
M
PROXY
GZIP
DEFLATE
SSL
CERT
Logout
Detection
Exclude
Logout
Exclude
URL
Exclude
Param

Coverage Features:
C
O
U
N
T
Manual
Crawl
URL
File
Html
Crawler
Ajax
Crawler
Flash
Crawler
Applet
Crawler
Silverlight
Crawler
WSDL
Crawler
REST
Crawler
Field
Autofill
Smart
Autofill
Anti
CSRF
Support
Viewstate
Support
CAPTCHA
Bypass
WAF
Bypass
1

Input Vector Support:
C
O
U
N
T
G
E
T
P
O
S
T
C
O
O
K
I
E
H
E
A
D
E
R
S
E
C
R
E
T
P
N
a
m
e
X
M
L
X
m
l
A
T
T
X
m
l
T
A
G
J
S
O
N
.
N
e
t
E
N
C
A
M
F
J
a
v
a
S
E
R
.
N
e
t
S
E
R
W
C
F
W
C
F
-
B
i
n
W
e
b
S
o
c
k
D
W
R
C
u
s
t
o
m
2

Audit Features:
C
O
U
N
T
S
Q
L
i
B
S
Q
L
i
S
S
J
S
i
R
X
S
S
P
X
S
S
D
X
S
S
J
S
O
N
h
L
F
I
R
F
I
C
M
D
E
x
e
c
U
P
L
O
A
D
R
E
D
I
R
E
C
T
C
R
L
F
i
L
D
A
P
i
X
P
A
P
H
i
M
X
i
S
S
I
F
O
R
M
A
T
i
C
O
D
E
i
X
M
L
i
E
L
i
B
U
F
F
E
R
o
I
N
T
E
G
E
R
o
C
O
D
E
D
i
s
c
B
A
C
K
U
P
f
P
A
D
D
I
N
G
A
U
T
H
b
P
R
I
V
e
X
X
E
S
E
S
S
I
O
N
F
I
X
A
T
I
O
N
C
S
R
F
A
D
o
S
2

Complimentary Audit Features:
WebServer
Hardening
CGI
Scanning
Dir & File
Enumeration
Passive
Analysis
Additional
Features

The SQL Injection Detection Accuracy of the Scanner:
Detection AccuracyChart
18.38% Detection Rate
70.00% False Positives
(25/136)
(7/10)

The Reflected XSS Detection Accuracy of the Scanner:
Detection AccuracyChart
7.58% Detection Rate
0.00% False Positives
(5/66)
(0/7)

Additional Audit Features:
None

Additional Features:
None

Overview:
The tool is pretty difficult to install (requires installation of MSSQL, manual execution of a database creation script and initially loading the plug-ins through the GUI). It seems to succeed in the crawling process (the database is populated with information and the data is available for future usage in the GUI), but did not detect exposures in a consistent manner, regardless of the scan execution method (scan alongside the crawling process, immediately after crawling or in a separate time and instance) and the scan plug-ins selected (but depending on the application tested). The crawler does not seem to handle malformed HTML very well, and gets stuck or stops the crawling process when referred to pages that contain it (Probably related to the fact the tool is in early beta). The tool detects multiple locations of the same instance of XSS exposures, and also assigns unclear description to the SQL injections detected.


Copyright © 2010-2016 by Shay Chen. All rights reserved.
Click here to learn how this information may be published or reused.