Scanner: Tinfoil Security
Version: X
Vendor: Tinfoil Security

Tested Against WAVSEP Version: 1.5

The SQL Injection Detection Accuracy of the Scanner:
Detection Accuracy: 100.00% Detection Rate (136/136); 0.00% False Positives (0/10)

| Response Type | Input Vector | Detection Rate | Details |
| --- | --- | --- | --- |
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd)-19 |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd)-19 |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd)-19 |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd)-19 |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd)-19 |
| Valid 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1 (1st & 2nd)-19 |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 8 out of 8 | Detected: 1-8 |
| Identical 200 Responses | HTTP POST (Body Parameters) | 8 out of 8 | Detected: 1-8. Previous scans detected: 1-3, 5-8 (in some instances only 1-4, 6, 8 were detected and 4 and 7 were missed, especially at low thread counts, but on verification 7 of 8 were found). |
| False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 0 out of 10 | Detected: none. Previously detected: 7.8 |

The Reflected XSS Detection Accuracy of the Scanner:
Detection Accuracy: 100.00% Detection Rate (66/66); 0.00% False Positives (0/7)

| Response Type | Input Vector | Detection Rate | Details |
| --- | --- | --- | --- |
| Reflected XSS | HTTP GET (Query String Parameters) | 33 out of 33 | 1-9, 10-21, 22-30 (1st & 2nd), 31, 32 |
| Reflected XSS | HTTP POST (Body Parameters) | 33 out of 33 | 1-9, 10-21, 22-30 (1st & 2nd), 31, 32 |
| False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 0 out of 7 | None |

The Local File Inclusion Detection Accuracy of the Scanner:
Detection Accuracy: 100.00% Detection Rate (816/816); 0.00% False Positives (0/8)

| Response Type | Input Vector | Detection Rate | Details |
| --- | --- | --- | --- |
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (some as LFI, Path Traversal or Source Disclosure) |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (some as LFI, Path Traversal or Source Disclosure) |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (some as LFI, Path Traversal or Source Disclosure) |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (some as LFI, Path Traversal or Source Disclosure) |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (some as LFI, some as Source Disclosure) |
| Valid 200 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (some as LFI, some as Source Disclosure) |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (some as LFI, some as Source Disclosure) |
| Identical 200 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (some as LFI, some as Source Disclosure) |
| Redirect (302) Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (some as LFI, some as Source Disclosure) |
| Redirect (302) Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (some as LFI, some as Source Disclosure) |
| Erroneous 404 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (some as LFI, some as Source Disclosure) |
| Erroneous 404 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (some as LFI, some as Source Disclosure) |
| False Positive LFI Test Cases | HTTP GET (Query String Parameters) | 0 out of 8 | Case 1 was identified as an FP; however, after investigation it turned out to be a Java bug on XP that expanded the control of forward actions. |

The Remote File Inclusion Detection Accuracy of the Scanner:
Detection Accuracy: 100.00% Detection Rate (108/108); 0.00% False Positives (0/6)

| Response Type | Input Vector | Detection Rate | Details |
| --- | --- | --- | --- |
| Erroneous 500 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
| Erroneous 500 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
| Erroneous 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
| Erroneous 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
| Valid 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
| Identical 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
| Redirect (302) Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
| Redirect (302) Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
| Erroneous 404 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
| Erroneous 404 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
| False Positive RFI Test Cases | HTTP GET (Query String Parameters) | 0 out of 6 | Identifies 1, 3, 4 as file inclusion (most scanners do); currently treated as a valid conclusion since it's not classified as RFI |

WAVSEP Scan Log:
I created a dedicated scan policy for each vulnerability (e.g. XSS, SQLi, etc.), and only enabled plugins relevant for each exposure in the relevant policy. Most of the results were consistent from the root URL, but due to connection pooling issues or sheer URL numbers, I had to scan the LFI and SQL directories one by one to finish the scans in a reasonable time as well as make sure the results were not affected.
In the vast majority of scans I enabled the Scan with Javascript feature, while in all of them I enabled the Disable Website Duplication feature.
I also reduced the number of threads to 2-5, to make sure there wouldn't be any load effects on the results.
During the scans I identified one false positive result in LFI (case 1), which turned out to be a Java-specific security bug on Windows XP that actually caused the issue to behave just like an LFI. The false positive was not counted as one, since, well, in that case, even though the code was actually a forward, it behaved just like an LFI/traversal issue in terms of capabilities.

The WIVET Score of the Scanner:
Detection Accuracy: 94.0% Detection Rate

WIVET Scan Log:
I created a dedicated WIVET scan policy, and included the XSS plugins (just to give the engine an incentive to access the pages), while enabling the current features: Scan with Javascript and Disable Website Duplication.
I also reduced the number of threads to 2-5, to make sure there wouldn't be any load effects on the results.
To avoid the need to customize cookies and set URL restrictions through Tinfoil support, I used a local configuration of chained Burp and Fiddler instances (Burp was used to adjust link schemes in my internal lab, while Fiddler was used to set a constant cookie): I chained Burp to Fiddler and had Fiddler forward the communication to the actual WIVET website.
Although initially I had some setbacks with this configuration model, eventually I got it to work and managed to crawl the relevant WIVET application and make sure the configuration didn't have any harmful effect on the results (I used another scanner against it).

Copyright © 2010-2016 by Shay Chen. All rights reserved.