| Logo | Scanner | Version | Vendor |
 | Tinfoil Security | X | Tinfoil Security |
| Tested Against WAVSEP Version: |
| Detection Accuracy | Chart | ||||
| 100.00% Detection Rate 0.00% False Positives | (136/136) (0/10) |
| Response Type | Input Vector | Detection Rate | Details |
| Errorneous 500 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1(1st&2nd)-19 |
| Errorneous 500 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1(1st&2nd)-19 |
| Errorneous 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1(1st&2nd)-19 |
| Errorneous 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1(1st&2nd)-19 |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 20 out of 20 | Detected: 1(1st&2nd)-19 |
| Valid 200 Responses | HTTP POST (Body Parameters) | 20 out of 20 | Detected: 1(1st&2nd)-19 |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 8 out of 8 | Detected: 1-8 |
| Identical 200 Responses | HTTP POST (Body Parameters) | 8 out of 8 | Detected: 1-8 Previous Scans Detected: 1-3,5-8 (in some instances detected only 1-4,6,8 and Missed 4 and 7, especially on low threads, but on verifications found 7 of 8). |
| False Positive SQLi Test Cases | HTTP GET (Query String Parameters) | 0 out of 10 | Detected None Previously Detected: 7.8 |
| Detection Accuracy | Chart | ||||
| 100.00% Detection Rate 0.00% False Positives | (66/66) (0/7) |
| Response Type | Input Vector | Detection Rate | Details |
| Reflected XSS | HTTP GET (Query String Parameters) | 33 out of 33 | 1-9, 10-21, 22-30(1st & 2nd), 31,32 |
| Reflected XSS | HTTP POST (Body Parameters) | 33 out of 33 | 1-9, 10-21, 22-30(1st & 2nd), 31,32 |
| False Positive RXSS Test Cases | HTTP GET (Query String Parameters) | 0 out of 7 | None |
| Detection Accuracy | Chart | ||||
| 100.00% Detection Rate 0.00% False Positives | (816/816) (0/8) |
| Response Type | Input Vector | Detection Rate | Details |
| Errorneous 500 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (some as LFI, Path Traversal or Source Disclosure) |
| Errorneous 500 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (some as LFI, Path Traversal or Source Disclosure) |
| Errorneous 200 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected: 1-68 (some as LFI, Path Traversal or Source Disclosure) |
| Errorneous 200 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected: 1-68 (some as LFI, Path Traversal or Source Disclosure) |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected:1-68 (some as LFI, some as Source Disclosure) |
| Valid 200 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected:1-68 (some as LFI, some as Source Disclosure) |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected:1-68 (some as LFI, some as Source Disclosure) |
| Identical 200 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected:1-68 (some as LFI, some as Source Disclosure) |
| Redirect (302) Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected:1-68 (some as LFI, some as Source Disclosure) |
| Redirect (302) Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected:1-68 (some as LFI, some as Source Disclosure) |
| Erroneous 404 Responses | HTTP GET (Query String Parameters) | 68 out of 68 | Detected:1-68 (some as LFI, some as Source Disclosure) |
| Erroneous 404 Responses | HTTP POST (Body Parameters) | 68 out of 68 | Detected:1-68 (some as LFI, some as Source Disclosure) |
| False Positive Lfi Test Cases | HTTP GET (Query String Parameters) | 0 out of 8 | Case 1 was identified as a FP, however, after investigation it turned out to be a java bug on xp that expanded the control of forward actions. |
| Detection Accuracy | Chart | ||||
| 100.00% Detection Rate 0.00% False Positives | (108/108) (0/6) |
| Response Type | Input Vector | Detection Rate | Details |
| Errorneous 500 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
| Errorneous 500 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
| Errorneous 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
| Errorneous 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
| Valid 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
| Valid 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
| Identical 200 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
| Identical 200 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
| Redirect (302) Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
| Redirect (302) Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
| Erroneous 404 Responses | HTTP GET (Query String Parameters) | 9 out of 9 | Detected: 1-9 |
| Erroneous 404 Responses | HTTP POST (Body Parameters) | 9 out of 9 | Detected: 1-9 |
| False Positive Rfi Test Cases | HTTP GET (Query String Parameters) | 0 out of 6 | Identifies 1,3,4 as file inclusion (most scanners do), currently treated as valid conclusion since its not classifed as RFI |
| I created a dedicated scan policy for each vulnerability (e.g. XSS, SQLi, etc), and only enabled plugins relevant for each exposure in the relevant policy. Most of the results were consistent from the root URL, but due to connection pooling issues or sheer URL numbers, I had to scan the LFI and SQL directories one by one to finish the scans in a reasonable time as well as make sure the results were not affected.
In the vast majority of scans I enabled the Scan with Javascript feature, while in all of them I enabled the Disable Website Duplication feature. I also reduced the amount of threads to 2-5, to make sure there won't be any load effects on the results. During the scans I identified one false positive results in LFI (case 1) which turned out to be a java specific security bug on windows XP, which actually caused the issue to behave just like an LFI. The false positive was not counted as one, since ? well, in that case, even though the code was actually a forward ? it behaved just like an LFI/traversal issue in terms of capabilities. |
| Detection Accuracy | Chart | ||
| 94.0% Detection Rate |
| I created a dedicated WIVET scan policy, and included the XSS plugins (just to give the engine an incentive to access to the pages), while enabling the current features - Scan with Javascript and Disable Website Duplication.
I also reduced the amount of threads to 2-5, to make sure there won't be any load effects on the results. To avoid the need to customize cookies and set URL restrictions through Tinfoil support, I used a local configuration of a chained burp and fiddler instances (burp was used to adjust link schemes in my internal lab, while fiddler was used to set a constant cookie), chained burp to fiddler and caused fiddler to forward the communication to the actual wivet website. Although initially I had some setbacks with this configuration model, eventually I got it to work and managed to crawl the relevant WIVET application and make sure the configuration didn't have any harmful effect on the results (used another scanner against it). |