WebCruiser Web Vulnerability Scanner Test Report


  • 7/25/2019 WebCruiser Web Vulnerability Scanner Test Report


    WebCruiser Web Vulnerability Scanner Test Report V3.4.0, made by Janusec (http://www.janusec.com)

    1. Test Report

    1.1. SQL Injection Test Report

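    Input Vector                     | Test Cases                         | Cases Count | Report | Pass Rate
    ---------------------------------|------------------------------------|-------------|--------|----------
    GET Input Vector                 | Erroneous 500 Responses            | 19          | 19     | 100%
    GET Input Vector                 | Erroneous 200 Responses            | 19          | 19     | 100%
    GET Input Vector                 | 200 Responses With Differentiation | 19          | 19     | 100%
    GET Input Vector                 | Identical 200 Responses            | 8           | 8      | 100%
    POST Input Vector                | Erroneous 500 Responses            | 19          | 19     | 100%
    POST Input Vector                | Erroneous 200 Responses            | 19          | 19     | 100%
    POST Input Vector                | 200 Responses With Differentiation | 19          | 19     | 100%
    POST Input Vector                | Identical 200 Responses            | 8           | 8      | 100%
    GET Input Vector - Experimental  | Insert / Delete / Other            | 1           | 1      | 100%
    POST Input Vector - Experimental | Insert / Delete / Other            | 1           | 1      | 100%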

    1.2. XSS Test Report

    Input Vector                       | Test Cases   | Cases Count | Report | Pass Rate
    -----------------------------------|--------------|-------------|--------|----------
    GET Input Vector                   | ReflectedXSS | 32          | 32     | 100%
    POST Input Vector                  | ReflectedXSS | 32          | 32     | 100%
    Cookie Input Vector - Experimental | ReflectedXSS | 1           | 1      | 100%
    GET Input Vector - Experimental    | ReflectedXSS | 11          | 11     | 100%
    POST Input Vector - Experimental   | ReflectedXSS | 11          | 11     | 100%
    GET Input Vector - Experimental    | DomXSS       | 4           | 4      | 100%


    1.3. LFI Test Report

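    Input Vector      | Test Cases                                    | Cases Count | Report | Pass Rate
    ------------------|-----------------------------------------------|-------------|--------|----------
    GET Input Vector  | Erroneous HTTP 500 Responses                  | 68          | 68     | 100%
    GET Input Vector  | Erroneous HTTP 404 Responses                  | 68          | 68     | 100%
    GET Input Vector  | Erroneous HTTP 200 Responses                  | 68          | 68     | 100%
    GET Input Vector  | HTTP 302 Redirect Responses                   | 68          | 68     | 100%
    GET Input Vector  | HTTP 200 Responses With Differentiation       | 68          | 68     | 100%
    GET Input Vector  | HTTP 200 Responses with Default File on Error | 68          | 68     | 100%
    POST Input Vector | Erroneous HTTP 500 Responses                  | 68          | 68     | 100%
    POST Input Vector | Erroneous HTTP 404 Responses                  | 68          | 68     | 100%
    POST Input Vector | Erroneous HTTP 200 Responses                  | 68          | 68     | 100%
    POST Input Vector | HTTP 302 Redirect Responses                   | 68          | 68     | 100%
    POST Input Vector | HTTP 200 Responses With Differentiation       | 68          | 68     | 100%
    POST Input Vector | HTTP 200 Responses with Default File on Error | 68          | 68     | 100%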

    1.4. RFI Test Report

    Input Vector      | Test Cases                                    | Cases Count | Report | Pass Rate
    ------------------|-----------------------------------------------|-------------|--------|----------
    GET Input Vector  | Erroneous HTTP 500 Responses                  | 9           | 9      | 100%
    GET Input Vector  | Erroneous HTTP 404 Responses                  | 9           | 9      | 100%
    GET Input Vector  | Erroneous HTTP 200 Responses                  | 9           | 9      | 100%
    GET Input Vector  | HTTP 302 Redirect Responses                   | 9           | 9      | 100%
    GET Input Vector  | HTTP 200 Responses With Differentiation       | 9           | 9      | 100%
    GET Input Vector  | HTTP 200 Responses with Default File on Error | 9           | 9      | 100%
    POST Input Vector | Erroneous HTTP 500 Responses                  | 9           | 9      | 100%
    POST Input Vector | Erroneous HTTP 404 Responses                  | 9           | 9      | 100%
    POST Input Vector | Erroneous HTTP 200 Responses                  | 9           | 9      | 100%
    POST Input Vector | HTTP 302 Redirect Responses                   | 9           | 9      | 100%
    POST Input Vector | HTTP 200 Responses With Differentiation       | 9           | 9      | 100%
    POST Input Vector | HTTP 200 Responses with Default File on Error | 9           | 9      | 100%

    1.5. Redirect Test Report

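    Input Vector      | Test Cases                                  | Cases Count | Report | Pass Rate
    ------------------|---------------------------------------------|-------------|--------|----------
    GET Input Vector  | HTTP 302 Redirect Responses                 | 15          | 15     | 100%
    GET Input Vector  | HTTP 200 Responses With Javascript Redirect | 15          | 15     | 100%
    POST Input Vector | HTTP 302 Redirect Responses                 | 15          | 15     | 100%
    POST Input Vector | HTTP 200 Responses With Javascript Redirect | 15          | 15     | 100%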

    1.6. False Positive Test Report

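    False Vuln    | Test Cases     | Cases Count | Report | Pass Rate
    --------------|----------------|-------------|--------|----------
    SQL Injection | False Positive | 10          | 0      | 100%
    XSS           | False Positive | 7           | 0      | 100%
    LFI           | False Positive | 8           | 0      | 100%
    RFI           | False Positive | 6           | 0      | 100%
    Redirect      | False Positive | 9           | 0      | 100%
    Backup        | False Positive | 4           | 0      | 100%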


    2. Test Environment

    2.1. Product and Test Cases

    WAVSEP (Web Application Vulnerability Scanner Evaluation Project) v1.5

    WAVSEP Environment: Windows 8.1 + XAMPP (Tomcat + MySQL)

    WebCruiser Web Vulnerability Scanner Enterprise Edition V3.4.0

    2.2. Test Scope

    This test report includes the following vulnerabilities:

    SQL Injection

    Cross-site Scripting (XSS)

    LFI (Local File Inclusion)

    RFI (Remote File Inclusion)

    Redirect

    Obsolete Backup

    Other test cases are not included.


    2.3. Test Method

    To get the test results quickly, we use a new feature of WebCruiser Web Vulnerability Scanner called Scan Page, which scans all links in a page at one time. This function requires that the links be located under the same directory or a subdirectory; links under other directories will be skipped.

    When starting a new page scan, click Reset Scanner to clear the previous result, navigate to the new page, and then click ScanPage.

    2.4. SQL Injection Test Details

    2.4.1. Get Input Vector

    Erroneous 500 Responses (19 cases)


    Erroneous 200 Responses (19 cases)


    200 Responses With Differentiation (19 cases)


    Identical 200 Responses (8 cases)

    2.4.2. Post Input Vector

    Erroneous 500 Responses (19 cases)


    Erroneous 200 Responses (19 cases)


    200 Responses With Differentiation (19 cases)


    Identical 200 Responses (xx cases)

    2.4.3. GET Input Vector Experimental

    Experimental 1 case

    2.4.4. POST Input Vector Experimental

    Experimental 1 case


    2.5. XSS Test Details

    2.5.1. Get Input Vector


    2.5.2. POST Input Vector

    2.5.3. Cookie Input Vector Experimental

    2.5.4. GET Input Vector Experimental


    2.5.5. POST Input Vector Experimental

    2.5.6. DomXSS GET Input Vector Experimental

    2.6. Other Test Details

    Test details are not listed here; for the results, please refer to Chapter 1: Test Report.

    http://www.janusec.com, Feb 24, 2015
