WebCruiser Web Vulnerability Scanner 3.1.0 测评
WebCruiser是一款轻量级的Web高危漏洞扫描器,相对于其它大型扫描器,WebCruiser的典型特点是只扫高危漏洞,并且可以只扫指定的漏洞类型,可以只扫指定的URL,可以只扫指定的页面。当然也可以进行全站扫描。其从3.1.0版本开始,通过WAVSEP(扫描器评估) v1.5进行检测评估,已经100%覆盖SQL注入和跨站的全部用例。
WebCruiser Web Vulnerability Scanner 3.1.0 Test Report
1. Test Report
1.1. SQL Injection Test Report
|
Input Vector |
Test Cases |
Cases Count |
Report |
Pass Rate |
|
GET Input Vector |
Erroneous 500 Responses |
19 |
19 |
100% |
|
Erroneous 200 Responses |
19 |
19 |
100% |
|
|
200 Responses With Differentiation |
19 |
19 |
100% |
|
|
Identical 200 Responses |
8 |
8 |
100% |
|
|
POST Input Vector |
Erroneous 500 Responses |
19 |
19 |
100% |
|
Erroneous 200 Responses |
19 |
19 |
100% |
|
|
200 Responses With Differentiation |
19 |
19 |
100% |
|
|
Identical 200 Responses |
8 |
8 |
100% |
|
|
GET Input Vector – Experimental |
Insert / Delete / Other |
1 |
1 |
100% |
|
POST Input Vector - Experimental |
Insert / Delete / Other |
1 |
1 |
100% |
1.2. XSS Test Report
|
Input Vector |
Test Cases |
Cases Count |
Report |
Pass Rate |
|
GET Input Vector |
ReflectedXSS |
32 |
32 |
100% |
|
POST Input Vector |
ReflectedXSS |
32 |
32 |
100% |
|
Cookie Input Vector - Experimental |
ReflectedXSS |
1 |
1 |
100% |
|
GET Input Vector - Experimental |
ReflectedXSS |
11 |
11 |
100% |
|
POST Input Vector - Experimental |
ReflectedXSS |
11 |
11 |
100% |
|
GET Input Vector - Experimental |
DomXSS |
4 |
4 |
100% |
1.3. LFI Test Report
|
Input Vector |
Test Cases |
Cases Count |
Report |
Pass Rate |
|
Get Input Vector |
Erroneous HTTP 500 Responses |
68 |
68 |
100% |
|
Erroneous HTTP 404 Responses |
68 |
68 |
100% |
|
|
Erroneous HTTP 200 Responses |
68 |
68 |
100% |
|
|
HTTP 302 Redirect Responses |
68 |
68 |
100% |
|
|
HTTP 200 Responses With Differentiation |
68 |
68 |
100% |
|
|
HTTP 200 Responses with Default File on Error |
68 |
68 |
100% |
|
|
POST Input Vector |
Erroneous HTTP 500 Responses |
68 |
68 |
100% |
|
Erroneous HTTP 404 Responses |
68 |
68 |
100% |
|
|
Erroneous HTTP 200 Responses |
68 |
68 |
100% |
|
|
HTTP 302 Redirect Responses |
68 |
68 |
100% |
|
|
HTTP 200 Responses With Differentiation |
68 |
68 |
100% |
|
|
HTTP 200 Responses with Default File on Error |
68 |
68 |
100% |
1.4. RFI Test Report
|
Input Vector |
Test Cases |
Cases Count |
Report |
Pass Rate |
|
Get Input Vector |
Erroneous HTTP 500 Responses |
9 |
9 |
100% |
|
Erroneous HTTP 404 Responses |
9 |
9 |
100% |
|
|
Erroneous HTTP 200 Responses |
9 |
9 |
100% |
|
|
HTTP 302 Redirect Responses |
9 |
9 |
100% |
|
|
HTTP 200 Responses With Differentiation |
9 |
9 |
100% |
|
|
HTTP 200 Responses with Default File on Error |
9 |
9 |
100% |
|
|
POST Input Vector |
Erroneous HTTP 500 Responses |
9 |
9 |
100% |
|
Erroneous HTTP 404 Responses |
9 |
9 |
100% |
|
|
Erroneous HTTP 200 Responses |
9 |
9 |
100% |
|
|
HTTP 302 Redirect Responses |
9 |
9 |
100% |
|
|
HTTP 200 Responses With Differentiation |
9 |
9 |
100% |
|
|
HTTP 200 Responses with Default File on Error |
9 |
9 |
100% |
1.5. Redirect Test Report
|
Input Vector |
Test Cases |
Cases Count |
Report |
Pass Rate |
|
Get Input Vector |
HTTP 302 Redirect Responses |
15 |
15 |
100% |
|
HTTP 200 Responses With Javascript Redirect |
15 |
15 |
100% |
|
|
POST Input Vector |
HTTP 302 Redirect Responses |
15 |
15 |
100% |
|
HTTP 200 Responses With Javascript Redirect |
15 |
15 |
100% |
1.6. False Positive Test Report
|
False Vuln |
Test Cases |
Cases Count |
Report |
Pass Rate |
|
SQL Injection |
False Positive |
10 |
0 |
100% |
|
XSS |
False Positive |
7 |
0 |
100% |
2. Test Environment
2.1. Product and Test Cases
WAVSEP (Web Application Vulnerability Scanner Evaluation Project) v1.5
WAVSEP Environment: Windows8.1 + XAMPP (Tomcat + MySQL)
WebCruiser Web Vulnerability Scanner Enterprise Edition V3.1.0
2.2. Test Scope
This test report includes the following vulnerabilities:
- SQL Injection
- Cross-site Scripting(XSS)
- LFI(Local File Inclusion)
- RFI(Remote File Inclusion)
- Redirect
Other test cases are not included.
2.3. Test Method
In order to get the test results quickly, we use a new feature of WebCruiser Web Vulnerability Scanner, which is “Scan Page”, which means it will scan all links in a page once a time. This function requires that the links locate under the same or sub directory, links under other directories will be skipped.
When start a new page scan, click “Reset Scanner” to clear previous result, and navigate to new page, and then click “ScanPage”
原始测试报告参见:http://www.janusec.com/download/WebCruiser_Web_Vulnerability_Scanner_Test_Report.pdf
郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。
