WebCruiser is a lightweight web vulnerability scanner focused on high-risk vulnerabilities. Compared with other large scanners, its characteristic feature is that it scans only for high-risk vulnerabilities, and the scan can be restricted to a specified vulnerability type, a specified URL, or a specified page. A complete site scan is of course also possible. Starting with the 3.1.0 release, it has been evaluated against WAVSEP (Web Application Vulnerability Scanner Evaluation Project) v1.5, and it already covers 100% of the SQL injection and cross-site scripting test cases.
Webcruiser Web Vulnerability Scanner 3.1.0 Test report
1. Test Report

1.1. SQL Injection Test Report

| Input Vector | Test Cases | Cases Count | Report | Pass Rate |
|---|---|---|---|---|
| GET Input Vector | Erroneous responses | 19 | 19 | 100% |
| GET Input Vector | Erroneous responses | 19 | 19 | 100% |
| GET Input Vector | Responses with differentiation | 19 | 19 | 100% |
| GET Input Vector | Identical responses | 8 | 8 | 100% |
| POST Input Vector | Erroneous responses | 19 | 19 | 100% |
| POST Input Vector | Erroneous responses | 19 | 19 | 100% |
| POST Input Vector | Responses with differentiation | 19 | 19 | 100% |
| POST Input Vector | Identical responses | 8 | 8 | 100% |
| GET Input Vector (experimental) | Insert/delete/other | 1 | 1 | 100% |
| POST Input Vector (experimental) | Insert/delete/other | 1 | 1 | 100% |
1.2. XSS Test Report

| Input Vector | Test Cases | Cases Count | Report | Pass Rate |
|---|---|---|---|---|
| GET Input Vector | Reflected XSS | 32 | 32 | 100% |
| POST Input Vector | Reflected XSS | 32 | 32 | 100% |
| Cookie Input Vector (experimental) | Reflected XSS | 1 | 1 | 100% |
| GET Input Vector (experimental) | Reflected XSS | 11 | 11 | 100% |
| POST Input Vector (experimental) | Reflected XSS | 11 | 11 | 100% |
| GET Input Vector (experimental) | DOM XSS | 4 | 4 | 100% |
1.3. LFI Test Report

| Input Vector | Test Cases | Cases Count | Report | Pass Rate |
|---|---|---|---|---|
| GET Input Vector | Erroneous HTTP responses | 68 | 68 | 100% |
| GET Input Vector | Erroneous HTTP 404 responses | 68 | 68 | 100% |
| GET Input Vector | Erroneous HTTP responses | 68 | 68 | 100% |
| GET Input Vector | HTTP 302 redirect responses | 68 | 68 | 100% |
| GET Input Vector | HTTP responses with differentiation | 68 | 68 | 100% |
| GET Input Vector | HTTP responses with default file on error | 68 | 68 | 100% |
| POST Input Vector | Erroneous HTTP responses | 68 | 68 | 100% |
| POST Input Vector | Erroneous HTTP 404 responses | 68 | 68 | 100% |
| POST Input Vector | Erroneous HTTP responses | 68 | 68 | 100% |
| POST Input Vector | HTTP 302 redirect responses | 68 | 68 | 100% |
| POST Input Vector | HTTP responses with differentiation | 68 | 68 | 100% |
| POST Input Vector | HTTP responses with default file on error | 68 | 68 | 100% |
1.4. RFI Test Report

| Input Vector | Test Cases | Cases Count | Report | Pass Rate |
|---|---|---|---|---|
| GET Input Vector | Erroneous HTTP responses | 9 | 9 | 100% |
| GET Input Vector | Erroneous HTTP 404 responses | 9 | 9 | 100% |
| GET Input Vector | Erroneous HTTP responses | 9 | 9 | 100% |
| GET Input Vector | HTTP 302 redirect responses | 9 | 9 | 100% |
| GET Input Vector | HTTP responses with differentiation | 9 | 9 | 100% |
| GET Input Vector | HTTP responses with default file on error | 9 | 9 | 100% |
| POST Input Vector | Erroneous HTTP responses | 9 | 9 | 100% |
| POST Input Vector | Erroneous HTTP 404 responses | 9 | 9 | 100% |
| POST Input Vector | Erroneous HTTP responses | 9 | 9 | 100% |
| POST Input Vector | HTTP 302 redirect responses | 9 | 9 | 100% |
| POST Input Vector | HTTP responses with differentiation | 9 | 9 | 100% |
| POST Input Vector | HTTP responses with default file on error | 9 | 9 | 100% |
1.5. Redirect Test Report

| Input Vector | Test Cases | Cases Count | Report | Pass Rate |
|---|---|---|---|---|
| GET Input Vector | HTTP 302 redirect responses | 15 | 15 | 100% |
| GET Input Vector | HTTP responses with JavaScript redirect | 15 | 15 | 100% |
| POST Input Vector | HTTP 302 redirect responses | 15 | 15 | 100% |
| POST Input Vector | HTTP responses with JavaScript redirect | 15 | 15 | 100% |
1.6. False Positive Test Report

| False Vuln | Test Cases | Cases Count | Report | Pass Rate |
|---|---|---|---|---|
| SQL Injection | False Positive | 10 | 0 | 100% |
| XSS | False Positive | 7 | 0 | 100% |
2. Test Environment

2.1. Product and Test Cases

WAVSEP (Web Application Vulnerability Scanner Evaluation Project) v1.5
WAVSEP environment: Windows 8.1 + XAMPP (Tomcat + MySQL)
WebCruiser Web Vulnerability Scanner Enterprise Edition V3.1.0
2.2. Test Scope
This test report includes the following vulnerabilities:
- SQL Injection
- Cross-site Scripting (XSS)
- LFI (Local File inclusion)
- RFI (Remote File inclusion)
- Redirect
Other test cases are not included.
2.3. Test Method
To obtain the test results quickly, we used a new feature of WebCruiser Web Vulnerability Scanner called "Scan Page", which scans all links in a page at once. This function requires the links to be located in the same directory or a subdirectory; links under other directories are skipped.
To start a new page scan, click "Reset Scanner" to clear the previous result, navigate to the new page, and then click "Scan Page".
Original test report: Http://www.janusec.com/download/WebCruiser_Web_Vulnerability_Scanner_Test_Report.pdf