转：WebCruiser Web Vulnerability Scanner 3 测评

WebCruiser是一款Web高危漏洞扫描器，相对于其它大型扫描器，WebCruiser的典型特点是聚焦高危漏洞，且可以只扫指定的漏洞类型，可以只扫指定的URL，可以只扫指定的页面。当然也可以进行全站扫描。其从3.0版本开始，通过WAVSEP（扫描器评估） v1.5进行检测评估，已经100%覆盖SQL注入和跨站的全部用例。

WebCruiser安全扫描工具使用手册V3下载

在线查看：

http://www.docin.com/p-1059883525.html

WebCruiser Web Vulnerability Scanner 3 Test Report

1. Test Report

1.1. SQL Injection Test Report

Input Vector	Test Cases	Cases Count	Report	Pass Rate
GET Input Vector	Erroneous 500 Responses	19	19	100%
	Erroneous 200 Responses	19	19	100%
	200 Responses With Differentiation	19	19	100%
	Identical 200 Responses	8	8	100%
POST Input Vector	Erroneous 500 Responses	19	19	100%
	Erroneous 200 Responses	19	19	100%
	200 Responses With Differentiation	19	19	100%
	Identical 200 Responses	8	8	100%
GET Input Vector – Experimental	Insert / Delete / Other	1	1	100%
POST Input Vector - Experimental	Insert / Delete / Other	1	1	100%

1.2. XSS Test Report

Input Vector	Test Cases	Cases Count	Report	Pass Rate
GET Input Vector	ReflectedXSS	32	32	100%
POST Input Vector	ReflectedXSS	32	32	100%
Cookie Input Vector - Experimental	ReflectedXSS	1	1	100%
GET Input Vector - Experimental	ReflectedXSS	11	11	100%
POST Input Vector - Experimental	ReflectedXSS	11	11	100%
GET Input Vector - Experimental	DomXSS	4	4	100%

1.3. LFI Test Report

Input Vector	Test Cases	Cases Count	Report	Pass Rate
Get Input Vector	Erroneous HTTP 500 Responses	68	68	100%
	Erroneous HTTP 404 Responses	68	68	100%
	Erroneous HTTP 200 Responses	68	68	100%
	HTTP 302 Redirect Responses	68	68	100%
	HTTP 200 Responses With Differentiation	68	68	100%
	HTTP 200 Responses with Default File on Error	68	68	100%
POST Input Vector	Erroneous HTTP 500 Responses	68	68	100%
	Erroneous HTTP 404 Responses	68	68	100%
	Erroneous HTTP 200 Responses	68	68	100%
	HTTP 302 Redirect Responses	68	68	100%
	HTTP 200 Responses With Differentiation	68	68	100%
	HTTP 200 Responses with Default File on Error	68	68	100%

1.4. RFI Test Report

Input Vector	Test Cases	Cases Count	Report	Pass Rate
Get Input Vector	Erroneous HTTP 500 Responses	9	9	100%
	Erroneous HTTP 404 Responses	9	9	100%
	Erroneous HTTP 200 Responses	9	9	100%
	HTTP 302 Redirect Responses	9	9	100%
	HTTP 200 Responses With Differentiation	9	9	100%
	HTTP 200 Responses with Default File on Error	9	9	100%
POST Input Vector	Erroneous HTTP 500 Responses	9	9	100%
	Erroneous HTTP 404 Responses	9	9	100%
	Erroneous HTTP 200 Responses	9	9	100%
	HTTP 302 Redirect Responses	9	9	100%
	HTTP 200 Responses With Differentiation	9	9	100%
	HTTP 200 Responses with Default File on Error	9	9	100%

1.5. Redirect Test Report

Input Vector	Test Cases	Cases Count	Report	Pass Rate
Get Input Vector	HTTP 302 Redirect Responses	15	15	100%
Get Input Vector	HTTP 200 Responses With Javascript Redirect	15	15	100%
POST Input Vector	HTTP 302 Redirect Responses	15	15	100%
POST Input Vector	HTTP 200 Responses With Javascript Redirect	15	15	100%

1.6. False Positive Test Report

False Vuln	Test Cases	Cases Count	Report	Pass Rate
SQL Injection	False Positive	10	0	100%
XSS	False Positive	7	0	100%

2. Test Environment

2.1. Product and Test Cases

WAVSEP (Web Application Vulnerability Scanner Evaluation Project) v1.5

WAVSEP Environment: Windows8.1 + XAMPP (Tomcat + MySQL)

WebCruiser Web Vulnerability Scanner Enterprise Edition V3.1.0

2.2. Test Scope

This test report includes the following vulnerabilities:

SQL Injection
Cross-site Scripting(XSS)
LFI(Local File Inclusion)
RFI(Remote File Inclusion)
Redirect

Other test cases are not included.

2.3. Test Method

In order to get the test results quickly, we use a new feature of WebCruiser Web Vulnerability Scanner, which is “Scan Page”, which means it will scan all links in a page once a time. This function requires that the links locate under the same or sub directory, links under other directories will be skipped.

When start a new page scan, click “Reset Scanner” to clear previous result, and navigate to new page, and then click “ScanPage”

原始测试报告参见：http://www.janusec.com/download/WebCruiser_Web_Vulnerability_Scanner_Test_Report.pdf