75 passed, 1 failed, 9 skipped, 94 total (79% pass rate)

⚠ Vulnerabilities Found (3)

LOW Potential XSS via URL reflection

Script tag in URL may be reflected

Fix: Ensure JSON responses have correct Content-Type

MEDIUM Open Redirect Abuse

Open redirects from trusted domains to malicious pages are not flagged

Fix: Parse redirect destination URL and scan that too

HIGH Evasion Technique Bypass

AI-generated evasion URLs bypass the GuardDex rule engine

Payload:
  https://paypa1.attacker.com/login.php
  https://appl3.attacker.domain/account?action=signin
  https://amaz0n.attacker.com/order-confirmation
  https://paypa1%2eattacker.com/login.php
  https://appl3.attacker%2edomain/account?action=signin

Fix: These bypassed URLs reveal specific gaps — add to regression tests
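The bypass list above exposes two gaps that a normalisation pass closes before any brand rule runs: digit-for-letter substitution (paypa1, appl3, amaz0n, and the faceb00k and gooogle misses reported under Evasion) and percent-encoded dots in the hostname, which turn the whole host into one opaque label. The Python below is an added example of that pass plus a regression set built from the payloads; it is not GuardDex code. Its brand list, the signal names other than brand_impersonation and http_login_page, and the two reconstructed typosquat URLs are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed for this example: a few brands and their official registrable domains.
# GuardDex's own list of 44 protected brands is not reproduced on this page.
OFFICIAL = {
    "paypal":   {"paypal.com"},
    "apple":    {"apple.com", "icloud.com"},
    "amazon":   {"amazon.com"},
    "google":   {"google.com"},
    "facebook": {"facebook.com"},
}

# Digit/symbol-for-letter substitutions used by the bypassing URLs (paypa1, appl3, amaz0n, faceb00k).
LEET = str.maketrans("0134578@$", "oleastbas")
# Cyrillic letters that render like Latin ones; they surface once a punycode label is IDNA-decoded.
HOMOGLYPHS = str.maketrans("аеорсху", "aeopcxy")


def collapse(s: str) -> str:
    """Squeeze letter runs so 'gooogle' and 'google' both become 'gogle'."""
    return re.sub(r"(.)\1+", r"\1", s)


def normalize_host(url: str) -> tuple[str, list[str]]:
    """Canonicalise the host of url; return (folded host, obfuscation signals).

    The signal names 'encoded_hostname' and 'homoglyph_domain' are invented here.
    """
    raw = urlsplit(url).hostname or ""
    host, signals = raw, []
    while unquote(host) != host:                    # %2e, %252e, ... -> "."
        host = unquote(host)
    if host != raw:
        signals.append("encoded_hostname")          # percent-encoding never belongs in a hostname
    host = host.rstrip(".").lower()
    try:
        host = host.encode("ascii").decode("idna")  # xn-- labels -> Unicode
    except UnicodeError:
        pass                                        # already Unicode, or not valid punycode
    folded = host.translate(HOMOGLYPHS)
    if folded != host:
        signals.append("homoglyph_domain")
    return folded, signals


def registrable(host: str) -> str:
    """Naive registrable domain (last two labels); real code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def brand_tokens(host: str) -> set[str]:
    """Each dot- or hyphen-separated part of the host, plus its leet-decoded form."""
    tokens = set()
    for part in re.split(r"[.-]", host):
        if part:
            tokens.update({part, part.translate(LEET)})
    return tokens


def scan(url: str) -> dict:
    """Rule-engine verdict for url: allow on a clean official domain, block on impersonation."""
    host, signals = normalize_host(url)
    reg = registrable(host)
    official = next((b for b, domains in OFFICIAL.items() if reg in domains), None)
    if official and not signals:
        return {"host": host, "brand": official, "action": "allow", "signals": []}
    tokens = brand_tokens(host)
    brand = next((b for b in OFFICIAL
                  if any(t == b or collapse(t) == collapse(b) for t in tokens)), None)
    if brand:
        signals.append("brand_impersonation")       # signal name as reported by GuardDex
    if urlsplit(url).scheme == "http" and re.search(r"login|signin|account", url, re.I):
        signals.append("http_login_page")           # likewise
    blocking = {"brand_impersonation", "homoglyph_domain"}
    action = "block" if blocking & set(signals) else "allow"
    return {"host": host, "brand": brand, "action": action, "signals": signals}


# Regression set: the five URLs the HIGH finding lists as bypassing the rule engine, plus two
# URLs constructed here from the Evasion group's typosquatting misses (the exact misses aren't shown).
REGRESSION = [
    "https://paypa1.attacker.com/login.php",
    "https://appl3.attacker.domain/account?action=signin",
    "https://amaz0n.attacker.com/order-confirmation",
    "https://paypa1%2eattacker.com/login.php",
    "https://appl3.attacker%2edomain/account?action=signin",
    "https://gooogle.attacker.com/login",           # constructed: "google triple-o"
    "https://faceb00k.attacker.com/login",          # constructed: "facebook 00->oo"
]


def regression_failures() -> list[str]:
    """URLs in REGRESSION that these rules would still let through (expected: none)."""
    return [u for u in REGRESSION if scan(u)["action"] != "block"]


if __name__ == "__main__":
    for u in REGRESSION:
        print(scan(u)["action"], u)
    print("still bypassing:", regression_failures())
```

Run it directly to get a verdict per regression URL. The registrable-domain split is deliberately naive (last two labels), so anything beyond a demo should consult the Public Suffix List, and the homoglyph table covers only the Cyrillic letters most often seen in punycode lures.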

Smoke (6 pass / 0 fail / 6 total)
health_endpoint API healthy | 44 brands | version 2.0.0 4ms
root_endpoint API root OK: GuardDex API v2.0.0 2ms
docs_accessible OpenAPI docs accessible at /docs 1ms
brands_endpoint 44 protected brands loaded 3ms
challenge_stats Stats OK: 376 challenges issued 3ms
dashboard_accessible Challenge screen HTML reachable 3ms
Phishing (12 pass / 0 fail / 12 total)
fake_paypal CAUGHT → block | risk=critical | 3 signals | Would have saved David $200 4ms
fake_facebook CAUGHT → block | Would have stopped the 2-year hack chain 3ms
real_paypal Real PayPal correctly ALLOWED 3ms
ip_login IP address login BLOCKED | signals: ['ip_address_login', 'brand_impersonation', 'http_login_page'] 4ms
punycode Punycode domain BLOCKED 2ms
official_sites_allow All 10 official sites correctly ALLOWED 1056ms
phishing_bulk All 24 phishing URLs caught (100% detection rate) 2489ms
37_brands_stress All 37/37 brands detected (100%) 72718ms
long_subdomain_evasion Deep subdomain attack caught: block 3ms
double_extension Double extension caught: block 2ms
https_not_safe HTTPS phishing site still blocked - good 2ms
signal_quality 3 well-formed signals returned: ['suspicious_tld', 'brand_impersonation', 'http_login_page'] 2ms
Challenge (13 pass / 0 fail / 13 total)
correct_domain Correct domain accepted | official_url=https://www.paypal.com 2ms
alternate_domain https://paypal.com (no www) accepted 1ms
fake_domain Fake domain correctly rejected: That is not an official login address for PayPal 1ms
http_rejected HTTP (non-HTTPS) correctly rejected by challenge 1ms
ip_rejected IP address correctly rejected by challenge 1ms
punycode_rejected Punycode domain rejected by challenge 2ms
empty_input Empty input rejected 2ms
wrong_brand Cross-brand domain correctly rejected 24ms
subdomain_official Official domain with path accepted 2ms
xss_input XSS input rejected by challenge validator 2ms
sqli_brand SQL injection in brand field rejected (HTTP 400) 2ms
google_challenge Google challenge: correct domain accepted 2ms
apple_challenge Apple ID challenge: correct domain accepted 2ms
Security (11 pass / 0 fail / 13 total)
cors_wildcard CORS restricted to: https://evil.example.com 1ms
server_header Server header: 'guarddex' (acceptable) 3ms
404_no_trace 404 response clean (HTTP 404) 2ms
malformed_json Malformed JSON handled gracefully (HTTP 422) 2ms
empty_body Empty body correctly rejected (422/400) 4ms
long_url Very long URL rejected (HTTP 400) 2ms
null_bytes Null byte URL rejected (HTTP 400) 2ms
js_protocol javascript: URI rejected at HTTP level (400) 1ms
data_uri data: URI rejected at HTTP level (400) 2ms
rate_limit No rate limiting detected on scan endpoint (0/25 throttled) - OK for internal API 55ms
scan_get_rejected GET on POST-only endpoint returns 405 2ms
brands_post_rejected POST on GET-only brands endpoint returns 405 1ms
response_xss URL with script tag reflected in response (check content-type header) 3ms
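The cors_wildcard and response_xss lines above only print what the server returned; neither is conclusive on its own. An Access-Control-Allow-Origin value equal to the Origin the probe sent (the test name suggests https://evil.example.com was that probe origin) means the server echoes arbitrary origins, which is not a restriction, whereas a fixed value different from the probe is. Likewise a reflected script tag in a body served as application/json with X-Content-Type-Options: nosniff is inert, but the same body as text/html, or with no Content-Type at all, is exploitable, which is why the LOW finding's fix is the content type rather than the reflection. The Python below is an added example of reading both results correctly; it is not GuardDex code or part of its test suite, the responses it inspects are constructed, and the probe origin is assumed.

```python
import html


def _header(headers: dict, name: str):
    """Case-insensitive header lookup; returns None when absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def cors_outcome(probe_origin: str, headers: dict) -> str:
    """Classify Access-Control-Allow-Origin against the Origin the probe sent.

    no_cors       no ACAO header: cross-origin reads are blocked by the browser
    restricted    a fixed origin that is not ours
    wildcard      '*': any site may read responses (browsers refuse it with credentials)
    reflected     our arbitrary origin echoed back: effectively no restriction at all
    reflected_with_credentials  echoed origin plus Allow-Credentials: true (worst case)
    """
    acao = _header(headers, "Access-Control-Allow-Origin")
    if acao is None:
        return "no_cors"
    acao = acao.strip()
    if acao == "*":
        return "wildcard"
    if acao.lower() == probe_origin.lower():
        creds = (_header(headers, "Access-Control-Allow-Credentials") or "").strip().lower() == "true"
        return "reflected_with_credentials" if creds else "reflected"
    return "restricted"


def reflection_risk(payload: str, headers: dict, body: str) -> str:
    """Classify a reflected payload by whether a browser could ever render it as HTML.

    not_reflected / escaped   payload absent, or present only HTML- or JSON-escaped
    json_nosniff              raw in application/json with nosniff: inert when loaded directly
    json_sniffable            raw in application/json without nosniff: add X-Content-Type-Options
    html_raw                  raw in text/html, or no Content-Type at all (browser may sniff HTML)
    other_raw                 raw under some other media type; review case by case
    """
    if payload not in body:
        escaped = html.escape(payload) in body or payload.replace("<", "\\u003c") in body
        return "escaped" if escaped else "not_reflected"
    ctype = (_header(headers, "Content-Type") or "").split(";")[0].strip().lower()
    nosniff = (_header(headers, "X-Content-Type-Options") or "").strip().lower() == "nosniff"
    if ctype in ("", "text/html"):
        return "html_raw"
    if ctype in ("application/json", "application/problem+json"):
        return "json_nosniff" if nosniff else "json_sniffable"
    return "other_raw"


# Constructed responses shaped like what the two probes would see; not captured from GuardDex.
PROBE_ORIGIN = "https://evil.example.com"          # assumed probe Origin
XSS_PAYLOAD = "<script>alert(1)</script>"          # quote-free so JSON does not backslash-escape it
SAMPLE_CORS_HEADERS = {"Access-Control-Allow-Origin": "https://evil.example.com"}
SAMPLE_XSS_HEADERS = {"Content-Type": "application/json"}
SAMPLE_XSS_BODY = '{"url": "https://x.example/?q=<script>alert(1)</script>", "action": "block"}'


def audit() -> dict:
    """How the two Security-group lines should be read for the constructed samples."""
    return {
        "cors_wildcard": cors_outcome(PROBE_ORIGIN, SAMPLE_CORS_HEADERS),
        "response_xss": reflection_risk(XSS_PAYLOAD, SAMPLE_XSS_HEADERS, SAMPLE_XSS_BODY),
    }


if __name__ == "__main__":
    for test, reading in audit().items():
        print(f"{test}: {reading}")
```

The point of cors_outcome is that it needs the probe origin as input: a harness that prints only the returned header, as the report does, cannot tell "restricted to X" from "echoes whatever I send" unless X differs from what it sent. The response_xss test should record the Content-Type and nosniff values alongside the reflection, since those decide whether the LOW rating holds.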
Ai (1 pass / 0 fail / 10 total)
v2_detection v2.0 endpoints not yet on target (expected - they're being merged). Remaining AI tests will run in probe/compatibility mode. 5ms
ollama_reachable AI analysis field in response (4704ms) - Ollama connected 4703ms
v2_register v2.0 not yet on target 5ms
weak_password v2.0 not yet on target 6ms
dupe_email v2.0 not yet on target 7ms
wrong_password v2.0 not yet on target 5ms
jwt_manipulation v2.0 not yet on target 4ms
ai_typosquatting v2.0 not yet on target 5ms
scan_performance v2.0 not yet on target 7ms
user_enum v2.0 not yet on target 5ms
Analytics (11 pass / 0 fail / 12 total)
dashboard_reachable Analytics dashboard OK (HTTP 200) 3ms
dashboard_structure All 5 required keys present 3ms
dashboard_stats_fields Stats valid — 44 brands protected, 1648 total scans 2ms
dashboard_trend 30-day trend: 30 labels, correct MM-DD format 3ms
stats_consistency Stats consistent: 1648 total = 781 blocked + 414 challenged + 453 allowed 3ms
ai_status_endpoint Ollama available — model=phi3:mini loaded=['phi3:mini'] 14ms
ai_fields_present ai_used=False ai_analysis=null (expected for safe) 3ms
ai_triggers_challenge AI ran in 4781ms — verdict=phishing confidence=90% 4780ms
ai_skips_safe AI correctly skipped for official PayPal (action=allow, ai_used=False) 3ms
ai_verdict_structure AI did not run (Ollama may be down) 2ms
stats_increment total_scans incremented: 1655 → 1656 5ms
challenge_stats Challenge stats OK — 417 challenged, 782 blocked, 1656 total 2ms
Browser_exploits (5 pass / 0 fail / 6 total)
fake_browser_updates All 10 BeEF/fake-update delivery URLs caught (100%) 34390ms
drive_by_downloads Caught 5/7 (71%) — missed: fake Flash update → allow; fake Java install → allow 19849ms
watering_hole All 4 watering hole URLs caught 20367ms
browser_allow All 3 legitimate browser sites correctly allowed 7ms
beef_running BeEF is running on :3000 — live hook tests available 19ms
beef_hook_delivery All 4 BeEF hook delivery URL patterns caught 21896ms
Social_engineering (5 pass / 0 fail / 7 total)
credential_harvesters All 9 credential harvester URLs caught (100%) 12143ms
tech_support_scams All 7 tech support scam URLs caught (100%) 15298ms
gov_impersonation All 6 government impersonation URLs caught (100%) 5135ms
package_pretext All 6 package/prize pretext URLs caught 26468ms
romance_scams Caught 2/3 (67%) romance scam URLs — difficult without AI analysis of content 5014ms
gov_allow All 4 legitimate government/service sites correctly allowed 9ms
set_available SET not installed (optional). Install: sudo apt install set or: git clone https://github.com/trustedsec/social-engineer-toolkit 0ms
Evasion (5 pass / 0 fail / 8 total)
encoding_bypass All 4 URL-encoded evasions caught 16429ms
subdomain_stacking All 6 subdomain stacking attacks caught (100%) 16ms
homoglyph All 5 homoglyph attacks caught 12846ms
open_redirect Open redirect handling: 1 blocked, 0 challenged, 3 allowed — open redirects on trusted domains are hard to detect 12ms
shortener_challenge 3/4 URL shorteners allowed through without challenge — destination is unknown, risk cannot be assessed 10ms
typosquatting Caught 6/8 (75%) — missed: google triple-o; facebook 00→oo 22027ms
combo_attacks All 3 multi-technique evasion attacks caught 4329ms
evasion_fp_check All 3 legitimate sites still correctly allowed after evasion tests 7ms
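The MEDIUM finding and the open_redirect and shortener_challenge lines above share one cause: the engine judges the URL it is handed, not where that URL sends the user. Following a redirector over the network is slow and tips off the attacker, but most open redirects carry their destination inside the URL itself, so it can be extracted and scanned offline. The Python below is an added example of that extraction (percent-encoded, protocol-relative, backslash and base64-wrapped destinations, followed through several hops) with the worst verdict along the chain winning; it is not GuardDex code, and its trusted-host list and the allow/challenge/block stand-in judge are assumptions. Shortener destinations are not in the URL and still need a resolution step this example does not perform.

```python
import base64
import ipaddress
import re
from urllib.parse import unquote, urlsplit

URL_RE = re.compile(r"^https?://[^/?#\s]+", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/_-]{8,}={0,2}")


def _as_url(value: str, base_scheme: str):
    """Interpret one query value as a redirect destination, or return None.

    Handles nested percent-encoding, '\\' (browsers treat it as '/'), protocol-relative
    '//host' values and base64-wrapped URLs.
    """
    v = value
    while unquote(v) != v:                          # %2F, %252F, ... -> "/"
        v = unquote(v)
    v = v.strip().replace("\\", "/")
    if v.startswith("//"):                          # //evil.example -> https://evil.example
        v = f"{base_scheme}:{v}"
    if URL_RE.match(v):
        return v
    if B64_RE.fullmatch(v):                         # e.g. aHR0cHM6Ly9ldmlsLmV4YW1wbGUv
        try:
            decoded = base64.urlsafe_b64decode(v + "=" * (-len(v) % 4)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return None
        if URL_RE.match(decoded):
            return decoded
    return None


def redirect_targets(url: str) -> list:
    """Every destination embedded in url: URL-shaped query values and URLs inside the path."""
    parts = urlsplit(url)
    scheme = parts.scheme or "https"
    found = []
    for pair in parts.query.split("&"):
        _, _, value = pair.partition("=")           # split raw so '+' inside base64 survives
        target = _as_url(value, scheme)
        if target and target not in found:
            found.append(target)
    for m in re.finditer(r"https?://[^\s?#]+", unquote(parts.path)):   # /redirect/https://...
        if m.group(0) not in found:
            found.append(m.group(0))
    return found


def destination_set(url: str, max_hops: int = 5) -> list:
    """Breadth-first walk of embedded redirects, no network: the start URL first, then each hop."""
    seen, frontier = [url], [url]
    for _ in range(max_hops):
        nxt = []
        for u in frontier:
            for t in redirect_targets(u):
                if t not in seen and t not in nxt:
                    nxt.append(t)
        if not nxt:
            break
        seen.extend(nxt)
        frontier = nxt
    return seen


# Constructed stand-in for GuardDex's official-domain data; the real engine's brand, TLD and
# login-page rules would run in place of _judge.
TRUSTED_HOSTS = {"www.google.com", "accounts.google.com", "www.paypal.com", "login.microsoftonline.com"}
RANK = {"allow": 0, "challenge": 1, "block": 2}


def _judge(url: str) -> str:
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return "block"                              # IP-literal destination (cf. ip_address_login)
    except ValueError:
        pass
    return "allow" if host in TRUSTED_HOSTS else "challenge"   # unknown destination -> challenge


def verdict(url: str) -> dict:
    """Judge the start URL and every embedded destination; the worst result wins."""
    chain = destination_set(url)
    worst_url, worst = max(((u, _judge(u)) for u in chain), key=lambda r: RANK[r[1]])
    return {"chain": chain, "final": chain[-1], "action": worst, "flagged": worst_url}


if __name__ == "__main__":
    print(verdict("https://www.google.com/url?q=https://evil.example/login"))
```

Because the walk is offline, a trusted redirector pointing at an unknown host comes back as "challenge" with the offending hop in `flagged`, which is the behaviour the shortener_challenge line asks for; only a destination that resolves to a trusted host stays "allow".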
Ai_redteam (6 pass / 1 fail / 7 total)
attacker_model Attacker model: dolphin-mistral:7b — adversarial generation ready 20ms
redteam_banks Model: dolphin-mistral:7b | Generated 7 URLs in 19683ms | GuardDex caught 7/7 (100%) 32167ms
redteam_elderly dolphin-mistral:7b | 8 elderly-targeted URLs | 8/8 caught (100%) 32782ms
redteam_evasion dolphin-mistral:7b evasion | 8 URLs | 2/8 caught (25%) | BYPASSED: https://paypa1.attacker.com/login.php | https://appl3.attacker.domain/account?action=signin | https://amaz0n.attacker.com/order-confirmation 27468ms
gap_analysis No bypass gaps found in test set — all 4 caught by GuardDex 17708ms
defender_ai_supplement phi3:mini caught 4 ambiguous scam URLs that needed AI context 24059ms
stress_volume 15 AI-generated URLs | 15 caught (100%) | avg 3355ms/scan | total 50323ms 58020ms