Run #12 — Full Report
http://192.168.50.138:8088
Suites: smoke,phishing,challenge,security,ai,analytics,browser_exploits,social_engineering,evasion,ai_redteam | Status: done | 2026-02-23 08:48:49 UTC
⚠ Vulnerabilities Found (2)
LOW
Potential XSS via URL reflection
Script tag in URL may be reflected
Fix: Ensure JSON responses have correct Content-Type
MEDIUM
Open Redirect Abuse
Trusted domain open redirects to malicious pages not flagged
Fix: Parse redirect destination URL and scan that too
Smoke
(
6 pass / 0 fail / 6 total)
health_endpoint
API healthy | 44 brands | version 2.0.0
8ms
root_endpoint
API root OK: GuardDex API v2.0.0
2ms
docs_accessible
OpenAPI docs accessible at /docs
2ms
brands_endpoint
44 protected brands loaded
4ms
challenge_stats
Stats OK: 376 challenges issued
3ms
dashboard_accessible
Challenge screen HTML reachable
4ms
Phishing
(
12 pass / 0 fail / 12 total)
fake_paypal
CAUGHT → block | risk=critical | 3 signals | Would have saved David $200
8ms
fake_facebook
CAUGHT → block | Would have stopped the 2-year hack chain
16ms
real_paypal
Real PayPal correctly ALLOWED
3ms
ip_login
IP address login BLOCKED | signals: ['ip_address_login', 'brand_impersonation', 'http_login_page']
3ms
punycode
Punycode domain BLOCKED
4ms
official_sites_allow
All 10 official sites correctly ALLOWED
1038ms
phishing_bulk
All 24 phishing URLs caught (100% detection rate)
2507ms
37_brands_stress
All 37/37 brands detected (100%)
65686ms
long_subdomain_evasion
Deep subdomain attack caught: block
4ms
double_extension
Double extension caught: block
3ms
https_not_safe
HTTPS phishing site still blocked - good
2ms
signal_quality
3 well-formed signals returned: ['suspicious_tld', 'brand_impersonation', 'http_login_page']
2ms
Challenge
(
13 pass / 0 fail / 13 total)
correct_domain
Correct domain accepted | official_url=https://www.paypal.com
2ms
alternate_domain
https://paypal.com (no www) accepted
2ms
fake_domain
Fake domain correctly rejected: That is not an official login address for PayPal
2ms
http_rejected
HTTP (non-HTTPS) correctly rejected by challenge
1ms
ip_rejected
IP address correctly rejected by challenge
1ms
punycode_rejected
Punycode domain rejected by challenge
1ms
empty_input
Empty input rejected
2ms
wrong_brand
Cross-brand domain correctly rejected
1ms
subdomain_official
Official domain with path accepted
1ms
xss_input
XSS input rejected by challenge validator
1ms
sqli_brand
SQL injection in brand field rejected (HTTP 400)
1ms
google_challenge
Google challenge: correct domain accepted
2ms
apple_challenge
Apple ID challenge: correct domain accepted
2ms
Security
(
11 pass / 0 fail / 13 total)
cors_wildcard
CORS restricted to: https://evil.example.com
1ms
server_header
Server header: 'guarddex' (acceptable)
11ms
404_no_trace
404 response clean (HTTP 404)
2ms
malformed_json
Malformed JSON handled gracefully (HTTP 422)
2ms
empty_body
Empty body correctly rejected (422/400)
2ms
long_url
Very long URL rejected (HTTP 400)
2ms
null_bytes
Null byte URL rejected (HTTP 400)
3ms
js_protocol
javascript: URI rejected at HTTP level (400)
2ms
data_uri
data: URI rejected at HTTP level (400)
2ms
rate_limit
No rate limiting detected on scan endpoint (0/25 throttled) - OK for internal API
62ms
scan_get_rejected
GET on POST-only endpoint returns 405
1ms
brands_post_rejected
POST on GET-only brands endpoint returns 405
1ms
response_xss
URL with script tag reflected in response (check content-type header)
2ms
Ai
(
1 pass / 0 fail / 10 total)
v2_detection
v2.0 endpoints not yet on target (expected - they're being merged). Remaining AI tests will run in probe/compatibility mode.
6ms
ollama_reachable
AI analysis field in response (4562ms) - Ollama connected
4561ms
v2_register
v2.0 not yet on target
6ms
weak_password
v2.0 not yet on target
5ms
dupe_email
v2.0 not yet on target
6ms
wrong_password
v2.0 not yet on target
6ms
jwt_manipulation
v2.0 not yet on target
5ms
ai_typosquatting
v2.0 not yet on target
5ms
scan_performance
v2.0 not yet on target
5ms
user_enum
v2.0 not yet on target
6ms
Analytics
(
11 pass / 0 fail / 12 total)
dashboard_reachable
Analytics dashboard OK (HTTP 200)
3ms
dashboard_structure
All 5 required keys present
3ms
dashboard_stats_fields
Stats valid — 44 brands protected, 1650 total scans
3ms
dashboard_trend
30-day trend: 30 labels, correct MM-DD format
3ms
stats_consistency
Stats consistent: 1650 total = 781 blocked + 415 challenged + 454 allowed
2ms
ai_status_endpoint
Ollama available — model=phi3:mini loaded=['phi3:mini']
21ms
ai_fields_present
ai_used=False ai_analysis=null (expected for safe)
3ms
ai_triggers_challenge
AI ran in 4756ms — verdict=phishing confidence=90%
4755ms
ai_skips_safe
AI correctly skipped for official PayPal (action=allow, ai_used=False)
3ms
ai_verdict_structure
AI did not run (Ollama may be down)
3ms
stats_increment
total_scans incremented: 1659 → 1660
8ms
challenge_stats
Challenge stats OK — 418 challenged, 783 blocked, 1660 total
2ms
Browser_exploits
(
5 pass / 0 fail / 6 total)
fake_browser_updates
All 10 BeEF/fake-update delivery URLs caught (100%)
34468ms
drive_by_downloads
Caught 5/7 (71%) — missed: fake Flash update → allow; fake Java install → allow
19840ms
watering_hole
All 4 watering hole URLs caught
20392ms
browser_allow
All 3 legitimate browser sites correctly allowed
7ms
beef_running
BeEF is running on :3000 — live hook tests available
12ms
beef_hook_delivery
All 4 BeEF hook delivery URL patterns caught
22095ms
Social_engineering
(
5 pass / 0 fail / 7 total)
credential_harvesters
All 9 credential harvester URLs caught (100%)
12079ms
tech_support_scams
All 7 tech support scam URLs caught (100%)
15122ms
gov_impersonation
All 6 government impersonation URLs caught (100%)
5153ms
package_pretext
All 6 package/prize pretext URLs caught
26533ms
romance_scams
Caught 2/3 (67%) romance scam URLs — difficult without AI analysis of content
6354ms
gov_allow
All 4 legitimate government/service sites correctly allowed
12ms
set_available
SET not installed (optional). Install: sudo apt install set or: git clone https://github.com/trustedsec/social-engineer-toolkit
0ms
Evasion
(
5 pass / 0 fail / 8 total)
encoding_bypass
All 4 URL-encoded evasions caught
14805ms
subdomain_stacking
All 6 subdomain stacking attacks caught (100%)
24ms
homoglyph
All 5 homoglyph attacks caught
12853ms
open_redirect
Open redirect handling: 1 blocked, 0 challenged, 3 allowed — open redirects on trusted domains are hard to detect
23ms
shortener_challenge
3/4 URL shorteners allowed through without challenge — destination is unknown, risk cannot be assessed
11ms
typosquatting
Caught 6/8 (75%) — missed: google triple-o; facebook 00→oo
21936ms
combo_attacks
All 3 multi-technique evasion attacks caught
4338ms
evasion_fp_check
All 3 legitimate sites still correctly allowed after evasion tests
9ms
Ai_redteam
(
5 pass / 0 fail / 7 total)
attacker_model
Attacker model: dolphin-mistral:7b — adversarial generation ready
15ms
redteam_banks
Model: dolphin-mistral:7b | Generated 8 URLs in 21337ms | GuardDex caught 7/8 (88%) | Bypassed: http://secure-login.com
26754ms
redteam_elderly
dolphin-mistral:7b | 8 elderly-targeted URLs | 8/8 caught (100%)
31915ms
redteam_evasion
No parseable URLs:
paypal[.]hxxp://evilcompany[.]com/shop/cart/checkout/payment/info?p_a=1234&u_b=5678&c_d=9012
apple[.]hxxps://evilcompany[.]com/store/shopping/cart/items?item_id=1234&payment_method=creditc
16851ms
gap_analysis
No bypass gaps found in test set — all 4 caught by GuardDex
8775ms
defender_ai_supplement
phi3:mini caught 4 ambiguous scam URLs that needed AI context
26263ms
stress_volume
15 AI-generated URLs | 15 caught (100%) | avg 4770ms/scan | total 71550ms
78637ms