Run #18 — Full Report
http://192.168.50.138:8088
Suites: smoke,phishing,challenge,security,ai,analytics,browser_exploits,social_engineering,evasion,ai_redteam | Status: done | 2026-02-23 21:07:36 UTC
⚠ Vulnerabilities Found (3)
LOW
Potential XSS via URL reflection
Script tag in URL may be reflected
Fix: Ensure JSON responses have correct Content-Type
MEDIUM
Open Redirect Abuse
Trusted domain open redirects to malicious pages not flagged
Fix: Parse redirect destination URL and scan that too
HIGH
Evasion Technique Bypass
AI-generated evasion URLs bypassing GuardDex rule engine
Payload: https://www.googl3.com/accounts/Login https://www.amzng.com/your-account-here https://pypal90.com/signin?uid=abc123&pw=xyz789 https://www.googl45.com/accounts/Login
Fix: These bypassed URLs reveal specific gaps — add to regression tests
Smoke (5 pass / 1 fail / 6 total)
health_endpoint
API healthy | 44 brands | version 2.0.0
8ms
root_endpoint
Expecting value: line 1 column 1 (char 0)
5ms
docs_accessible
OpenAPI docs accessible at /docs
1ms
brands_endpoint
44 protected brands loaded
2ms
challenge_stats
Stats OK: 710 challenges issued
2ms
dashboard_accessible
Challenge screen HTML reachable
3ms
Phishing (11 pass / 0 fail / 12 total)
fake_paypal
CAUGHT → block | risk=critical | 3 signals | Would have saved David $200
47ms
fake_facebook
CAUGHT → block | Would have stopped the 2-year hack chain
8ms
real_paypal
Real PayPal correctly ALLOWED
3ms
ip_login
IP address login BLOCKED | signals: ['ip_address_login', 'brand_impersonation', 'http_login_page']
3ms
punycode
Punycode domain BLOCKED
6ms
official_sites_allow
All 10 official sites correctly ALLOWED
1037ms
phishing_bulk
All 24 phishing URLs caught (100% detection rate)
2540ms
37_brands_stress
36/37 brands detected (97%) | Missed: UPS
40415ms
long_subdomain_evasion
Deep subdomain attack caught: block
3ms
double_extension
Double extension caught: block
3ms
https_not_safe
HTTPS phishing site still blocked - good
3ms
signal_quality
3 well-formed signals returned: ['suspicious_tld', 'brand_impersonation', 'http_login_page']
3ms
Challenge (13 pass / 0 fail / 13 total)
correct_domain
Correct domain accepted | official_url=https://paypal.me
4ms
alternate_domain
https://paypal.com (no www) accepted
2ms
fake_domain
Fake domain correctly rejected: That is not an official login address for PayPal
1ms
http_rejected
HTTP (non-HTTPS) correctly rejected by challenge
2ms
ip_rejected
IP address correctly rejected by challenge
1ms
punycode_rejected
Punycode domain rejected by challenge
1ms
empty_input
Empty input rejected
1ms
wrong_brand
Cross-brand domain correctly rejected
1ms
subdomain_official
Official domain with path accepted
1ms
xss_input
XSS input rejected by challenge validator
1ms
sqli_brand
SQL injection in brand field rejected (HTTP 400)
1ms
google_challenge
Google challenge: correct domain accepted
1ms
apple_challenge
Apple ID challenge: correct domain accepted
1ms
Security (11 pass / 0 fail / 13 total)
cors_wildcard
CORS restricted to: https://evil.example.com
1ms
server_header
Server header: 'guarddex' (acceptable)
13ms
404_no_trace
404 response clean (HTTP 404)
2ms
malformed_json
Malformed JSON handled gracefully (HTTP 422)
2ms
empty_body
Empty body correctly rejected (422/400)
2ms
long_url
Very long URL rejected (HTTP 400)
2ms
null_bytes
Null byte URL rejected (HTTP 400)
2ms
js_protocol
javascript: URI rejected at HTTP level (400)
1ms
data_uri
data: URI rejected at HTTP level (400)
1ms
rate_limit
No rate limiting detected on scan endpoint (0/25 throttled) - OK for internal API
60ms
scan_get_rejected
GET on POST-only endpoint returns 405
1ms
brands_post_rejected
POST on GET-only brands endpoint returns 405
2ms
response_xss
URL with script tag reflected in response (check content-type header)
2ms
Ai (9 pass / 0 fail / 10 total)
v2_detection
v2.0 auth endpoints detected on target - AI tests will run fully
2ms
ollama_reachable
AI analysis field in response (1713ms) - Ollama connected
1713ms
v2_register
v2.0 registration successful - got JWT
358ms
weak_password
All 4 weak passwords rejected
20ms
dupe_email
Duplicate email rejected (HTTP 400)
9ms
wrong_password
Invalid credentials rejected (HTTP 422)
12ms
jwt_manipulation
'none' algorithm JWT rejected (401/403)
3ms
ai_typosquatting
AI caught 1/3 typosquatting URLs
1686ms
scan_performance
v2.0 scan completed in 5ms
7ms
user_enum
Same error for valid/invalid email (no enumeration)
13ms
Analytics (11 pass / 0 fail / 12 total)
dashboard_reachable
Analytics dashboard OK (HTTP 200)
2ms
dashboard_structure
All 5 required keys present
2ms
dashboard_stats_fields
Stats valid — 44 brands protected, 2513 total scans
2ms
dashboard_trend
30-day trend: 30 labels, correct MM-DD format
2ms
stats_consistency
Stats consistent: 2513 total = 1126 blocked + 725 challenged + 662 allowed
2ms
ai_status_endpoint
Ollama available — model=phi3:mini loaded=['phi3:mini']
14ms
ai_fields_present
ai_used=False ai_analysis=null (expected for safe)
2ms
ai_triggers_challenge
AI ran in 1712ms — verdict=phishing confidence=85%
1712ms
ai_skips_safe
AI correctly skipped for official PayPal (action=allow, ai_used=False)
3ms
ai_verdict_structure
AI did not run (Ollama may be down)
3ms
stats_increment
total_scans incremented: 2517 → 2518
9ms
challenge_stats
Challenge stats OK — 726 challenged, 1127 blocked, 2518 total
1ms
Browser_exploits (5 pass / 0 fail / 6 total)
fake_browser_updates
All 10 BeEF/fake-update delivery URLs caught (100%)
12943ms
drive_by_downloads
Caught 5/7 (71%) — missed: fake Flash update → allow; fake Java install → allow
7594ms
watering_hole
All 4 watering hole URLs caught
6788ms
browser_allow
All 3 legitimate browser sites correctly allowed
7ms
beef_running
BeEF is running on :3000 — live hook tests available
23ms
beef_hook_delivery
All 4 BeEF hook delivery URL patterns caught
8200ms
Social_engineering (5 pass / 0 fail / 7 total)
credential_harvesters
All 9 credential harvester URLs caught (100%)
3857ms
tech_support_scams
All 7 tech support scam URLs caught (100%)
5277ms
gov_impersonation
All 6 government impersonation URLs caught (100%)
2159ms
package_pretext
All 6 package/prize pretext URLs caught
9318ms
romance_scams
Caught 2/3 (67%) romance scam URLs — difficult without AI analysis of content
2023ms
gov_allow
All 4 legitimate government/service sites correctly allowed
10ms
set_available
SET not installed (optional). Install: sudo apt install set or: git clone https://github.com/trustedsec/social-engineer-toolkit
0ms
Evasion (5 pass / 0 fail / 8 total)
encoding_bypass
All 4 URL-encoded evasions caught
4559ms
subdomain_stacking
All 6 subdomain stacking attacks caught (100%)
27ms
homoglyph
All 5 homoglyph attacks caught
4734ms
open_redirect
Open redirect handling: 1 blocked, 0 challenged, 3 allowed — open redirects on trusted domains are hard to detect
10ms
shortener_challenge
3/4 URL shorteners allowed through without challenge — destination is unknown, risk cannot be assessed
11ms
typosquatting
Caught 6/8 (75%) — missed: google triple-o; facebook 00→oo
8018ms
combo_attacks
All 3 multi-technique evasion attacks caught
1575ms
evasion_fp_check
All 3 legitimate sites still correctly allowed after evasion tests
8ms
Ai_redteam (5 pass / 1 fail / 7 total)
attacker_model
Attacker model: dolphin-mistral:7b — adversarial generation ready
13ms
redteam_banks
Model: dolphin-mistral:7b | Generated 8 URLs in 16833ms | GuardDex caught 8/8 (100%)
18789ms
redteam_elderly
dolphin-mistral:7b | 8 elderly-targeted URLs | 7/8 caught (88%) | Bypassed: https://techsupportvirusalert.com/
7624ms
redteam_evasion
dolphin-mistral:7b evasion | 8 URLs | 4/8 caught (50%) | BYPASSED: https://www.googl3.com/accounts/Login | https://www.amzng.com/your-account-here | https://pypal90.com/signin?uid=abc123&pw=xyz789
4089ms
gap_analysis
No bypass gaps found in test set — all 4 caught by GuardDex
3883ms
defender_ai_supplement
phi3:mini caught 4 ambiguous scam URLs that needed AI context
8071ms
stress_volume
15 AI-generated URLs | 15 caught (100%) | avg 558ms/scan | total 8367ms
15025ms