Run #3 — Full Report
http://localhost:8088
Suites: smoke,phishing,challenge,security,ai | Status: done | 2026-02-21 18:57:33 UTC
⚠ Vulnerabilities Found (4)
LOW
Information Disclosure
Server header reveals framework version
Fix: Remove or mask the Server header
MEDIUM
JavaScript URI Not Blocked
javascript: URI not flagged as malicious
Fix: Block javascript: and data: URI schemes
MEDIUM
Data URI Not Blocked
data: URI phishing page not flagged
Fix: Block data: URIs - they bypass domain checks
LOW
Potential XSS via URL reflection
Script tag in URL may be reflected
Fix: Ensure JSON responses have correct Content-Type
Smoke
(
6 pass / 0 fail / 6 total)
health_endpoint
API healthy | 37 brands | version 1.1.0
4ms
root_endpoint
API root OK: GuardDex API v1.1.0
1ms
docs_accessible
OpenAPI docs accessible at /docs
1ms
brands_endpoint
37 protected brands loaded
3ms
challenge_stats
Stats OK: 16 challenges issued
3ms
dashboard_accessible
Challenge screen HTML reachable
5ms
Phishing
(
12 pass / 0 fail / 12 total)
fake_paypal
CAUGHT → block | risk=critical | 3 signals | Would have saved David $200
6ms
fake_facebook
CAUGHT → block | Would have stopped the 2-year hack chain
2ms
real_paypal
Real PayPal correctly ALLOWED
2ms
ip_login
IP address login BLOCKED | signals: ['ip_address_login', 'brand_impersonation', 'http_login_page']
2ms
punycode
Punycode domain BLOCKED
2ms
official_sites_allow
All 10 official sites correctly ALLOWED
1032ms
phishing_bulk
All 24 phishing URLs caught (100% detection rate)
2484ms
37_brands_stress
All 37/37 brands detected (100%)
37776ms
long_subdomain_evasion
Deep subdomain attack caught: block
3ms
double_extension
Double extension caught: block
3ms
https_not_safe
HTTPS phishing site still blocked - good
2ms
signal_quality
3 well-formed signals returned: ['suspicious_tld', 'brand_impersonation', 'http_login_page']
1ms
Challenge
(
13 pass / 0 fail / 13 total)
correct_domain
Correct domain accepted | official_url=https://www.paypal.com
2ms
alternate_domain
https://paypal.com (no www) accepted
1ms
fake_domain
Fake domain correctly rejected: That is not an official login address for PayPal
1ms
http_rejected
HTTP (non-HTTPS) correctly rejected by challenge
1ms
ip_rejected
IP address correctly rejected by challenge
2ms
punycode_rejected
Punycode domain rejected by challenge
1ms
empty_input
Empty input rejected
2ms
wrong_brand
Cross-brand domain correctly rejected
2ms
subdomain_official
Official domain with path accepted
23ms
xss_input
XSS input rejected by challenge validator
2ms
sqli_brand
SQL injection in brand field rejected (HTTP 400)
2ms
google_challenge
Google challenge: correct domain accepted
2ms
apple_challenge
Apple ID challenge: correct domain accepted
2ms
Security
(
6 pass / 0 fail / 13 total)
cors_wildcard
CORS restricted to: https://evil.example.com
2ms
server_header
Server header reveals tech stack: uvicorn
1ms
404_no_trace
404 response clean (HTTP 404)
1ms
malformed_json
Malformed JSON handled gracefully (HTTP 422)
1ms
empty_body
Empty body correctly rejected (422/400)
3ms
long_url
5000-char URL accepted - consider length limits
3ms
null_bytes
Null byte in URL not rejected - action=block
2ms
js_protocol
javascript: URI action=allow - should be blocked
2ms
data_uri
data: URI not blocked: allow
2ms
rate_limit
No rate limiting detected on scan endpoint (0/25 throttled) - OK for internal API
52ms
scan_get_rejected
GET on POST-only endpoint returns 405
1ms
brands_post_rejected
POST on GET-only brands endpoint returns 405
1ms
response_xss
URL with script tag reflected in response (check content-type header)
2ms
Ai
(
1 pass / 0 fail / 10 total)
v2_detection
v2.0 endpoints not yet on target (expected - they're being merged). Remaining AI tests will run in probe/compatibility mode.
8ms
ollama_reachable
AI analysis field in response (1666ms) - Ollama connected
1666ms
v2_register
v2.0 not yet on target
6ms
weak_password
v2.0 not yet on target
4ms
dupe_email
v2.0 not yet on target
4ms
wrong_password
v2.0 not yet on target
4ms
jwt_manipulation
v2.0 not yet on target
5ms
ai_typosquatting
v2.0 not yet on target
4ms
scan_performance
v2.0 not yet on target
4ms
user_enum
v2.0 not yet on target
5ms