Run #4 Report | GuardDex TestBench

49passed 0failed 9skipped 66total 74% pass rate

⚠ Vulnerabilities Found (4)

LOW Information Disclosure

Server header reveals framework version

Fix: Remove or mask the Server header

MEDIUM JavaScript URI Not Blocked

javascript: URI not flagged as malicious

Fix: Block javascript: and data: URI schemes

MEDIUM Data URI Not Blocked

data: URI phishing page not flagged

Fix: Block data: URIs - they bypass domain checks

LOW Potential XSS via URL reflection

Script tag in URL may be reflected

Fix: Ensure JSON responses have correct Content-Type

Smoke ( 6 pass / 0 fail / 6 total)

✔ health_endpoint API healthy | 37 brands | version 1.1.0 8ms

✔ root_endpoint API root OK: GuardDex API v1.1.0 2ms

✔ docs_accessible OpenAPI docs accessible at /docs 1ms

✔ brands_endpoint 37 protected brands loaded 4ms

✔ challenge_stats Stats OK: 31 challenges issued 3ms

✔ dashboard_accessible Challenge screen HTML reachable 4ms

Phishing ( 12 pass / 0 fail / 12 total)

✔ fake_paypal CAUGHT → block | risk=critical | 3 signals | Would have saved David $200 5ms

✔ fake_facebook CAUGHT → block | Would have stopped the 2-year hack chain 4ms

✔ real_paypal Real PayPal correctly ALLOWED 3ms

✔ ip_login IP address login BLOCKED | signals: ['ip_address_login', 'brand_impersonation', 'http_login_page'] 3ms

✔ punycode Punycode domain BLOCKED 3ms

✔ official_sites_allow All 10 official sites correctly ALLOWED 1055ms

✔ phishing_bulk All 24 phishing URLs caught (100% detection rate) 2553ms

✔ 37_brands_stress All 37/37 brands detected (100%) 35428ms

✔ long_subdomain_evasion Deep subdomain attack caught: block 3ms

✔ double_extension Double extension caught: block 3ms

✔ https_not_safe HTTPS phishing site still blocked - good 3ms

✔ signal_quality 3 well-formed signals returned: ['suspicious_tld', 'brand_impersonation', 'http_login_page'] 3ms

Challenge ( 13 pass / 0 fail / 13 total)

✔ correct_domain Correct domain accepted | official_url=https://www.paypal.com 3ms

✔ alternate_domain https://paypal.com (no www) accepted 1ms

✔ fake_domain Fake domain correctly rejected: That is not an official login address for PayPal 2ms

✔ http_rejected HTTP (non-HTTPS) correctly rejected by challenge 2ms

✔ ip_rejected IP address correctly rejected by challenge 2ms

✔ punycode_rejected Punycode domain rejected by challenge 2ms

✔ empty_input Empty input rejected 1ms

✔ wrong_brand Cross-brand domain correctly rejected 1ms

✔ subdomain_official Official domain with path accepted 2ms

✔ xss_input XSS input rejected by challenge validator 1ms

✔ sqli_brand SQL injection in brand field rejected (HTTP 400) 1ms

✔ google_challenge Google challenge: correct domain accepted 16ms

✔ apple_challenge Apple ID challenge: correct domain accepted 2ms

Security ( 6 pass / 0 fail / 13 total)

✔ cors_wildcard CORS restricted to: https://evil.example.com 2ms

⚠ server_header Server header reveals tech stack: uvicorn 1ms

✔ 404_no_trace 404 response clean (HTTP 404) 2ms

✔ malformed_json Malformed JSON handled gracefully (HTTP 422) 1ms

✔ empty_body Empty body correctly rejected (422/400) 1ms

⚠ long_url 5000-char URL accepted - consider length limits 3ms

⚠ null_bytes Null byte in URL not rejected - action=block 2ms

⚠ js_protocol javascript: URI action=allow - should be blocked 3ms

⚠ data_uri data: URI not blocked: allow 2ms

⚠ rate_limit No rate limiting detected on scan endpoint (0/25 throttled) - OK for internal API 53ms

✔ scan_get_rejected GET on POST-only endpoint returns 405 1ms

✔ brands_post_rejected POST on GET-only brands endpoint returns 405 2ms

⚠ response_xss URL with script tag reflected in response (check content-type header) 2ms

Ai ( 1 pass / 0 fail / 10 total)

ℹ v2_detection v2.0 endpoints not yet on target (expected - they're being merged). Remaining AI tests will run in probe/compatibility mode. 7ms

✔ ollama_reachable AI analysis field in response (1680ms) - Ollama connected 1680ms

– v2_register v2.0 not yet on target 7ms

– weak_password v2.0 not yet on target 6ms

– dupe_email v2.0 not yet on target 6ms

– wrong_password v2.0 not yet on target 6ms

– jwt_manipulation v2.0 not yet on target 7ms

– ai_typosquatting v2.0 not yet on target 6ms

– scan_performance v2.0 not yet on target 6ms

– user_enum v2.0 not yet on target 5ms

Analytics ( 11 pass / 0 fail / 12 total)

✔ dashboard_reachable Analytics dashboard OK (HTTP 200) 3ms

✔ dashboard_structure All 5 required keys present 3ms

✔ dashboard_stats_fields Stats valid — 37 brands protected, 336 total scans 2ms

✔ dashboard_trend 30-day trend: 30 labels, correct MM-DD format 2ms

✔ stats_consistency Stats consistent: 336 total = 172 blocked + 46 challenged + 118 allowed 2ms

✔ ai_status_endpoint Ollama available — model=phi3:mini loaded=['phi3:mini'] 19ms

✔ ai_fields_present ai_used=False ai_analysis=null (expected for safe) 3ms

✔ ai_triggers_challenge AI ran in 1672ms — verdict=phishing confidence=90% 1672ms

✔ ai_skips_safe AI correctly skipped for official PayPal (action=allow, ai_used=False) 3ms

– ai_verdict_structure AI did not run (Ollama may be down) 3ms

✔ stats_increment total_scans incremented: 340 → 341 9ms

✔ challenge_stats Challenge stats OK — 47 challenged, 173 blocked, 341 total 1ms

Run #4 — Full Report

⚠ Vulnerabilities Found (4)