Run #5 — Full Report

http://localhost:8088

Suites: smoke,phishing,challenge,security,ai,analytics  |  Status: done  | 2026-02-22 07:09:05 UTC

New Run History
54passed 0failed 9skipped 66total 81% pass rate

⚠ Vulnerabilities Found (1)

LOW Potential XSS via URL reflection

Script tag in URL may be reflected

Fix: Ensure JSON responses have correct Content-Type

Smoke ( 6 pass / 0 fail / 6 total)
health_endpoint API healthy | 37 brands | version 1.1.0 3ms
root_endpoint API root OK: GuardDex API v1.1.0 2ms
docs_accessible OpenAPI docs accessible at /docs 1ms
brands_endpoint 37 protected brands loaded 2ms
challenge_stats Stats OK: 47 challenges issued 2ms
dashboard_accessible Challenge screen HTML reachable 9ms
Phishing ( 12 pass / 0 fail / 12 total)
fake_paypal CAUGHT → block | risk=critical | 3 signals | Would have saved David $200 38ms
fake_facebook CAUGHT → block | Would have stopped the 2-year hack chain 3ms
real_paypal Real PayPal correctly ALLOWED 3ms
ip_login IP address login BLOCKED | signals: ['ip_address_login', 'brand_impersonation', 'http_login_page'] 2ms
punycode Punycode domain BLOCKED 5ms
official_sites_allow All 10 official sites correctly ALLOWED 1036ms
phishing_bulk All 24 phishing URLs caught (100% detection rate) 2490ms
37_brands_stress All 37/37 brands detected (100%) 36431ms
long_subdomain_evasion Deep subdomain attack caught: block 3ms
double_extension Double extension caught: block 2ms
https_not_safe HTTPS phishing site still blocked - good 3ms
signal_quality 3 well-formed signals returned: ['suspicious_tld', 'brand_impersonation', 'http_login_page'] 2ms
Challenge ( 13 pass / 0 fail / 13 total)
correct_domain Correct domain accepted | official_url=https://paypal.me 4ms
alternate_domain https://paypal.com (no www) accepted 2ms
fake_domain Fake domain correctly rejected: That is not an official login address for PayPal 1ms
http_rejected HTTP (non-HTTPS) correctly rejected by challenge 2ms
ip_rejected IP address correctly rejected by challenge 2ms
punycode_rejected Punycode domain rejected by challenge 2ms
empty_input Empty input rejected 2ms
wrong_brand Cross-brand domain correctly rejected 1ms
subdomain_official Official domain with path accepted 1ms
xss_input XSS input rejected by challenge validator 2ms
sqli_brand SQL injection in brand field rejected (HTTP 400) 2ms
google_challenge Google challenge: correct domain accepted 1ms
apple_challenge Apple ID challenge: correct domain accepted 1ms
Security ( 11 pass / 0 fail / 13 total)
cors_wildcard CORS restricted to: https://evil.example.com 2ms
server_header Server header: 'guarddex' (acceptable) 1ms
404_no_trace 404 response clean (HTTP 404) 1ms
malformed_json Malformed JSON handled gracefully (HTTP 422) 2ms
empty_body Empty body correctly rejected (422/400) 4ms
long_url Very long URL rejected (HTTP 400) 9ms
null_bytes Null byte URL rejected (HTTP 400) 2ms
js_protocol javascript: URI rejected at HTTP level (400) 2ms
data_uri data: URI rejected at HTTP level (400) 2ms
rate_limit No rate limiting detected on scan endpoint (0/25 throttled) - OK for internal API 52ms
scan_get_rejected GET on POST-only endpoint returns 405 1ms
brands_post_rejected POST on GET-only brands endpoint returns 405 1ms
response_xss URL with script tag reflected in response (check content-type header) 3ms
Ai ( 1 pass / 0 fail / 10 total)
v2_detection v2.0 endpoints not yet on target (expected - they're being merged). Remaining AI tests will run in probe/compatibility mode. 7ms
ollama_reachable AI analysis field in response (1646ms) - Ollama connected 1646ms
v2_register v2.0 not yet on target 6ms
weak_password v2.0 not yet on target 7ms
dupe_email v2.0 not yet on target 5ms
wrong_password v2.0 not yet on target 8ms
jwt_manipulation v2.0 not yet on target 8ms
ai_typosquatting v2.0 not yet on target 5ms
scan_performance v2.0 not yet on target 5ms
user_enum v2.0 not yet on target 6ms
Analytics ( 11 pass / 0 fail / 12 total)
dashboard_reachable Analytics dashboard OK (HTTP 200) 14ms
dashboard_structure All 5 required keys present 4ms
dashboard_stats_fields Stats valid — 37 brands protected, 448 total scans 2ms
dashboard_trend 30-day trend: 30 labels, correct MM-DD format 2ms
stats_consistency Stats consistent: 448 total = 228 blocked + 62 challenged + 158 allowed 2ms
ai_status_endpoint Ollama available — model=phi3:mini loaded=['phi3:mini'] 18ms
ai_fields_present ai_used=False ai_analysis=null (expected for safe) 3ms
ai_triggers_challenge AI ran in 1700ms — verdict=phishing confidence=90% 1700ms
ai_skips_safe AI correctly skipped for official PayPal (action=allow, ai_used=False) 3ms
ai_verdict_structure AI did not run (Ollama may be down) 4ms
stats_increment total_scans incremented: 452 → 453 6ms
challenge_stats Challenge stats OK — 63 challenged, 229 blocked, 453 total 1ms