15 passed, 1 failed, 0 skipped, 28 total, 53% pass rate

⚠ Vulnerabilities Found (2)

MEDIUM Open Redirect Abuse

Trusted domain open redirects to malicious pages not flagged

Fix: Parse redirect destination URL and scan that too

CRITICAL Elderly-Targeted Attack Bypass

AI-generated elderly-targeting URLs not caught by GuardDex

Payload: https://www-irs-gov-us-.com/taxnotice https://www-medicaregov-us-.com/renewal https://www-socialsecuritygov-us-.com/suspension https://www-lotterywin-org-au/.xyz/winner https://www-grandparentemergency-support-us-.com/assistance

Fix: Add IRS/SSA/Medicare to brand list; add lottery/grandparent signals

Browser_exploits (4 pass / 0 fail / 6 total)
fake_browser_updates Caught 9/10 (90%) — missed: fake Firefox update → allow 15176ms
drive_by_downloads Caught 5/7 (71%) — missed: fake Flash update → allow; fake Java install → allow 7187ms
watering_hole All 4 watering hole URLs caught 8169ms
browser_allow All 3 legitimate browser sites correctly allowed 7ms
beef_running BeEF is running on :3000 — live hook tests available 39ms
beef_hook_delivery All 4 BeEF hook delivery URL patterns caught 8015ms
Social_engineering (3 pass / 0 fail / 7 total)
credential_harvesters All 9 credential harvester URLs caught (100%) 5463ms
tech_support_scams Caught 6/7 (86%) — missed: Fake Norton renewal 3546ms
gov_impersonation Caught 5/6 (83%) — missed: IRS refund scam 5986ms
package_pretext All 6 package/prize pretext URLs caught 10200ms
romance_scams Caught 2/3 (67%) romance scam URLs — difficult without AI analysis of content 3459ms
gov_allow All 4 legitimate government/service sites correctly allowed 10ms
set_available SET not installed (optional). Install: sudo apt install set or: git clone https://github.com/trustedsec/social-engineer-toolkit 0ms
Evasion (5 pass / 0 fail / 8 total)
encoding_bypass All 4 URL-encoded evasions caught 4529ms
subdomain_stacking All 6 subdomain stacking attacks caught (100%) 3133ms
homoglyph All 5 homoglyph attacks caught 4615ms
open_redirect Open redirect handling: 1 blocked, 0 challenged, 3 allowed — open redirects on trusted domains are hard to detect 10ms
shortener_challenge 3/4 URL shorteners allowed through without challenge — destination is unknown, risk cannot be assessed 9ms
typosquatting Caught 6/8 (75%) — missed: google triple-o; facebook 00→oo 7648ms
combo_attacks All 3 multi-technique evasion attacks caught 1584ms
evasion_fp_check All 3 legitimate sites still correctly allowed after evasion tests 6ms
Ai_redteam (3 pass / 1 fail / 7 total)
attacker_model Attacker model: dolphin-mistral:7b — adversarial generation ready 24ms
redteam_banks Model generated text but no parseable URLs: chase-bank-lgn.com boa-verification.ru wellsfargo-secured.tk paypal-account-access.xyz citibank-secure-login.net chase-online-access.biz bankofamerica-verify-login.info paypa-account-access.xyz These 17196ms
redteam_elderly dolphin-mistral:7b | 8 elderly-targeted URLs | 0/8 caught (0%) | BYPASSED: https://www-irs-gov-us-.com/taxnotice | https://www-medicaregov-us-.com/renewal | https://www-socialsecuritygov-us-.com/suspension | https://www-lotterywin-org-au/.xyz/winner 4367ms
redteam_evasion No parseable URLs: paypal.abcd123.defg456.ghij789.klmn0pqr.stuvwxyz.com apple.abcde12345.fghi67890.jklm.nopqr.stuvwx.yz123.net microsoft.abcd123.efgh456.ijkl789.mnop1011.qrstu123.vwxyz.com google.abcde123.fghi456.jklm78 4813ms
gap_analysis No bypass gaps found in test set — all 4 caught by GuardDex 6711ms
defender_ai_supplement phi3:mini caught 3 ambiguous scam URLs that needed AI context 8274ms
stress_volume Only 0 URLs generated (expected 15+) 5055ms