Run #7 — Full Report
http://localhost:8088
Suites: browser_exploits,social_engineering,evasion,ai_redteam | Status: done | 2026-02-22 08:05:18 UTC
⚠ Vulnerabilities Found (1)
MEDIUM
Open Redirect Abuse
Trusted domain open redirects to malicious pages not flagged
Fix: Parse redirect destination URL and scan that too
Browser_exploits (5 pass / 0 fail / 6 total)
fake_browser_updates
All 10 BeEF/fake-update delivery URLs caught (100%)
13797ms
drive_by_downloads
Caught 5/7 (71%) — missed: fake Flash update → allow; fake Java install → allow
8544ms
watering_hole
All 4 watering hole URLs caught
6775ms
browser_allow
All 3 legitimate browser sites correctly allowed
8ms
beef_running
BeEF is running on :3000 — live hook tests available
33ms
beef_hook_delivery
All 4 BeEF hook delivery URL patterns caught
7729ms
Social_engineering (5 pass / 0 fail / 7 total)
credential_harvesters
All 9 credential harvester URLs caught (100%)
5361ms
tech_support_scams
All 7 tech support scam URLs caught (100%)
6348ms
gov_impersonation
All 6 government impersonation URLs caught (100%)
2471ms
package_pretext
All 6 package/prize pretext URLs caught
9081ms
romance_scams
Caught 2/3 (67%) romance scam URLs — difficult without AI analysis of content
1799ms
gov_allow
All 4 legitimate government/service sites correctly allowed
11ms
set_available
SET not installed (optional). Install: sudo apt install set or: git clone https://github.com/trustedsec/social-engineer-toolkit
2ms
Evasion (5 pass / 0 fail / 8 total)
encoding_bypass
All 4 URL-encoded evasions caught
4573ms
subdomain_stacking
All 6 subdomain stacking attacks caught (100%)
1653ms
homoglyph
All 5 homoglyph attacks caught
4668ms
open_redirect
Open redirect handling: 1 blocked, 0 challenged, 3 allowed — open redirects on trusted domains are hard to detect
10ms
shortener_challenge
3/4 URL shorteners allowed through without challenge — destination is unknown, risk cannot be assessed
10ms
typosquatting
Caught 6/8 (75%) — missed: google triple-o; facebook 00→oo
7306ms
combo_attacks
All 3 multi-technique evasion attacks caught
1595ms
evasion_fp_check
All 3 legitimate sites still correctly allowed after evasion tests
9ms
Ai_redteam (5 pass / 0 fail / 7 total)
attacker_model
Attacker model: dolphin-mistral:7b — adversarial generation ready
26ms
redteam_banks
Model: dolphin-mistral:7b | Generated 8 URLs in 13538ms | GuardDex caught 8/8 (100%)
16800ms
redteam_elderly
dolphin-mistral:7b | 8 elderly-targeted URLs | 8/8 caught (100%)
11225ms
redteam_evasion
No parseable URLs:
apple.com/apple/apple-store/app/apple.com/apple%3A0day%2F0day
paypal.com/payp4l/payp4l%3A1ayers/1ayers.php?payp4l=1
microsoft.com/micros0ft/office/office%3Aned%2Fned
google.com/googl/drive/drive%3Anin
5001ms
gap_analysis
No bypass gaps found in test set — all 4 caught by GuardDex
3591ms
defender_ai_supplement
phi3:mini caught 4 ambiguous scam URLs that needed AI context
7741ms
stress_volume
Only 0 URLs generated (expected 15+)
3743ms