Run #8 — Full Report

http://localhost:8088

Suites: smoke,phishing,challenge,security,ai,analytics,browser_exploits,social_engineering,evasion,ai_redteam  |  Status: done  | 2026-02-23 07:24:26 UTC

New Run History
74passed 0failed 9skipped 94total 78% pass rate

⚠ Vulnerabilities Found (2)

LOW Potential XSS via URL reflection

Script tag in URL may be reflected

Fix: Ensure JSON responses have correct Content-Type

MEDIUM Open Redirect Abuse

Trusted domain open redirects to malicious pages not flagged

Fix: Parse redirect destination URL and scan that too

Smoke ( 6 pass / 0 fail / 6 total)
health_endpoint API healthy | 43 brands | version 2.0.0 19ms
root_endpoint API root OK: GuardDex API v2.0.0 2ms
docs_accessible OpenAPI docs accessible at /docs 1ms
brands_endpoint 43 protected brands loaded 3ms
challenge_stats Stats OK: 176 challenges issued 2ms
dashboard_accessible Challenge screen HTML reachable 11ms
Phishing ( 12 pass / 0 fail / 12 total)
fake_paypal CAUGHT → block | risk=critical | 3 signals | Would have saved David $200 4ms
fake_facebook CAUGHT → block | Would have stopped the 2-year hack chain 3ms
real_paypal Real PayPal correctly ALLOWED 7ms
ip_login IP address login BLOCKED | signals: ['ip_address_login', 'brand_impersonation', 'http_login_page'] 2ms
punycode Punycode domain BLOCKED 6ms
official_sites_allow All 10 official sites correctly ALLOWED 1036ms
phishing_bulk All 24 phishing URLs caught (100% detection rate) 2491ms
37_brands_stress All 37/37 brands detected (100%) 39396ms
long_subdomain_evasion Deep subdomain attack caught: block 3ms
double_extension Double extension caught: block 4ms
https_not_safe HTTPS phishing site still blocked - good 2ms
signal_quality 3 well-formed signals returned: ['suspicious_tld', 'brand_impersonation', 'http_login_page'] 2ms
Challenge ( 13 pass / 0 fail / 13 total)
correct_domain Correct domain accepted | official_url=https://paypal.com 9ms
alternate_domain https://paypal.com (no www) accepted 3ms
fake_domain Fake domain correctly rejected: That is not an official login address for PayPal 3ms
http_rejected HTTP (non-HTTPS) correctly rejected by challenge 2ms
ip_rejected IP address correctly rejected by challenge 2ms
punycode_rejected Punycode domain rejected by challenge 2ms
empty_input Empty input rejected 2ms
wrong_brand Cross-brand domain correctly rejected 2ms
subdomain_official Official domain with path accepted 2ms
xss_input XSS input rejected by challenge validator 2ms
sqli_brand SQL injection in brand field rejected (HTTP 400) 17ms
google_challenge Google challenge: correct domain accepted 2ms
apple_challenge Apple ID challenge: correct domain accepted 2ms
Security ( 11 pass / 0 fail / 13 total)
cors_wildcard CORS restricted to: https://evil.example.com 3ms
server_header Server header: 'guarddex' (acceptable) 7ms
404_no_trace 404 response clean (HTTP 404) 2ms
malformed_json Malformed JSON handled gracefully (HTTP 422) 2ms
empty_body Empty body correctly rejected (422/400) 4ms
long_url Very long URL rejected (HTTP 400) 1ms
null_bytes Null byte URL rejected (HTTP 400) 1ms
js_protocol javascript: URI rejected at HTTP level (400) 1ms
data_uri data: URI rejected at HTTP level (400) 1ms
rate_limit No rate limiting detected on scan endpoint (0/25 throttled) - OK for internal API 56ms
scan_get_rejected GET on POST-only endpoint returns 405 2ms
brands_post_rejected POST on GET-only brands endpoint returns 405 1ms
response_xss URL with script tag reflected in response (check content-type header) 8ms
Ai ( 1 pass / 0 fail / 10 total)
v2_detection v2.0 endpoints not yet on target (expected - they're being merged). Remaining AI tests will run in probe/compatibility mode. 9ms
ollama_reachable AI analysis field in response (1666ms) - Ollama connected 1665ms
v2_register v2.0 not yet on target 7ms
weak_password v2.0 not yet on target 5ms
dupe_email v2.0 not yet on target 5ms
wrong_password v2.0 not yet on target 7ms
jwt_manipulation v2.0 not yet on target 7ms
ai_typosquatting v2.0 not yet on target 9ms
scan_performance v2.0 not yet on target 6ms
user_enum v2.0 not yet on target 7ms
Analytics ( 11 pass / 0 fail / 12 total)
dashboard_reachable Analytics dashboard OK (HTTP 200) 2ms
dashboard_structure All 5 required keys present 3ms
dashboard_stats_fields Stats valid — 43 brands protected, 805 total scans 4ms
dashboard_trend 30-day trend: 30 labels, correct MM-DD format 3ms
stats_consistency Stats consistent: 805 total = 363 blocked + 191 challenged + 251 allowed 2ms
ai_status_endpoint Ollama available — model=phi3:mini loaded=['phi3:mini'] 23ms
ai_fields_present ai_used=False ai_analysis=null (expected for safe) 2ms
ai_triggers_challenge AI ran in 1705ms — verdict=phishing confidence=85% 1705ms
ai_skips_safe AI correctly skipped for official PayPal (action=allow, ai_used=False) 3ms
ai_verdict_structure AI did not run (Ollama may be down) 2ms
stats_increment total_scans incremented: 809 → 810 9ms
challenge_stats Challenge stats OK — 192 challenged, 364 blocked, 810 total 2ms
Browser_exploits ( 5 pass / 0 fail / 6 total)
fake_browser_updates All 10 BeEF/fake-update delivery URLs caught (100%) 12390ms
drive_by_downloads Caught 5/7 (71%) — missed: fake Flash update → allow; fake Java install → allow 7195ms
watering_hole All 4 watering hole URLs caught 8091ms
browser_allow All 3 legitimate browser sites correctly allowed 7ms
beef_running BeEF is running on :3000 — live hook tests available 23ms
beef_hook_delivery All 4 BeEF hook delivery URL patterns caught 10706ms
Social_engineering ( 5 pass / 0 fail / 7 total)
credential_harvesters All 9 credential harvester URLs caught (100%) 5317ms
tech_support_scams All 7 tech support scam URLs caught (100%) 5172ms
gov_impersonation All 6 government impersonation URLs caught (100%) 1773ms
package_pretext All 6 package/prize pretext URLs caught 9009ms
romance_scams Caught 2/3 (67%) romance scam URLs — difficult without AI analysis of content 1974ms
gov_allow All 4 legitimate government/service sites correctly allowed 9ms
set_available SET not installed (optional). Install: sudo apt install set or: git clone https://github.com/trustedsec/social-engineer-toolkit 6ms
Evasion ( 5 pass / 0 fail / 8 total)
encoding_bypass All 4 URL-encoded evasions caught 4503ms
subdomain_stacking All 6 subdomain stacking attacks caught (100%) 1536ms
homoglyph All 5 homoglyph attacks caught 4735ms
open_redirect Open redirect handling: 1 blocked, 0 challenged, 3 allowed — open redirects on trusted domains are hard to detect 10ms
shortener_challenge 3/4 URL shorteners allowed through without challenge — destination is unknown, risk cannot be assessed 9ms
typosquatting Caught 6/8 (75%) — missed: google triple-o; facebook 00→oo 7658ms
combo_attacks All 3 multi-technique evasion attacks caught 1537ms
evasion_fp_check All 3 legitimate sites still correctly allowed after evasion tests 9ms
Ai_redteam ( 5 pass / 0 fail / 7 total)
attacker_model Attacker model: dolphin-mistral:7b — adversarial generation ready 15ms
redteam_banks Model: dolphin-mistral:7b | Generated 8 URLs in 20373ms | GuardDex caught 6/8 (75%) | Bypassed: http://bankofamerica-secure.co | http://citibank-secure.io 21972ms
redteam_elderly dolphin-mistral:7b | 8 elderly-targeted URLs | 8/8 caught (100%) 9604ms
redteam_evasion dolphin-mistral:7b evasion | 6 URLs | 6/6 caught (100%) 3630ms
gap_analysis No bypass gaps found in test set — all 4 caught by GuardDex 3388ms
defender_ai_supplement phi3:mini caught 4 ambiguous scam URLs that needed AI context 7686ms
stress_volume Only 0 URLs generated (expected 15+) 4284ms