Scanner results

vulnlab.dev · what off-the-shelf scanners caught

Each lab on vulnlab.dev declares its ground truth at /meta/<slug> — what CWE applies, what sinks are involved, and what payload would prove it. This page runs that ground truth against output from real scanners, lab by lab. Results are static snapshots; numbers update when we re-run the scanners against the deployed labs.

Tools currently profiled:

Semgrep (SAST) — community rule packs p/security-audit, p/python, p/flask, run against apps/. A lab counts as caught if any rule fired in its source file.
Nuclei (DAST) — default templates filtered to ssrf,xss,sqli,ssti,injection,rce tags, run against the live subdomain. A lab counts as caught if any template fired on its URL.

Raw outputs live in scanner-results/ in the repo. Totals across the run: 19 Semgrep findings, 1 Nuclei findings.

Server-Side Request Forgery Semgrep 10/12 · Nuclei 0/12

ssrf.vulnlab.dev

Lab	Subtype	Semgrep	Nuclei	Detail
basic	unvalidated-url-fetch	✓	✗	semgrep: python.flask.security.injection.ssrf-requests.ssrf-requests
blocklist	substring-blocklist-bypass	✓	✗	semgrep: python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected
allowlist	substring-allowlist-bypass	✓	✗	semgrep: python.flask.security.injection.ssrf-requests.ssrf-requests
parser	url-parser-disagreement	✓	✗	semgrep: python.flask.security.injection.ssrf-requests.ssrf-requests
redirect	follow-redirect-on-allowlisted-host	✓	✗	semgrep: python.flask.security.injection.ssrf-requests.ssrf-requests
scheme	unrestricted-url-scheme	✓	✗	semgrep: python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected
blind	blind-no-response-feedback	✗	✗	no scanner caught this
webhook	semi-blind-header-leak	✓	✗	semgrep: python.flask.security.injection.ssrf-requests.ssrf-requests
metadata	cloud-metadata-aws-imdsv1	✓	✗	semgrep: python.flask.security.injection.ssrf-requests.ssrf-requests
metadata-gcp	cloud-metadata-gcp	✓	✗	semgrep: python.flask.security.injection.ssrf-requests.ssrf-requests
metadata-azure	cloud-metadata-azure	✓	✗	semgrep: python.flask.security.injection.ssrf-requests.ssrf-requests
gopher	gopher-protocol-smuggling	✗	✗	no scanner caught this

Cross-Site Scripting Semgrep 0/5 · Nuclei 0/5

xss.vulnlab.dev

Lab	Subtype	Semgrep	Nuclei	Detail
reflected	reflected-html-context	✗	✗	no scanner caught this
stored	stored-persistent	✗	✗	no scanner caught this
dom	dom-based	✗	✗	no scanner caught this
csp-bypass	csp-bypass-via-same-origin-jsonp	✗	✗	no scanner caught this
mxss	mutation-xss-via-innerhtml-reparse	✗	✗	no scanner caught this

SQL Injection Semgrep 3/5 · Nuclei 1/5

sqli.vulnlab.dev

Lab	Subtype	Semgrep	Nuclei	Detail
union	in-band-union-based	✓	✓	semgrep: python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute, python.flask.security.injection.tainted-sql-string.tainted-sql-string nuclei: sqli-error-based
error	error-based	✗	✗	no scanner caught this
blind-bool	blind-boolean	✓	✗	semgrep: python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute, python.flask.security.injection.tainted-sql-string.tainted-sql-string
blind-time	blind-time-based	✓	✗	semgrep: python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute, python.flask.security.injection.tainted-sql-string.tainted-sql-string
second-order	second-order-stored-input	✗	✗	no scanner caught this

Server-Side Template Injection Semgrep 3/5 · Nuclei 0/5

ssti.vulnlab.dev

Lab	Subtype	Semgrep	Nuclei	Detail
basic	jinja2-render-template-string	✓	✗	semgrep: python.flask.security.audit.render-template-string.render-template-string
format	python-str-format-attribute-walk	✗	✗	no scanner caught this
filtered	jinja2-ssti-substring-blocklist-bypass	✓	✗	semgrep: python.flask.security.audit.render-template-string.render-template-string
sandboxed	jinja2-sandbox-bypass-via-exposed-global	✗	✗	no scanner caught this
second-order	second-order-stored-template	✓	✗	semgrep: python.flask.security.audit.render-template-string.render-template-string

Reading the table

✓ means the scanner produced at least one finding whose location pointed at this lab (file for SAST, URL for DAST). It does not mean the scanner correctly identified the CWE or the exact subtype — only that it flagged the right place.
✗ means no finding from this scanner pointed at this lab. The bug is real (every lab is exploitable; see /meta/<slug> for the canonical payload) — the scanner just didn't catch it.
This is a first-pass benchmark with default rule packs. Tighter rules, paid editions, or running with the right configuration would change these numbers.