The meaning of the diagonal
I don't think it's fair to call the diagonal line in the FPR/TPR chart a "random guess" line. The FPR == TPR equation translates to FP/(FP+TN) == TP/(TP+FN), meaning FP*FN == TN*TP, or FP/TP == TN/FN. The FPR > TPR area below the line does not put the tool into a "worse than guessing" shame list. The formulas suggests a different interpretation of that area, "the noise rate in reporting non-issues exceeds the sensitivity about real issues".
The "worse than guessing" interpretation seems to come from the following scenario. We have n real and m fake vulnerabilities. For each of these vulnerabilities let the tool (or a monkey) decide if it is real. I guess this scenario ignores that the tool does not get the list of these vulnerabilities as its input. --Eelgheez (talk) 20:24, 13 July 2016 (CDT)
Request headers in XSS attacks
The Test Case Details tab says that out of all possible request headers only Referer can act as tainted input in the XSS scenario. Indeed, a malicious site can host a page at a malicioously crafted URL replying to HTTP requests such as
GET /foo<script>alert(1)</script>. On visiting such pages and clicking a link in them victim users' browsers will carry the crafted URL in their Referer header. --Eelgheez (talk) 07:37, 17 July 2017 (CDT)
- When the target site resides behind a caching server, the server's dropping request headers from its cache key and the application's reflecting unconventional request headers result in a cache poisoning vulnerability, https://blog.cloudflare.com/cache-poisoning-protection/ . 10:40, 14 November 2018 (CST)