1.77b: Further minor documentation and presentation tweaks.

2010-11-21 20:21:25 -05:00 · 2010-11-21 20:21:25 -05:00 · 39cfa696da
parent 806e8eedea
commit 39cfa696da
7 changed files with 39 additions and 30 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
+Version 1.77b:
+--------------
+
+  - Further minor documentation and presentation tweaks.
+
 Version 1.76b:
 --------------

--- a/2
+++ b/2
@ -20,7 +20,7 @@
 #

 PROGNAME   = skipfish
-VERSION    = 1.76b
+VERSION    = 1.77b

 OBJFILES   = http_client.c database.c crawler.c analysis.c report.c
 INCFILES   = alloc-inl.h string-inl.h debug.h types.h http_client.h \
--- a/4
+++ b/4
@ -98,7 +98,7 @@ A rough list of the security checks offered by the tool is outlined below.

  * High risk flaws (potentially leading to system compromise):

-    * Server-side SQL injection (including blind vectors, numerical parameters).
+    * Server-side query injection (including blind vectors, numerical parameters).
    * Explicit SQL-like syntax in GET or POST parameters.
    * Server-side shell command injection (including blind vectors).
    * Server-side XML / XPath injection (including blind vectors).
@ -111,7 +111,7 @@ A rough list of the security checks offered by the tool is outlined below.
    * Stored and reflected XSS vectors in document body (minimal JS XSS support).
    * Stored and reflected XSS vectors via HTTP redirects.
    * Stored and reflected XSS vectors via HTTP header splitting.
-    * Directory traversal (including constrained vectors).
+    * Directory traversal / RFI (including constrained vectors).
    * Assorted file POIs (server-side sources, configs, etc).
    * Attacker-supplied script and CSS inclusion vectors (stored and reflected).
    * External untrusted script and CSS inclusion vectors.
--- a/analysis.c
+++ b/analysis.c
@ -2276,7 +2276,9 @@ static void check_for_stuff(struct http_request* req,
    return;
  }

-  if (strstr((char*)res->payload, "<b>Fatal error</b>:")) {
+  if (strstr((char*)res->payload, "<b>Fatal error</b>:") ||
+      strstr((char*)res->payload, "<b>Parse error</b>:") ||
+      strstr((char*)res->payload, "</b> on line <b>")) {
    problem(PROB_ERROR_POI, req, res, (u8*)"PHP error", req->pivot, 0);
    return;
  }
--- a/assets/index.html
+++ b/assets/index.html
@ -310,13 +310,13 @@ var issue_desc= {
  "40305": "Conflicting MIME / charset info (higher risk)",
  "40401": "Interesting file",
  "40402": "Interesting server message",
-  "40501": "Directory traversal possible",
+  "40501": "Directory traversal / file inclusion possible",
  "40601": "Incorrect caching directives (higher risk)",
  "40701": "Password form submits from or to non-HTTPS page",

  "50101": "Server-side XML injection vector",
  "50102": "Shell injection vector",
-  "50103": "SQL injection vector",
+  "50103": "Query injection vector",
  "50104": "Format string vector",
  "50105": "Integer overflow vector",
  "50201": "SQL query or similar syntax in parameters",
--- a/crawler.c
+++ b/crawler.c
@ -1183,7 +1183,7 @@ static u8 inject_check7_callback(struct http_request* req,
     If misc[0] == misc[1], but misc[0] != misc[2], probable (numeric) SQL
     injection. Ditto for misc[2] == misc[6], but misc[6] != misc[7]. 

-     If misc[3] != misc[4] and misc[4] != misc[5], probable text SQL 
+     If misc[3] != misc[4] and misc[3] != misc[5], probable text SQL 
     injection.

   */
--- a/dictionaries/README-FIRST
+++ b/dictionaries/README-FIRST
@ -57,8 +57,9 @@ The basic modes you should be aware of (in order of request cost):

     complete  - all-inclusive dictionary, over 150,000 requests.

-   This mode is recommended when doing thorough assessments of reasonably
-   responsive servers.
+   Normal fuzzing mode is recommended when doing thorough assessments of
+   reasonably responsive servers; but it may be prohibitively expensive
+   when dealing with very large or very slow sites.

 As should be obvious, the -W option points to a dictionary to be used; the
 scanner updates the file based on scan results, so please always make a
@ -83,7 +84,8 @@ Additional options supported by the aforementioned modes:

  -Y      - inhibits full ${filename}.${extension} brute-force: the scanner
            will only brute-force one component at a time. This greatly
-            improves scan times, but reduces coverage.
+            improves scan times, but reduces coverage. Modes 2 and 3
+            shown above make use of this flag.

  -R num  - purges all dictionary entries that had no non-404 hits for
            the last <num> scans. Prevents dictionary creep in repeated
@ -93,37 +95,37 @@ Additional options supported by the aforementioned modes:
 More about dictionary design:
 -----------------------------

-Each dictionary may consist of a number of extensions, and a number of
-"regular" keywords. Extensions are considered just a special subset of
-the keyword list.
+Each dictionary may consist of a number of extensions, and a number of 
+"regular" keywords. Extensions are considered just a special subset of the
+keyword list.

 You can create custom dictionaries, conforming to this format:

 type hits total_age last_age keyword

-...where 'type' is either 'e' or 'w' (extension or wordlist); 'hits'
-is the total number of times this keyword resulted in a non-404 hit
-in all previous scans; 'total_age' is the number of scan cycles this
-word is in the dictionary; 'last_age' is the number of scan cycles
-since the last 'hit'; and 'keyword' is the actual keyword.
+...where 'type' is either 'e' or 'w' (extension or wordlist); 'hits' is the
+total number of times this keyword resulted in a non-404 hit in all previous
+scans; 'total_age' is the number of scan cycles this word is in the dictionary;
+'last_age' is the number of scan cycles since the last 'hit'; and 'keyword' is
+the actual keyword.

-Do not duplicate extensions as keywords - if you already have 'html' as
-an 'e' entry, there is no need to also create a 'w' one.
+Do not duplicate extensions as keywords - if you already have 'html' as an 'e'
+entry, there is no need to also create a 'w' one.

-There must be no empty or malformed lines, comments in the wordlist
-file. Extension keywords must have no leading dot (e.g., 'exe', not '.exe'),
-and all keywords should be NOT url-encoded (e.g., 'Program Files', not
+There must be no empty or malformed lines, comments in the wordlist file.
+Extension keywords must have no leading dot (e.g., 'exe', not '.exe'), and all
+keywords should be NOT url-encoded (e.g., 'Program Files', not 
 'Program%20Files'). No keyword should exceed 64 characters.

-If you omit -W in the command line, 'skipfish.wl' is assumed. This
-file does not exist by default; this is by design.
+If you omit -W in the command line, 'skipfish.wl' is assumed. This file does
+not exist by default; this is by design.

-The scanner will automatically learn new keywords and extensions based on
-any links discovered during the scan; and will also analyze pages and
-extract words to use as keyword candidates.
+The scanner will automatically learn new keywords and extensions based on any
+links discovered during the scan; and will also analyze pages and extract
+words to use as keyword candidates.

 Tread carefully; poor wordlists are one of the reasons why some web security
 scanners perform worse than expected. You will almost always be better off
 narrowing down or selectively extending the supplied set (and possibly
-contributing back your changes upstream!), than importing a giant
-wordlist scored elsewhere.
+contributing back your changes upstream!), than importing a giant wordlist
+scored elsewhere.