From 39cfa696da4bccc8fe110ad13643f7cd74ef9c29 Mon Sep 17 00:00:00 2001 From: Steve Pinkham Date: Sun, 21 Nov 2010 20:21:25 -0500 Subject: [PATCH] 1.77b: Further minor documentation and presentation tweaks. --- ChangeLog | 5 ++++ Makefile | 2 +- README | 4 ++-- analysis.c | 4 +++- assets/index.html | 4 ++-- crawler.c | 2 +- dictionaries/README-FIRST | 48 ++++++++++++++++++++------------------- 7 files changed, 39 insertions(+), 30 deletions(-) diff --git a/ChangeLog b/ChangeLog index e23428a..5238fe6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +Version 1.77b: +-------------- + + - Further minor documentation and presentation tweaks. + Version 1.76b: -------------- diff --git a/Makefile b/Makefile index dcb3a46..1322430 100644 --- a/Makefile +++ b/Makefile @@ -20,7 +20,7 @@ # PROGNAME = skipfish -VERSION = 1.76b +VERSION = 1.77b OBJFILES = http_client.c database.c crawler.c analysis.c report.c INCFILES = alloc-inl.h string-inl.h debug.h types.h http_client.h \ diff --git a/README b/README index d98e5cc..06bc52b 100644 --- a/README +++ b/README @@ -98,7 +98,7 @@ A rough list of the security checks offered by the tool is outlined below. * High risk flaws (potentially leading to system compromise): - * Server-side SQL injection (including blind vectors, numerical parameters). + * Server-side query injection (including blind vectors, numerical parameters). * Explicit SQL-like syntax in GET or POST parameters. * Server-side shell command injection (including blind vectors). * Server-side XML / XPath injection (including blind vectors). 
@@ -111,7 +111,7 @@ A rough list of the security checks offered by the tool is outlined below. * Stored and reflected XSS vectors in document body (minimal JS XSS support). * Stored and reflected XSS vectors via HTTP redirects. * Stored and reflected XSS vectors via HTTP header splitting. - * Directory traversal (including constrained vectors). + * Directory traversal / RFI (including constrained vectors). * Assorted file POIs (server-side sources, configs, etc). * Attacker-supplied script and CSS inclusion vectors (stored and reflected). * External untrusted script and CSS inclusion vectors. diff --git a/analysis.c b/analysis.c index 1418409..01d0e62 100644 --- a/analysis.c +++ b/analysis.c @@ -2276,7 +2276,9 @@ static void check_for_stuff(struct http_request* req, return; } - if (strstr((char*)res->payload, "Fatal error:")) { + if (strstr((char*)res->payload, "Fatal error:") || + strstr((char*)res->payload, "Parse error:") || + strstr((char*)res->payload, " on line ")) { problem(PROB_ERROR_POI, req, res, (u8*)"PHP error", req->pivot, 0); return; } diff --git a/assets/index.html b/assets/index.html index 1732289..ce1ebda 100644 --- a/assets/index.html +++ b/assets/index.html @@ -310,13 +310,13 @@ var issue_desc= { "40305": "Conflicting MIME / charset info (higher risk)", "40401": "Interesting file", "40402": "Interesting server message", - "40501": "Directory traversal possible", + "40501": "Directory traversal / file inclusion possible", "40601": "Incorrect caching directives (higher risk)", "40701": "Password form submits from or to non-HTTPS page", "50101": "Server-side XML injection vector", "50102": "Shell injection vector", - "50103": "SQL injection vector", + "50103": "Query injection vector", "50104": "Format string vector", "50105": "Integer overflow vector", "50201": "SQL query or similar syntax in parameters", diff --git a/crawler.c b/crawler.c index f93ad1c..83f0ce0 100644 --- a/crawler.c +++ b/crawler.c 
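Review bot: The third added marker in the analysis.c hunk, `" on line "`, is far less specific than `"Fatal error:"` and `"Parse error:"`: any response whose prose happens to contain that phrase will now be reported as a PHP error POI, so the widened condition trades a narrower miss for a broader false positive. The two PHP-style prefixes can stay as they are; the generic phrase should only count when it is followed by a digit, which is how an interpreter line reference reads. `check_for_stuff` starts and ends outside this hunk, and the existing `strstr` already relies on `res->payload` being NUL-terminated, so only the condition changes; `isdigit` requires `<ctype.h>` if the file does not already include it.
```c
  const char* on_line = strstr((char*)res->payload, " on line ");

  /* Generic phrase counts only when a line number follows it. */
  if (strstr((char*)res->payload, "Fatal error:") ||
      strstr((char*)res->payload, "Parse error:") ||
      (on_line && isdigit((unsigned char)on_line[sizeof(" on line ") - 1]))) {
    /* … unchanged: problem(PROB_ERROR_POI, ...) and return … */
  }
```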
@@ -1183,7 +1183,7 @@ static u8 inject_check7_callback(struct http_request* req, If misc[0] == misc[1], but misc[0] != misc[2], probable (numeric) SQL injection. Ditto for misc[2] == misc[6], but misc[6] != misc[7]. - If misc[3] != misc[4] and misc[4] != misc[5], probable text SQL + If misc[3] != misc[4] and misc[3] != misc[5], probable text SQL injection. */ diff --git a/dictionaries/README-FIRST b/dictionaries/README-FIRST index 46ec3e6..7c7b9b4 100644 --- a/dictionaries/README-FIRST +++ b/dictionaries/README-FIRST @@ -57,8 +57,9 @@ The basic modes you should be aware of (in order of request cost): complete - all-inclusive dictionary, over 150,000 requests. - This mode is recommended when doing thorough assessments of reasonably - responsive servers. + Normal fuzzing mode is recommended when doing thorough assessments of + reasonably responsive servers; but it may be prohibitively expensive + when dealing with very large or very slow sites. As should be obvious, the -W option points to a dictionary to be used; the scanner updates the file based on scan results, so please always make a @@ -83,7 +84,8 @@ Additional options supported by the aforementioned modes: -Y - inhibits full $(unknown).${extension} brute-force: the scanner will only brute-force one component at a time. This greatly - improves scan times, but reduces coverage. + improves scan times, but reduces coverage. Modes 2 and 3 + shown above make use of this flag. -R num - purges all dictionary entries that had no non-404 hits for the last scans. Prevents dictionary creep in repeated 
@@ -93,37 +95,37 @@ Additional options supported by the aforementioned modes: More about dictionary design: ----------------------------- -Each dictionary may consist of a number of extensions, and a number of -"regular" keywords. Extensions are considered just a special subset of -the keyword list. +Each dictionary may consist of a number of extensions, and a number of +"regular" keywords. Extensions are considered just a special subset of the +keyword list. You can create custom dictionaries, conforming to this format: type hits total_age last_age keyword -...where 'type' is either 'e' or 'w' (extension or wordlist); 'hits' -is the total number of times this keyword resulted in a non-404 hit -in all previous scans; 'total_age' is the number of scan cycles this -word is in the dictionary; 'last_age' is the number of scan cycles -since the last 'hit'; and 'keyword' is the actual keyword. +...where 'type' is either 'e' or 'w' (extension or wordlist); 'hits' is the +total number of times this keyword resulted in a non-404 hit in all previous +scans; 'total_age' is the number of scan cycles this word is in the dictionary; +'last_age' is the number of scan cycles since the last 'hit'; and 'keyword' is +the actual keyword. -Do not duplicate extensions as keywords - if you already have 'html' as -an 'e' entry, there is no need to also create a 'w' one. +Do not duplicate extensions as keywords - if you already have 'html' as an 'e' +entry, there is no need to also create a 'w' one. -There must be no empty or malformed lines, comments in the wordlist -file. Extension keywords must have no leading dot (e.g., 'exe', not '.exe'), -and all keywords should be NOT url-encoded (e.g., 'Program Files', not +There must be no empty or malformed lines, comments in the wordlist file. +Extension keywords must have no leading dot (e.g., 'exe', not '.exe'), and all +keywords should be NOT url-encoded (e.g., 'Program Files', not 'Program%20Files'). No keyword should exceed 64 characters. 
-If you omit -W in the command line, 'skipfish.wl' is assumed. This -file does not exist by default; this is by design. +If you omit -W in the command line, 'skipfish.wl' is assumed. This file does +not exist by default; this is by design. -The scanner will automatically learn new keywords and extensions based on -any links discovered during the scan; and will also analyze pages and -extract words to use as keyword candidates. +The scanner will automatically learn new keywords and extensions based on any +links discovered during the scan; and will also analyze pages and extract +words to use as keyword candidates. Tread carefully; poor wordlists are one of the reasons why some web security scanners perform worse than expected. You will almost always be better off narrowing down or selectively extending the supplied set (and possibly -contributing back your changes upstream!), than importing a giant -wordlist scored elsewhere. +contributing back your changes upstream!), than importing a giant wordlist +scored elsewhere.