1.77b: Further minor documentation and presentation tweaks.

Steve Pinkham 2010-11-21 20:21:25 -05:00
parent 806e8eedea
commit 39cfa696da
7 changed files with 39 additions and 30 deletions

View File

@ -1,3 +1,8 @@
Version 1.77b:
--------------
- Further minor documentation and presentation tweaks.
Version 1.76b: Version 1.76b:
-------------- --------------
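Review bot: the 1.77b ChangeLog entry says only "documentation and presentation tweaks", but this commit also changes scanner behaviour: check_for_stuff() in analysis.c gains two new PHP error signatures, and the 40501 / 50103 issue descriptions are renamed. Add a line such as `- Broader PHP error detection; "query injection" / "file inclusion" wording in reports.` so anyone reading the changelog knows detection output changed, not just docs.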

View File

@ -20,7 +20,7 @@
# #
PROGNAME = skipfish PROGNAME = skipfish
VERSION = 1.76b VERSION = 1.77b
OBJFILES = http_client.c database.c crawler.c analysis.c report.c OBJFILES = http_client.c database.c crawler.c analysis.c report.c
INCFILES = alloc-inl.h string-inl.h debug.h types.h http_client.h \ INCFILES = alloc-inl.h string-inl.h debug.h types.h http_client.h \

README
View File

@ -98,7 +98,7 @@ A rough list of the security checks offered by the tool is outlined below.
* High risk flaws (potentially leading to system compromise): * High risk flaws (potentially leading to system compromise):
* Server-side SQL injection (including blind vectors, numerical parameters). * Server-side query injection (including blind vectors, numerical parameters).
* Explicit SQL-like syntax in GET or POST parameters. * Explicit SQL-like syntax in GET or POST parameters.
* Server-side shell command injection (including blind vectors). * Server-side shell command injection (including blind vectors).
* Server-side XML / XPath injection (including blind vectors). * Server-side XML / XPath injection (including blind vectors).
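Review bot: renaming "Server-side SQL injection" to "Server-side query injection" is fine, but the terminology is now inconsistent across the commit: the inject_check7_callback comment in crawler.c (also touched here) still says "probable (numeric) SQL injection". Either keep "SQL" in the README or update that comment so README, report strings and code agree on one term.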
@ -111,7 +111,7 @@ A rough list of the security checks offered by the tool is outlined below.
* Stored and reflected XSS vectors in document body (minimal JS XSS support). * Stored and reflected XSS vectors in document body (minimal JS XSS support).
* Stored and reflected XSS vectors via HTTP redirects. * Stored and reflected XSS vectors via HTTP redirects.
* Stored and reflected XSS vectors via HTTP header splitting. * Stored and reflected XSS vectors via HTTP header splitting.
* Directory traversal (including constrained vectors). * Directory traversal / RFI (including constrained vectors).
* Assorted file POIs (server-side sources, configs, etc). * Assorted file POIs (server-side sources, configs, etc).
* Attacker-supplied script and CSS inclusion vectors (stored and reflected). * Attacker-supplied script and CSS inclusion vectors (stored and reflected).
* External untrusted script and CSS inclusion vectors. * External untrusted script and CSS inclusion vectors.
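Review bot: "Directory traversal / RFI" names only remote file inclusion, while the matching issue_desc string for 40501 in this same commit reads "Directory traversal / file inclusion possible". If the 40501 check also fires on local inclusion vectors, "RFI" understates what it covers; use the same wording in both places, e.g. "Directory traversal / file inclusion (including constrained vectors)".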

View File

@ -2276,7 +2276,9 @@ static void check_for_stuff(struct http_request* req,
return; return;
} }
if (strstr((char*)res->payload, "<b>Fatal error</b>:")) { if (strstr((char*)res->payload, "<b>Fatal error</b>:") ||
strstr((char*)res->payload, "<b>Parse error</b>:") ||
strstr((char*)res->payload, "</b> on line <b>")) {
problem(PROB_ERROR_POI, req, res, (u8*)"PHP error", req->pivot, 0); problem(PROB_ERROR_POI, req, res, (u8*)"PHP error", req->pivot, 0);
return; return;
} }
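Review bot: the new "</b> on line <b>" signature is far broader than the two explicit ones. With html_errors enabled, PHP renders warnings and notices in the same "in <b>file</b> on line <b>N</b>" form, so this branch will now flag those as "PHP error" as well. That is still a reasonable POI (the script path and line number leak either way), but say so in a comment, and consider passing the matched signature instead of the fixed "PHP error" string to problem() so the report shows which pattern fired. Note also that all three strstr() calls are case-sensitive and depend on the exact <b> markup, so output that has been re-templated or had tags stripped is missed; acceptable for a cheap signature check, but worth a comment next to the patterns.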

View File

@ -310,13 +310,13 @@ var issue_desc= {
"40305": "Conflicting MIME / charset info (higher risk)", "40305": "Conflicting MIME / charset info (higher risk)",
"40401": "Interesting file", "40401": "Interesting file",
"40402": "Interesting server message", "40402": "Interesting server message",
"40501": "Directory traversal possible", "40501": "Directory traversal / file inclusion possible",
"40601": "Incorrect caching directives (higher risk)", "40601": "Incorrect caching directives (higher risk)",
"40701": "Password form submits from or to non-HTTPS page", "40701": "Password form submits from or to non-HTTPS page",
"50101": "Server-side XML injection vector", "50101": "Server-side XML injection vector",
"50102": "Shell injection vector", "50102": "Shell injection vector",
"50103": "SQL injection vector", "50103": "Query injection vector",
"50104": "Format string vector", "50104": "Format string vector",
"50105": "Integer overflow vector", "50105": "Integer overflow vector",
"50201": "SQL query or similar syntax in parameters", "50201": "SQL query or similar syntax in parameters",

View File

@ -1183,7 +1183,7 @@ static u8 inject_check7_callback(struct http_request* req,
If misc[0] == misc[1], but misc[0] != misc[2], probable (numeric) SQL If misc[0] == misc[1], but misc[0] != misc[2], probable (numeric) SQL
injection. Ditto for misc[2] == misc[6], but misc[6] != misc[7]. injection. Ditto for misc[2] == misc[6], but misc[6] != misc[7].
If misc[3] != misc[4] and misc[4] != misc[5], probable text SQL If misc[3] != misc[4] and misc[3] != misc[5], probable text SQL
injection. injection.
*/ */
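Review bot: only the comment changes here (misc[4] != misc[5] becomes misc[3] != misc[5]). Confirm that the comparison in the body of inject_check7_callback really tests misc[3] against misc[5]; a comment that disagrees with the code is worse than the original. The comment also still says "SQL injection" while the README and report strings in this commit say "query injection"; pick one term.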

View File

@ -57,8 +57,9 @@ The basic modes you should be aware of (in order of request cost):
complete - all-inclusive dictionary, over 150,000 requests. complete - all-inclusive dictionary, over 150,000 requests.
This mode is recommended when doing thorough assessments of reasonably Normal fuzzing mode is recommended when doing thorough assessments of
responsive servers. reasonably responsive servers; but it may be prohibitively expensive
when dealing with very large or very slow sites.
As should be obvious, the -W option points to a dictionary to be used; the As should be obvious, the -W option points to a dictionary to be used; the
scanner updates the file based on scan results, so please always make a scanner updates the file based on scan results, so please always make a
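Review bot: the rewritten sentence recommends "Normal fuzzing mode", but the mode list it follows uses names such as "complete" (the only entry visible in this hunk). If "normal" is one of those entries, refer to it by that exact name and its request count so the reader can map the recommendation to a -W dictionary; otherwise say which listed mode is meant.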
@ -83,7 +84,8 @@ Additional options supported by the aforementioned modes:
-Y - inhibits full $(unknown).${extension} brute-force: the scanner -Y - inhibits full $(unknown).${extension} brute-force: the scanner
will only brute-force one component at a time. This greatly will only brute-force one component at a time. This greatly
improves scan times, but reduces coverage. improves scan times, but reduces coverage. Modes 2 and 3
shown above make use of this flag.
-R num - purges all dictionary entries that had no non-404 hits for -R num - purges all dictionary entries that had no non-404 hits for
the last <num> scans. Prevents dictionary creep in repeated the last <num> scans. Prevents dictionary creep in repeated
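Review bot: "Modes 2 and 3 shown above make use of this flag" relies on a numbering the mode list does not visibly use (entries are named, e.g. "complete"). Name the modes that imply -Y explicitly so the cross-reference survives reordering or renaming of the list.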
@ -93,37 +95,37 @@ Additional options supported by the aforementioned modes:
More about dictionary design: More about dictionary design:
----------------------------- -----------------------------
Each dictionary may consist of a number of extensions, and a number of Each dictionary may consist of a number of extensions, and a number of
"regular" keywords. Extensions are considered just a special subset of "regular" keywords. Extensions are considered just a special subset of the
the keyword list. keyword list.
You can create custom dictionaries, conforming to this format: You can create custom dictionaries, conforming to this format:
type hits total_age last_age keyword type hits total_age last_age keyword
...where 'type' is either 'e' or 'w' (extension or wordlist); 'hits' ...where 'type' is either 'e' or 'w' (extension or wordlist); 'hits' is the
is the total number of times this keyword resulted in a non-404 hit total number of times this keyword resulted in a non-404 hit in all previous
in all previous scans; 'total_age' is the number of scan cycles this scans; 'total_age' is the number of scan cycles this word is in the dictionary;
word is in the dictionary; 'last_age' is the number of scan cycles 'last_age' is the number of scan cycles since the last 'hit'; and 'keyword' is
since the last 'hit'; and 'keyword' is the actual keyword. the actual keyword.
Do not duplicate extensions as keywords - if you already have 'html' as Do not duplicate extensions as keywords - if you already have 'html' as an 'e'
an 'e' entry, there is no need to also create a 'w' one. entry, there is no need to also create a 'w' one.
There must be no empty or malformed lines, comments in the wordlist There must be no empty or malformed lines, comments in the wordlist file.
file. Extension keywords must have no leading dot (e.g., 'exe', not '.exe'), Extension keywords must have no leading dot (e.g., 'exe', not '.exe'), and all
and all keywords should be NOT url-encoded (e.g., 'Program Files', not keywords should be NOT url-encoded (e.g., 'Program Files', not
'Program%20Files'). No keyword should exceed 64 characters. 'Program%20Files'). No keyword should exceed 64 characters.
If you omit -W in the command line, 'skipfish.wl' is assumed. This If you omit -W in the command line, 'skipfish.wl' is assumed. This file does
file does not exist by default; this is by design. not exist by default; this is by design.
The scanner will automatically learn new keywords and extensions based on The scanner will automatically learn new keywords and extensions based on any
any links discovered during the scan; and will also analyze pages and links discovered during the scan; and will also analyze pages and extract
extract words to use as keyword candidates. words to use as keyword candidates.
Tread carefully; poor wordlists are one of the reasons why some web security Tread carefully; poor wordlists are one of the reasons why some web security
scanners perform worse than expected. You will almost always be better off scanners perform worse than expected. You will almost always be better off
narrowing down or selectively extending the supplied set (and possibly narrowing down or selectively extending the supplied set (and possibly
contributing back your changes upstream!), than importing a giant contributing back your changes upstream!), than importing a giant wordlist
wordlist scored elsewhere. scored elsewhere.
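Review bot: the reflowed sentence "There must be no empty or malformed lines, comments in the wordlist file." is still missing its conjunction; write "no empty lines, malformed lines, or comments in the wordlist file". In the same paragraph, "all keywords should be NOT url-encoded" reads better as "keywords must not be URL-encoded". Since this hunk already reflows the whole block, it is the right place to fix both rather than leaving them for another "minor tweaks" commit.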