1.77b: Further minor documentation and presentation tweaks.
This commit is contained in:
parent
806e8eedea
commit
39cfa696da
@ -1,3 +1,8 @@
Version 1.77b:
--------------

- Further minor documentation and presentation tweaks.

Version 1.76b:
--------------

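Review bot: the new 1.77b entry describes the release only as "further minor documentation and presentation tweaks", which undersells the user-visible changes in this commit: two report descriptions (40501, 50103) and several README check names are reworded, and the PHP error check now matches more patterns. Consider listing those items so someone scanning the ChangeLog knows that issue descriptions in generated reports changed.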
2
Makefile
2
Makefile
@ -20,7 +20,7 @@
#

PROGNAME = skipfish
VERSION = 1.76b
VERSION = 1.77b

OBJFILES = http_client.c database.c crawler.c analysis.c report.c
INCFILES = alloc-inl.h string-inl.h debug.h types.h http_client.h \
4
README
4
README
@ -98,7 +98,7 @@ A rough list of the security checks offered by the tool is outlined below.

* High risk flaws (potentially leading to system compromise):

* Server-side SQL injection (including blind vectors, numerical parameters).
* Server-side query injection (including blind vectors, numerical parameters).
* Explicit SQL-like syntax in GET or POST parameters.
* Server-side shell command injection (including blind vectors).
* Server-side XML / XPath injection (including blind vectors).
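Review bot: the renamed bullet "Server-side query injection (including blind vectors, numerical parameters)" drops the word SQL without saying what other query languages the check covers, so a reader cannot tell whether this is a broader capability or just a more accurate name for the same probes; a parenthetical such as "(SQL and similar query languages)" would settle it. The next bullet still says "Explicit SQL-like syntax", so the two should use the same vocabulary.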
@ -111,7 +111,7 @@ A rough list of the security checks offered by the tool is outlined below.
* Stored and reflected XSS vectors in document body (minimal JS XSS support).
* Stored and reflected XSS vectors via HTTP redirects.
* Stored and reflected XSS vectors via HTTP header splitting.
* Directory traversal (including constrained vectors).
* Directory traversal / RFI (including constrained vectors).
* Assorted file POIs (server-side sources, configs, etc).
* Attacker-supplied script and CSS inclusion vectors (stored and reflected).
* External untrusted script and CSS inclusion vectors.

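Review bot: "RFI" in the changed bullet "Directory traversal / RFI (including constrained vectors)" is never expanded, and the matching report description elsewhere in this commit says "file inclusion" instead; spell it out once as "remote file inclusion (RFI)" so the README and the report agree. Also, rewriting the last bullet to "External untrusted script and CSS inclusion vectors" silently drops the "(stored and reflected)" qualifier; if the check still distinguishes the two cases, keep the qualifier.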
@ -2276,7 +2276,9 @@ static void check_for_stuff(struct http_request* req,
return;
}

if (strstr((char*)res->payload, "<b>Fatal error</b>:")) {
if (strstr((char*)res->payload, "<b>Fatal error</b>:") ||
strstr((char*)res->payload, "<b>Parse error</b>:") ||
strstr((char*)res->payload, "</b> on line <b>")) {
problem(PROB_ERROR_POI, req, res, (u8*)"PHP error", req->pivot, 0);
return;
}

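Review bot: the third new pattern, strstr(..., "</b> on line <b>"), is much looser than the two it joins: PHP emits the same "in <b>file</b> on line <b>N</b>" tail for warnings and notices as well as for fatal and parse errors, so a page that merely emits a notice is now reported as "PHP error" at the same PROB_ERROR_POI severity. If that is intended, say so in a comment above the condition; if not, also require an "error" keyword in the same payload, or report the looser match under a separate label. A one-line comment listing which PHP message format each literal targets would also help the next reader, since the three strings are otherwise opaque.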
@ -310,13 +310,13 @@ var issue_desc= {
"40305": "Conflicting MIME / charset info (higher risk)",
"40401": "Interesting file",
"40402": "Interesting server message",
"40501": "Directory traversal possible",
"40501": "Directory traversal / file inclusion possible",
"40601": "Incorrect caching directives (higher risk)",
"40701": "Password form submits from or to non-HTTPS page",

"50101": "Server-side XML injection vector",
"50102": "Shell injection vector",
"50103": "SQL injection vector",
"50103": "Query injection vector",
"50104": "Format string vector",
"50105": "Integer overflow vector",
"50201": "SQL query or similar syntax in parameters",

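Review bot: the 50103 description now reads "Query injection vector" while the neighbouring 50201 entry still says "SQL query or similar syntax in parameters", and 40501 says "file inclusion" where the README in this same commit says "RFI"; pick one term per concept so a reader correlating a report with the README does not take them for different findings. Keeping the numeric ids unchanged is the right call, since existing reports and any tooling keyed on them continue to resolve.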
@ -1183,7 +1183,7 @@ static u8 inject_check7_callback(struct http_request* req,
If misc[0] == misc[1], but misc[0] != misc[2], probable (numeric) SQL
injection. Ditto for misc[2] == misc[6], but misc[6] != misc[7].

If misc[3] != misc[4] and misc[4] != misc[5], probable text SQL
If misc[3] != misc[4] and misc[3] != misc[5], probable text SQL
injection.

*/

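Review bot: this is a comment-only fix, changing the second condition from "misc[4] != misc[5]" to "misc[3] != misc[5]", but the comparison the comment describes is not in the hunk, so a reviewer cannot confirm which of the two versions the code actually implements; please include the corresponding if() lines in the diff or cite them in the commit message. While here, the unchanged line "Ditto for misc[2] == misc[6], but misc[6] != misc[7]" is not parallel to the "misc[0] == misc[1], but misc[0] != misc[2]" sentence before it and is worth a second look.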
@ -57,8 +57,9 @@ The basic modes you should be aware of (in order of request cost):

complete - all-inclusive dictionary, over 150,000 requests.

This mode is recommended when doing thorough assessments of reasonably
responsive servers.
Normal fuzzing mode is recommended when doing thorough assessments of
reasonably responsive servers; but it may be prohibitively expensive
when dealing with very large or very slow sites.

As should be obvious, the -W option points to a dictionary to be used; the
scanner updates the file based on scan results, so please always make a
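Review bot: the replacement paragraph under the "complete" entry opens with "Normal fuzzing mode is recommended ...", but the entry it sits under is "complete", so it is unclear whether "normal fuzzing mode" names the complete dictionary, a mode listed earlier, or the scanner's default; name the mode the same way the list does (e.g. "The complete mode is recommended ..." if that is what is meant), and if the paragraph applies to every mode, move it out from under the "complete" entry.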
@ -83,7 +84,8 @@ Additional options supported by the aforementioned modes:

-Y - inhibits full $(unknown).${extension} brute-force: the scanner
will only brute-force one component at a time. This greatly
improves scan times, but reduces coverage.
improves scan times, but reduces coverage. Modes 2 and 3
shown above make use of this flag.

-R num - purges all dictionary entries that had no non-404 hits for
the last <num> scans. Prevents dictionary creep in repeated
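Review bot: the added sentence "Modes 2 and 3 shown above make use of this flag" refers to modes by number, but the only mode visible in the surrounding context ("complete") is named rather than numbered; unless the list above is numbered, name the modes so the cross-reference survives a reorder of the list.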
@ -93,37 +95,37 @@ Additional options supported by the aforementioned modes:
More about dictionary design:
-----------------------------

Each dictionary may consist of a number of extensions, and a number of
"regular" keywords. Extensions are considered just a special subset of
the keyword list.
Each dictionary may consist of a number of extensions, and a number of
"regular" keywords. Extensions are considered just a special subset of the
keyword list.

You can create custom dictionaries, conforming to this format:

type hits total_age last_age keyword

...where 'type' is either 'e' or 'w' (extension or wordlist); 'hits'
is the total number of times this keyword resulted in a non-404 hit
in all previous scans; 'total_age' is the number of scan cycles this
word is in the dictionary; 'last_age' is the number of scan cycles
since the last 'hit'; and 'keyword' is the actual keyword.
...where 'type' is either 'e' or 'w' (extension or wordlist); 'hits' is the
total number of times this keyword resulted in a non-404 hit in all previous
scans; 'total_age' is the number of scan cycles this word is in the dictionary;
'last_age' is the number of scan cycles since the last 'hit'; and 'keyword' is
the actual keyword.

Do not duplicate extensions as keywords - if you already have 'html' as
an 'e' entry, there is no need to also create a 'w' one.
Do not duplicate extensions as keywords - if you already have 'html' as an 'e'
entry, there is no need to also create a 'w' one.

There must be no empty or malformed lines, comments in the wordlist
file. Extension keywords must have no leading dot (e.g., 'exe', not '.exe'),
and all keywords should be NOT url-encoded (e.g., 'Program Files', not
There must be no empty or malformed lines, comments in the wordlist file.
Extension keywords must have no leading dot (e.g., 'exe', not '.exe'), and all
keywords should be NOT url-encoded (e.g., 'Program Files', not
'Program%20Files'). No keyword should exceed 64 characters.

If you omit -W in the command line, 'skipfish.wl' is assumed. This
file does not exist by default; this is by design.
If you omit -W in the command line, 'skipfish.wl' is assumed. This file does
not exist by default; this is by design.

The scanner will automatically learn new keywords and extensions based on
any links discovered during the scan; and will also analyze pages and
extract words to use as keyword candidates.
The scanner will automatically learn new keywords and extensions based on any
links discovered during the scan; and will also analyze pages and extract
words to use as keyword candidates.

Tread carefully; poor wordlists are one of the reasons why some web security
scanners perform worse than expected. You will almost always be better off
narrowing down or selectively extending the supplied set (and possibly
contributing back your changes upstream!), than importing a giant
wordlist scored elsewhere.
contributing back your changes upstream!), than importing a giant wordlist
scored elsewhere.
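Review bot: this hunk only re-wraps the dictionary-design text, so it is a good moment to fix two sentences it touches: "There must be no empty or malformed lines, comments in the wordlist file" is missing a conjunction ("no empty or malformed lines, or comments"), and "all keywords should be NOT url-encoded" reads better as "all keywords must NOT be URL-encoded". Re-wrapping also makes the diff noisier than the wording change, so a reviewer has to read both versions of every paragraph in full; separating reflows from edits in future commits would make substantive changes easier to spot.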