1.58b: Descendant limit checks added.
parent
768867c93b
commit
42d17c7921
@ -1,3 +1,8 @@
|
|||
Version 1.58b:
|
||||
--------------
|
||||
|
||||
- Descendant limit checks added.
|
||||
|
||||
Version 1.57b:
|
||||
--------------
|
||||
|
||||
|
|
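--- a/Makefile
+++ b/Makefile
@@ -20,7 +20,7 @@
 #
 
 PROGNAME = skipfish
-VERSION = 1.57b
+VERSION = 1.58b
 
 OBJFILES = http_client.c database.c crawler.c analysis.c report.c
 INCFILES = alloc-inl.h string-inl.h debug.h types.h http_client.h \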
530
README
530
README
|
@ -6,249 +6,259 @@ skipfish - web application security scanner
|
|||
|
||||
* Written and maintained by Michal Zalewski <lcamtuf@google.com>.
|
||||
* Copyright 2009, 2010 Google Inc, rights reserved.
|
||||
* Released under terms and conditions of the Apache License, version 2.0.
|
||||
* Released under terms and conditions of the Apache License, version 2.0.
|
||||
|
||||
--------------------
|
||||
1. What is skipfish?
|
||||
--------------------
|
||||
|
||||
Skipfish is an active web application security reconnaissance tool. It prepares
|
||||
an interactive sitemap for the targeted site by carrying out a recursive crawl
|
||||
and dictionary-based probes. The resulting map is then annotated with the
|
||||
output from a number of active (but hopefully non-disruptive) security checks.
|
||||
The final report generated by the tool is meant to serve as a foundation for
|
||||
professional web application security assessments.
|
||||
Why should I bother with this particular tool?
|
||||
Skipfish is an active web application security reconnaissance tool. It
|
||||
prepares an interactive sitemap for the targeted site by carrying out a
|
||||
recursive crawl and dictionary-based probes. The resulting map is then
|
||||
annotated with the output from a number of active (but hopefully
|
||||
non-disruptive) security checks. The final report generated by the tool is
|
||||
meant to serve as a foundation for professional web application security
|
||||
assessments.
|
||||
|
||||
-------------------------------------------------
|
||||
2. Why should I bother with this particular tool?
|
||||
-------------------------------------------------
|
||||
|
||||
A number of commercial and open source tools with analogous functionality is
|
||||
readily available (e.g., Nikto, Nessus); stick to the one that suits you best.
|
||||
That said, skipfish tries to address some of the common problems associated
|
||||
with web security scanners. Specific advantages include:
|
||||
readily available (e.g., Nikto, Nessus); stick to the one that suits you
|
||||
best. That said, skipfish tries to address some of the common problems
|
||||
associated with web security scanners. Specific advantages include:
|
||||
|
||||
* High performance: 500+ requests per second against responsive Internet
|
||||
targets, 2000+ requests per second on LAN / MAN networks, and 7000+ requests
|
||||
against local instances has been observed, with a very modest CPU, network,
|
||||
against local instances have been observed, with a very modest CPU, network,
|
||||
and memory footprint. This can be attributed to:
|
||||
|
||||
- Multiplexing single-thread, fully asynchronous network I/O and data
|
||||
* Multiplexing single-thread, fully asynchronous network I/O and data
|
||||
processing model that eliminates memory management, scheduling, and IPC
|
||||
inefficiencies present in some multi-threaded clients.
|
||||
|
||||
- Advanced HTTP/1.1 features such as range requests, content
|
||||
compression, and keep-alive connections, as well as forced response size
|
||||
limiting, to keep network-level overhead in check.
|
||||
* Advanced HTTP/1.1 features such as range requests, content compression,
|
||||
and keep-alive connections, as well as forced response size limiting, to
|
||||
keep network-level overhead in check.
|
||||
|
||||
- Smart response caching and advanced server behavior heuristics are
|
||||
used to minimize unnecessary traffic.
|
||||
* Smart response caching and advanced server behavior heuristics are used to
|
||||
minimize unnecessary traffic.
|
||||
|
||||
- Performance-oriented, pure C implementation, including a custom
|
||||
* Performance-oriented, pure C implementation, including a custom
|
||||
HTTP stack.
|
||||
|
||||
* Ease of use: skipfish is highly adaptive and reliable. The scanner
|
||||
features:
|
||||
* Ease of use: skipfish is highly adaptive and reliable. The scanner features:
|
||||
|
||||
- Heuristic recognition of obscure path- and query-based parameter
|
||||
handling schemes.
|
||||
* Heuristic recognition of obscure path- and query-based parameter handling
|
||||
schemes.
|
||||
|
||||
- Graceful handling of multi-framework sites where certain paths obey
|
||||
a completely different semantics, or are subject to different filtering
|
||||
* Graceful handling of multi-framework sites where certain paths obey
|
||||
completely different semantics, or are subject to different filtering
|
||||
rules.
|
||||
|
||||
- Automatic wordlist construction based on site content analysis.
|
||||
* Automatic wordlist construction based on site content analysis.
|
||||
|
||||
- Probabilistic scanning features to allow periodic, time-bound
|
||||
assessments of arbitrarily complex sites.
|
||||
* Probabilistic scanning features to allow periodic, time-bound assessments
|
||||
of arbitrarily complex sites.
|
||||
|
||||
* Well-designed security checks: the tool is meant to provide accurate and
|
||||
meaningful results:
|
||||
* Well-designed security checks: the tool is meant to provide accurate
|
||||
and meaningful results:
|
||||
|
||||
- Three-step differential probes are preferred to signature checks
|
||||
for detecting vulnerabilities.
|
||||
* Handcrafted dictionaries offer excellent coverage and permit thorough
|
||||
$keyword.$extension testing in a reasonable timeframe.
|
||||
|
||||
- Ratproxy-style logic is used to spot subtle security problems:
|
||||
cross-site request forgery, cross-site script inclusion, mixed content,
|
||||
issues MIME- and charset mismatches, incorrect caching directive, etc.
|
||||
* Three-step differential probes are preferred to signature checks for
|
||||
detecting vulnerabilities.
|
||||
|
||||
- Bundled security checks are designed to handle tricky scenarios:
|
||||
stored XSS (path, parameters, headers), blind SQL or XML injection, or
|
||||
blind shell injection.
|
||||
* Ratproxy-style logic is used to spot subtle security problems:
|
||||
cross-site request forgery, cross-site script inclusion, mixed content,
|
||||
issues MIME- and charset mismatches, incorrect caching directives, etc.
|
||||
|
||||
- Report post-processing drastically reduces the noise caused by any
|
||||
remaining false positives or server gimmicks by identifying repetitive
|
||||
patterns.
|
||||
* Bundled security checks are designed to handle tricky scenarios:
|
||||
stored XSS (path, parameters, headers), blind SQL or XML injection,
|
||||
or blind shell injection.
|
||||
|
||||
* Report post-processing drastically reduces the noise caused by any
|
||||
remaining false positives or server gimmicks by identifying repetitive
|
||||
patterns.
|
||||
|
||||
That said, skipfish is not a silver bullet, and may be unsuitable for certain
|
||||
purposes. For example, it does not satisfy most of the requirements outlined in
|
||||
WASC Web Application Security Scanner Evaluation Criteria (some of them on
|
||||
purposes. For example, it does not satisfy most of the requirements outlined
|
||||
in WASC Web Application Security Scanner Evaluation Criteria (some of them on
|
||||
purpose, some out of necessity); and unlike most other projects of this type,
|
||||
it does not come with an extensive database of known vulnerabilities for
|
||||
banner-type checks.
|
||||
|
||||
-----------------------------------------------------
|
||||
2. Most curious! What specific tests are implemented?
|
||||
3. Most curious! What specific tests are implemented?
|
||||
-----------------------------------------------------
|
||||
|
||||
A rough list of the security checks offered by the tool is outlined below.
|
||||
|
||||
* High risk flaws (potentially leading to system compromise):
|
||||
|
||||
- Server-side SQL injection (including blind vectors, numerical
|
||||
parameters).
|
||||
- Explicit SQL-like syntax in GET or POST parameters.
|
||||
- Server-side shell command injection (including blind vectors).
|
||||
- Server-side XML / XPath injection (including blind vectors).
|
||||
- Format string vulnerabilities.
|
||||
- Integer overflow vulnerabilities.
|
||||
- Locations accepting HTTP PUT.
|
||||
* Server-side SQL injection (including blind vectors, numerical parameters).
|
||||
* Explicit SQL-like syntax in GET or POST parameters.
|
||||
* Server-side shell command injection (including blind vectors).
|
||||
* Server-side XML / XPath injection (including blind vectors).
|
||||
* Format string vulnerabilities.
|
||||
* Integer overflow vulnerabilities.
|
||||
* Locations accepting HTTP PUT.
|
||||
|
||||
* Medium risk flaws (potentially leading to data compromise):
|
||||
|
||||
- Stored and reflected XSS vectors in document body (minimal JS XSS
|
||||
support present).
|
||||
- Stored and reflected XSS vectors via HTTP redirects.
|
||||
- Stored and reflected XSS vectors via HTTP header splitting.
|
||||
- Directory traversal (including constrained vectors).
|
||||
- Assorted file POIs (server-side sources, configs, etc).
|
||||
- Attacker-supplied script and CSS inclusion vectors (stored and
|
||||
reflected).
|
||||
- External untrusted script and CSS inclusion vectors.
|
||||
- Mixed content problems on script and CSS resources (optional).
|
||||
- Incorrect or missing MIME types on renderables.
|
||||
- Generic MIME types on renderables.
|
||||
- Incorrect or missing charsets on renderables.
|
||||
- Conflicting MIME / charset info on renderables.
|
||||
- Bad caching directives on cookie setting responses.
|
||||
* Stored and reflected XSS vectors in document body (minimal JS XSS support).
|
||||
* Stored and reflected XSS vectors via HTTP redirects.
|
||||
* Stored and reflected XSS vectors via HTTP header splitting.
|
||||
* Directory traversal (including constrained vectors).
|
||||
* Assorted file POIs (server-side sources, configs, etc).
|
||||
* Attacker-supplied script and CSS inclusion vectors (stored and reflected).
|
||||
* External untrusted script and CSS inclusion vectors.
|
||||
* Mixed content problems on script and CSS resources (optional).
|
||||
* Incorrect or missing MIME types on renderables.
|
||||
* Generic MIME types on renderables.
|
||||
* Incorrect or missing charsets on renderables.
|
||||
* Conflicting MIME / charset info on renderables.
|
||||
* Bad caching directives on cookie setting responses.
|
||||
|
||||
* Low risk issues (limited impact or low specificity):
|
||||
|
||||
- Directory listing bypass vectors.
|
||||
- Redirection to attacker-supplied URLs (stored and reflected).
|
||||
- Attacker-supplied embedded content (stored and reflected).
|
||||
- External untrusted embedded content.
|
||||
- Mixed content on non-scriptable subresources (optional).
|
||||
- HTTP credentials in URLs.
|
||||
- Expired or not-yet-valid SSL certificates.
|
||||
- HTML forms with no XSRF protection.
|
||||
- Self-signed SSL certificates.
|
||||
- SSL certificate host name mismatches.
|
||||
- Bad caching directives on less sensitive content.
|
||||
* Directory listing bypass vectors.
|
||||
* Redirection to attacker-supplied URLs (stored and reflected).
|
||||
* Attacker-supplied embedded content (stored and reflected).
|
||||
* External untrusted embedded content.
|
||||
* Mixed content on non-scriptable subresources (optional).
|
||||
* HTTP credentials in URLs.
|
||||
* Expired or not-yet-valid SSL certificates.
|
||||
* HTML forms with no XSRF protection.
|
||||
* Self-signed SSL certificates.
|
||||
* SSL certificate host name mismatches.
|
||||
* Bad caching directives on less sensitive content.
|
||||
|
||||
* Internal warnings:
|
||||
|
||||
- Failed resource fetch attempts.
|
||||
- Exceeded crawl limits.
|
||||
- Failed 404 behavior checks.
|
||||
- IPS filtering detected.
|
||||
- Unexpected response variations.
|
||||
- Seemingly misclassified crawl nodes.
|
||||
* Failed resource fetch attempts.
|
||||
* Exceeded crawl limits.
|
||||
* Failed 404 behavior checks.
|
||||
* IPS filtering detected.
|
||||
* Unexpected response variations.
|
||||
* Seemingly misclassified crawl nodes.
|
||||
|
||||
* Non-specific informational entries:
|
||||
|
||||
- General SSL certificate information.
|
||||
- Significantly changing HTTP cookies.
|
||||
- Changing Server, Via, or X-... headers.
|
||||
- New 404 signatures.
|
||||
- Resources that cannot be accessed.
|
||||
- Resources requiring HTTP authentication.
|
||||
- Broken links.
|
||||
- Server errors.
|
||||
- All external links not classified otherwise (optional).
|
||||
- All external e-mails (optional).
|
||||
- All external URL redirectors (optional).
|
||||
- Links to unknown protocols.
|
||||
- Form fields that could not be autocompleted.
|
||||
- Password entry forms (for external brute-force).
|
||||
- File upload forms.
|
||||
- All other HTML forms detected.
|
||||
- Numerical file names (for external brute-force).
|
||||
- User-supplied links otherwise rendered on a page.
|
||||
- Incorrect or missing MIME type on less significant content.
|
||||
- Generic MIME type on less significant content.
|
||||
- Incorrect or missing charset on less significant content.
|
||||
- Conflicting MIME / charset information on less significant content.
|
||||
- OGNL-like parameter passing conventions.
|
||||
* General SSL certificate information.
|
||||
* Significantly changing HTTP cookies.
|
||||
* Changing Server, Via, or X-... headers.
|
||||
* New 404 signatures.
|
||||
* Resources that cannot be accessed.
|
||||
* Resources requiring HTTP authentication.
|
||||
* Broken links.
|
||||
* Server errors.
|
||||
* All external links not classified otherwise (optional).
|
||||
* All external e-mails (optional).
|
||||
* All external URL redirectors (optional).
|
||||
* Links to unknown protocols.
|
||||
* Form fields that could not be autocompleted.
|
||||
* Password entry forms (for external brute-force).
|
||||
* File upload forms.
|
||||
* Other HTML forms (not classified otherwise).
|
||||
* Numerical file names (for external brute-force).
|
||||
* User-supplied links otherwise rendered on a page.
|
||||
* Incorrect or missing MIME type on less significant content.
|
||||
* Generic MIME type on less significant content.
|
||||
* Incorrect or missing charset on less significant content.
|
||||
* Conflicting MIME / charset information on less significant content.
|
||||
* OGNL-like parameter passing conventions.
|
||||
|
||||
Along with a list of identified issues, skipfish also provides summary
|
||||
overviews of document types and issue types found; and an interactive sitemap,
|
||||
with nodes discovered through brute-force denoted in a distinctive way.
|
||||
overviews of document types and issue types found; and an interactive
|
||||
sitemap, with nodes discovered through brute-force denoted in a distinctive
|
||||
way.
|
||||
|
||||
NOTE: As a conscious design decision, skipfish will not redundantly complain
|
||||
NOTE: As a conscious design decision, skipfish will not redundantly complain
|
||||
about highly non-specific issues, including but not limited to:
|
||||
|
||||
* Non-`httponly` cookies,
|
||||
* Non-HTTPS or `autocomplete`-enabled forms,
|
||||
* Non-httponly or non-secure cookies,
|
||||
* Non-HTTPS or autocomplete-enabled forms,
|
||||
* HTML comments detected on a page,
|
||||
* Filesystem path disclosure in error messages,
|
||||
* Server of framework version disclosure,
|
||||
* Mere presence of certain technologies, such as WebDAV.
|
||||
* Servers supporting TRACE or OPTIONS requests,
|
||||
* Mere presence of certain technologies, such as WebDAV.
|
||||
|
||||
Most of these aspects are easy to inspect in a report if so desired - for
|
||||
example, all the HTML forms are listed separately, so are new cookies or
|
||||
interesting HTTP headers - and the expectation is that the auditor may opt to
|
||||
make certain design recommendations based on this data where appropriate. That
|
||||
said, these occurrences are not highlighted as a specific security flaw.
|
||||
Most of these aspects are easy to inspect in a report if so desired - for
|
||||
example, all the HTML forms are listed separately, so are new cookies or
|
||||
interesting HTTP headers - and the expectation is that the auditor may opt to
|
||||
make certain design recommendations based on this data where appropriate.
|
||||
That said, these occurrences are not highlighted as a specific security flaw.
|
||||
|
||||
-----------------------------------------------------------
|
||||
3. All right, I want to try it out. What do I need to know?
|
||||
4. All right, I want to try it out. What do I need to know?
|
||||
-----------------------------------------------------------
|
||||
|
||||
First and foremost, please do not be evil. Use skipfish only against services
|
||||
you own, or have a permission to test.
|
||||
|
||||
Keep in mind that all types of security testing can be disruptive. Although the
|
||||
scanner is designed not to carry out malicious attacks, it may accidentally
|
||||
interfere with the operations of the site. You must accept the risk, and plan
|
||||
accordingly. Run the scanner against test instances where feasible, and be
|
||||
prepared to deal with the consequences if things go wrong.
|
||||
Keep in mind that all types of security testing can be disruptive. Although
|
||||
the scanner is designed not to carry out malicious attacks, it may
|
||||
accidentally interfere with the operations of the site. You must accept the
|
||||
risk, and plan accordingly. Run the scanner against test instances where
|
||||
feasible, and be prepared to deal with the consequences if things go wrong.
|
||||
|
||||
Also note that the tool is meant to be used by security professionals, and is
|
||||
experimental in nature. It may return false positives or miss obvious security
|
||||
problems - and even when it operates perfectly, it is simply not meant to be a
|
||||
point-and-click application. Do not rely on its output at face value.
|
||||
experimental in nature. It may return false positives or miss obvious
|
||||
security problems - and even when it operates perfectly, it is simply not
|
||||
meant to be a point-and-click application. Do not take its output at face
|
||||
value.
|
||||
|
||||
Running the tool against vendor-supplied demo sites is not a good way to
|
||||
evaluate it, as they usually approximate vulnerabilities very imperfectly; we
|
||||
Running the tool against vendor-supplied demo sites is not a good way to
|
||||
evaluate it, as they usually approximate vulnerabilities very imperfectly; we
|
||||
made no effort to accommodate these cases.
|
||||
|
||||
Lastly, the scanner is simply not designed for dealing with rogue and
|
||||
misbehaving HTTP servers - and offers no guarantees of safe (or sane) behavior
|
||||
there.
|
||||
Lastly, the scanner is simply not designed for dealing with rogue and
|
||||
misbehaving HTTP servers - and offers no guarantees of safe (or sane)
|
||||
behavior there.
|
||||
|
||||
--------------------------
|
||||
4. How to run the scanner?
|
||||
5. How to run the scanner?
|
||||
--------------------------
|
||||
|
||||
To compile it, simply unpack the archive and try make. Chances are, you will
|
||||
need to install libidn first.
|
||||
|
||||
Next, you need to copy the desired dictionary file from dictionaries/ to
|
||||
skipfish.wl. Please read dictionaries/README-FIRST carefully to make the right
|
||||
choice. This step has a profound impact on the quality of scan results later on.
|
||||
skipfish.wl. Please read dictionaries/README-FIRST carefully to make the
|
||||
right choice. This step has a profound impact on the quality of scan results
|
||||
later on.
|
||||
|
||||
Once you have the dictionary selected, you can try:
|
||||
|
||||
$ ./skipfish -o output_dir http://www.example.com/some/starting/path.txt
|
||||
|
||||
Note that you can provide more than one starting URL if so desired; all of them
|
||||
will be crawled.
|
||||
Note that you can provide more than one starting URL if so desired; all of
|
||||
them will be crawled.
|
||||
|
||||
The tool will display some helpful stats while the scan is in progress. You
|
||||
The tool will display some helpful stats while the scan is in progress. You
|
||||
can also switch to a list of in-flight HTTP requests by pressing return.
|
||||
|
||||
In the example above, skipfish will scan the entire www.example.com (including
|
||||
services on other ports, if linked to from the main page), and write a report
|
||||
to output_dir/index.html. You can then view this report with your favorite
|
||||
browser (JavaScript must be enabled). The index.html file is static; actual
|
||||
results are stored as a hierarchy of JSON files, suitable for machine
|
||||
processing if needs be.
|
||||
In the example above, skipfish will scan the entire www.example.com
|
||||
(including services on other ports, if linked to from the main page), and
|
||||
write a report to output_dir/index.html. You can then view this report with
|
||||
your favorite browser (JavaScript must be enabled; and because of recent
|
||||
file:/// security improvements in certain browsers, you might need to access
|
||||
results over HTTP). The index.html file is static; actual results are stored
|
||||
as a hierarchy of JSON files, suitable for machine processing or different
|
||||
presentation frontends if needs be.
|
||||
|
||||
Some sites may require authentication; for simple HTTP credentials, you can try:
|
||||
Some sites may require authentication; for simple HTTP credentials, you can
|
||||
try:
|
||||
|
||||
$ ./skipfish -A user:pass ...other parameters...
|
||||
|
||||
Alternatively, if the site relies on HTTP cookies instead, log in in your
|
||||
browser or using a simple curl script, and then provide skipfish with a session
|
||||
cookie:
|
||||
browser or using a simple curl script, and then provide skipfish with a
|
||||
session cookie:
|
||||
|
||||
$ ./skipfish -C name=val ...other parameters...
|
||||
|
||||
|
@ -263,20 +273,20 @@ $ ./skipfish -X /logout/logout.aspx ...other parameters...
|
|||
|
||||
The -X option is also useful for speeding up your scans by excluding /icons/,
|
||||
/doc/, /manuals/, and other standard, mundane locations along these lines. In
|
||||
general, you can use -X, plus -I (only spider URLs matching a substring) and -S
|
||||
(ignore links on pages where a substring appears in response body) to limit the
|
||||
scope of a scan any way you like - including restricting it only to a specific
|
||||
protocol and port:
|
||||
general, you can use -X, plus -I (only spider URLs matching a substring) and
|
||||
-S (ignore links on pages where a substring appears in response body) to
|
||||
limit the scope of a scan any way you like - including restricting it only to
|
||||
a specific protocol and port:
|
||||
|
||||
$ ./skipfish -I http://example.com:1234/ ...other parameters...
|
||||
|
||||
A related function, -K, allows you to specify parameter names not to fuzz
|
||||
A related function, -K, allows you to specify parameter names not to fuzz
|
||||
(useful for applications that put session IDs in the URL, to minimize noise).
|
||||
|
||||
Another useful scoping option is -D - allowing you to specify additional hosts
|
||||
or domains to consider in-scope for the test. By default, all hosts appearing
|
||||
in the command-line URLs are added to the list - but you can use -D to broaden
|
||||
these rules, for example:
|
||||
Another useful scoping option is -D - allowing you to specify additional
|
||||
hosts or domains to consider in-scope for the test. By default, all hosts
|
||||
appearing in the command-line URLs are added to the list - but you can use -D
|
||||
to broaden these rules, for example:
|
||||
|
||||
$ ./skipfish -D test2.example.com -o output-dir http://test1.example.com/
|
||||
|
||||
|
@ -284,120 +294,124 @@ $ ./skipfish -D test2.example.com -o output-dir http://test1.example.com/
|
|||
|
||||
$ ./skipfish -D .example.com -o output-dir http://test1.example.com/
|
||||
|
||||
In some cases, you do not want to actually crawl a third-party domain, but you
|
||||
trust the owner of that domain enough not to worry about cross-domain content
|
||||
inclusion from that location. To suppress warnings, you can use the -B option,
|
||||
for example:
|
||||
In some cases, you do not want to actually crawl a third-party domain, but
|
||||
you trust the owner of that domain enough not to worry about cross-domain
|
||||
content inclusion from that location. To suppress warnings, you can use the
|
||||
-B option, for example:
|
||||
|
||||
$ ./skipfish -B .google-analytics.com -B .googleapis.com ...other parameters...
|
||||
$ ./skipfish -B .google-analytics.com -B .googleapis.com ...other
|
||||
parameters...
|
||||
|
||||
By default, skipfish sends minimalistic HTTP headers to reduce the amount of
|
||||
data exchanged over the wire; some sites examine User-Agent strings or header
|
||||
ordering to reject unsupported clients, however. In such a case, you can use -b
|
||||
ie or -b ffox to mimic one of the two popular browsers.
|
||||
ordering to reject unsupported clients, however. In such a case, you can use
|
||||
-b ie or -b ffox to mimic one of the two popular browsers.
|
||||
|
||||
When it comes to customizing your HTTP requests, you can also use the -H option
|
||||
to insert any additional, non-standard headers; or -F to define a custom
|
||||
mapping between a host and an IP (bypassing the resolver). The latter feature
|
||||
is particularly useful for not-yet-launched or legacy services.
|
||||
When it comes to customizing your HTTP requests, you can also use the -H
|
||||
option to insert any additional, non-standard headers; or -F to define a
|
||||
custom mapping between a host and an IP (bypassing the resolver). The latter
|
||||
feature is particularly useful for not-yet-launched or legacy services.
|
||||
|
||||
Some sites may be too big to scan in a reasonable timeframe. If the site
|
||||
features well-defined tarpits - for example, 100,000 nearly identical user
|
||||
profiles as a part of a social network - these specific locations can be
|
||||
excluded with -X or -S. In other cases, you may need to resort to other
|
||||
settings: -d limits crawl depth to a specified number of subdirectories; -c
|
||||
limits the number of children per directory; and -r limits the total number of
|
||||
requests to send in a scan.
|
||||
limits the number of children per directory; -x limits the total number of
|
||||
descendants per crawl tree branch; and -r limits the total number of requests
|
||||
to send in a scan.
|
||||
|
||||
An interesting option is available for repeated assessments: -p. By specifying
|
||||
a percentage between 1 and 100%, it is possible to tell the crawler to follow
|
||||
fewer than 100% of all links, and try fewer than 100% of all dictionary
|
||||
entries. This - naturally - limits the completeness of a scan, but unlike most
|
||||
other settings, it does so in a balanced, non-deterministic manner. It is
|
||||
extremely useful when you are setting up time-bound, but periodic assessments
|
||||
of your infrastructure. Another related option is -q, which sets the initial
|
||||
random seed for the crawler to a specified value. This can be used to exactly
|
||||
reproduce a previous scan to compare results. Randomness is relied upon most
|
||||
heavily in the -p mode, but also for making a couple of other scan management
|
||||
decisions elsewhere.
|
||||
An interesting option is available for repeated assessments: -p. By
|
||||
specifying a percentage between 1 and 100%, it is possible to tell the
|
||||
crawler to follow fewer than 100% of all links, and try fewer than 100% of
|
||||
all dictionary entries. This - naturally - limits the completeness of a scan,
|
||||
but unlike most other settings, it does so in a balanced, non-deterministic
|
||||
manner. It is extremely useful when you are setting up time-bound, but
|
||||
periodic assessments of your infrastructure. Another related option is -q,
|
||||
which sets the initial random seed for the crawler to a specified value. This
|
||||
can be used to exactly reproduce a previous scan to compare results.
|
||||
Randomness is relied upon most heavily in the -p mode, but also for making a
|
||||
couple of other scan management decisions elsewhere.
|
||||
|
||||
Some particularly complex (or broken) services may involve a very high number
|
||||
of identical or nearly identical pages. Although these occurrences are by
|
||||
default grayed out in the report, they still use up some screen estate and take
|
||||
a while to process on JavaScript level. In such extreme cases, you may use the
|
||||
-Q option to suppress reporting of duplicate nodes altogether, before the
|
||||
report is written. This may give you a less comprehensive understanding of how
|
||||
the site is organized, but has no impact on test coverage.
|
||||
default grayed out in the report, they still use up some screen estate and
|
||||
take a while to process on JavaScript level. In such extreme cases, you may
|
||||
use the -Q option to suppress reporting of duplicate nodes altogether, before
the report is written. This may give you a less comprehensive understanding
of how the site is organized, but has no impact on test coverage.
In certain quick assessments, you might also have no interest in paying any
particular attention to the desired functionality of the site - hoping to
explore non-linked secrets only. In such a case, you may specify -P to inhibit
all HTML parsing. This limits the coverage and takes away the ability for the
scanner to learn new keywords by looking at the HTML, but speeds up the test
dramatically. Another similarly crippling option that reduces the risk of
persistent effects of a scan is -O, which inhibits all form parsing and
submission steps.
explore non-linked secrets only. In such a case, you may specify -P to
inhibit all HTML parsing. This limits the coverage and takes away the ability
for the scanner to learn new keywords by looking at the HTML, but speeds up
the test dramatically. Another similarly crippling option that reduces the
risk of persistent effects of a scan is -O, which inhibits all form parsing
and submission steps.
By default, skipfish complains loudly about all MIME or character set
mismatches on renderable documents, and classifies many of them as "medium
risk"; this is because, if any user-controlled content is returned, the
situation could lead to cross-site scripting attacks in certain browsers. On
some poorly designed and maintained sites, this may contribute too much noise;
if so, you may use -J to mark these issues as "low risk" unless the scanner can
explicitly sees its own user input being echoed back on the resulting page.
This may miss many subtle attack vectors, though.
some poorly designed and maintained sites, this may contribute too much
noise; if so, you may use -J to mark these issues as "low risk" unless the
scanner can explicitly sees its own user input being echoed back on the
resulting page. This may miss many subtle attack vectors, though.
Some sites that handle sensitive user data care about SSL - and about getting
it right. Skipfish may optionally assist you in figuring out problematic mixed
content scenarios - use the -M option to enable this. The scanner will complain
about situations such as http:// scripts being loaded on https:// pages - but
will disregard non-risk scenarios such as images.
it right. Skipfish may optionally assist you in figuring out problematic
mixed content scenarios - use the -M option to enable this. The scanner will
complain about situations such as http:// scripts being loaded on https://
pages - but will disregard non-risk scenarios such as images.
Likewise, certain pedantic sites may care about cases where caching is
restricted on HTTP/1.1 level, but no explicit HTTP/1.0 caching directive is
given on specifying -E in the command-line causes skipfish to log all such
cases carefully.
Lastly, in some assessments that involve self-contained sites without extensive
user content, the auditor may care about any external e-mails or HTTP links
seen, even if they have no immediate security impact. Use the -U option to have
these logged.
Lastly, in some assessments that involve self-contained sites without
extensive user content, the auditor may care about any external e-mails or
HTTP links seen, even if they have no immediate security impact. Use the -U
option to have these logged.
Dictionary management is a special topic, and - as mentioned - is covered in
more detail in dictionaries/README-FIRST. Please read that file before
proceeding. Some of the relevant options include -W to specify a custom
wordlist, -L to suppress auto-learning, -V to suppress dictionary updates, -G
to limit the keyword guess jar size, -R to drop old dictionary entries, and -Y
to inhibit expensive $keyword.$extension fuzzing.
to limit the keyword guess jar size, -R to drop old dictionary entries, and
-Y to inhibit expensive $keyword.$extension fuzzing.
Skipfish also features a form auto-completion mechanism in order to maximize
scan coverage. The values should be non-malicious, as they are not meant to
implement security checks - but rather, to get past input validation logic. You
can define additional rules, or override existing ones, with the -T option (-T
form_field_name=field_value, e.g. -T login=test123 -T password=test321 -
although note that -C and -A are a much better method of logging in).
implement security checks - but rather, to get past input validation logic.
You can define additional rules, or override existing ones, with the -T
option (-T form_field_name=field_value, e.g. -T login=test123 -T
password=test321 - although note that -C and -A are a much better method of
logging in).
There is also a handful of performance-related options. Use -g to set the
maximum number of connections to maintain, globally, to all targets (it is
sensible to keep this under 50 or so to avoid overwhelming the TCP/IP stack on
your system or on the nearby NAT / firewall devices); and -m to set the per-IP
limit (experiment a bit: 2-4 is usually good for localhost, 4-8 for local
networks, 10-20 for external targets, 30+ for really lagged or non-keep-alive
hosts). You can also use -w to set the I/O timeout (i.e., skipfish will wait
only so long for an individual read or write), and -t to set the total request
timeout, to account for really slow or really fast sites.
sensible to keep this under 50 or so to avoid overwhelming the TCP/IP stack
on your system or on the nearby NAT / firewall devices); and -m to set the
per-IP limit (experiment a bit: 2-4 is usually good for localhost, 4-8 for
local networks, 10-20 for external targets, 30+ for really lagged or
non-keep-alive hosts). You can also use -w to set the I/O timeout (i.e.,
skipfish will wait only so long for an individual read or write), and -t to
set the total request timeout, to account for really slow or really fast
sites.
Lastly, -f controls the maximum number of consecutive HTTP errors you are
willing to see before aborting the scan; and -s sets the maximum length of a
response to fetch and parse (longer responses will be truncated).
Further rate-limiting is available through third-party user mode tools such as
trickle, or kernel-level traffic shaping.
Further rate-limiting is available through third-party user mode tools such
as trickle, or kernel-level traffic shaping.
Oh, and runtime stats can be suppressed with -u to run skipfish in quiet mode.
Oh, and real-time scan statistics can be suppressed with -u.
--------------------------------
5. But seriously, how to run it?
6. But seriously, how to run it?
--------------------------------
A standard, authenticated scan of a well-designed and self-contained site
@ -407,52 +421,53 @@ issues):
$ ./skipfish -MEU -C "AuthCookie=value" -X /logout.aspx -o output_dir \
http://www.example.com/
Five-connection crawl, but no brute-force; pretending to be MSIE, caring
less about ambiguous MIME or character set mismatches, and trusting
Five-connection crawl, but no brute-force; pretending to be MSIE and caring
less about ambiguous MIME or character set mismatches, and trusting
example.com links:
$ ./skipfish -m 5 -LVJ -W /dev/null -o output_dir -b ie -B example.com \
http://www.example.com/
Brute force only (no HTML link extraction), limited to a specific
directory, timing out after 5 seconds:
Brute force only (no HTML link extraction), limited to a single directory and
timing out after 5 seconds:
$ ./skipfish -P -I http://www.example.com/dir1/ -O -o output_dir -t 5 \
$ ./skipfish -P -I http://www.example.com/dir1/ -o output_dir -t 5 -I \
http://www.example.com/dir1/
For a short list of all command-line options, try ./skipfish -h.
----------------------------------------------------
6. How to interpret and address the issues reported?
7. How to interpret and address the issues reported?
----------------------------------------------------
Most of the problems reported by skipfish should self-explanatory, assuming you
have a good gasp of the fundamentals of web security. If you need a quick
refresher on some of the more complicated topics, such as MIME sniffing, you
Most of the problems reported by skipfish should self-explanatory, assuming you
have a good gasp of the fundamentals of web security. If you need a quick
refresher on some of the more complicated topics, such as MIME sniffing, you
may enjoy our comprehensive Browser Security Handbook as a starting point:
http://code.google.com/p/browsersec/
If you still need assistance, there are several organizations that put a
considerable effort into documenting and explaining many of the common web
security threats, and advising the public on how to address them. I encourage
you to refer to the materials published by OWASP and Web Application Security
If you still need assistance, there are several organizations that put a
considerable effort into documenting and explaining many of the common web
security threats, and advising the public on how to address them. I encourage
you to refer to the materials published by OWASP and Web Application Security
Consortium, amongst others:
* http://www.owasp.org/index.php/Category:Principle
* http://www.owasp.org/index.php/Category:OWASP_Guide_Project
* http://www.webappsec.org/projects/articles/
Although I am happy to diagnose problems with the scanner itself, I regrettably
cannot offer any assistance with the inner wokings of third-party web
Although I am happy to diagnose problems with the scanner itself, I regrettably
cannot offer any assistance with the inner wokings of third-party web
applications.
---------------------------------------
7. Known limitations / feature wishlist
8. Known limitations / feature wishlist
---------------------------------------
Below is a list of features currently missing in skipfish. If you wish to
improve the tool by contributing code in one of these areas, please let me know:
improve the tool by contributing code in one of these areas, please let me
know:
* Buffer overflow checks: after careful consideration, I suspect there is
no reliable way to test for buffer overflows remotely. Much like the actual
@ -468,24 +483,24 @@ improve the tool by contributing code in one of these areas, please let me know:
problems seem to be largely addressed on browser level at this point, so
they were much lower priority at the time of this writing.
* Security checks and link extraction for third-party, plugin-based content
(Flash, Java, PDF, etc).
* Security checks and link extraction for third-party, plugin-based
content (Flash, Java, PDF, etc).
* Password brute-force and numerical filename brute-force probes.
* Search engine integration (vhosts, starting paths).
* More specific PHP tests (eval injection, RFI).
* VIEWSTATE decoding.
* VIEWSTATE decoding.
* NTLM and digest authentication.
* Proxy support: somewhat incompatible with performance control features
currently employed by skipfish; but in the long run, should be provided as
a last-resort option.
* More specific PHP tests (eval injection, RFI).
* Scan resume option.
* Proxy support: somewhat incompatible with performance control features
currently employed by skipfish; but in the long run, should be provided
as a last-resort option.
* Scan resume option.
* Option to limit document sampling or save samples directly to disk.
@ -493,16 +508,17 @@ improve the tool by contributing code in one of these areas, please let me know:
* Config file support.
* A database for banner / version checks?
* A database for banner / version checks?
-------------------------------------
8. Oy! Something went horribly wrong!
9. Oy! Something went horribly wrong!
-------------------------------------
There is no web crawler so good that there wouldn't be a web framework to one
day set it on fire. If you encounter what appears to be bad behavior (e.g., a
scan that takes forever and generates too many requests, completely bogus nodes
in scan output, or outright crashes), please first check this page:
scan that takes forever and generates too many requests, completely bogus
nodes in scan output, or outright crashes), please first check our known
issues page:
http://code.google.com/p/skipfish/wiki/KnownIssues
@ -526,12 +542,12 @@ $ gdb --batch -ex back ./skipfish core
...and be sure to send the author the output of that last command as well.
-----------------------
9. Credits and feedback
-----------------------
------------------------
10. Credits and feedback
------------------------
Skipfish is made possible thanks to the contributions of, and valuable feedback
from, Google's information security engineering team.
Skipfish is made possible thanks to the contributions of, and valuable
feedback from, Google's information security engineering team.
If you have any bug reports, questions, suggestions, or concerns regarding the
application, the author can be reached at lcamtuf@google.com.
If you have any bug reports, questions, suggestions, or concerns regarding
the application, the author can be reached at lcamtuf@google.com.
3
config.h
3
config.h
@ -70,7 +70,8 @@
/* Configurable settings for crawl database (cmdline override): */
#define MAX_DEPTH 16 /* Maximum crawl tree depth */
#define MAX_CHILDREN 1024 /* Maximum children per tree node */
#define MAX_CHILDREN 512 /* Maximum children per tree node */
#define MAX_DESCENDANTS 8192 /* Maximum descendants per branch */
#define MAX_SAMENAME 3 /* Identically named path nodes */
/* Crawl / analysis constants: */
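Review bot: MAX_CHILDREN drops from 1024 to 512 in the same hunk that introduces MAX_DESCENDANTS, yet nothing on the page records that the default per-node cap was halved; the commit title only mentions the new descendant checks, so users of the old default get fewer children indexed without an explanation. A one-line comment next to the define, e.g. `/* Lowered from 1024 together with the per-branch MAX_DESCENDANTS cap */`, or a ChangeLog entry, would make the change visible. The -c default printed by usage() and the man page already follow the macro, so only the rationale is missing.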
22
crawler.c
22
crawler.c
@ -1654,7 +1654,7 @@ static void crawl_par_numerical_init(struct pivot_desc* pv) {
DEBUG_HELPER(pv);
if (pv->child_cnt >= max_children) goto schedule_next;
if (!descendants_ok(pv)) goto schedule_next;
/* Skip to the first digit, then to first non-digit. */
@ -1754,7 +1754,7 @@ static u8 par_numerical_callback(struct http_request* req,
!((is_c_sens(req->pivot) ? strcmp : strcasecmp)((char*)TPAR(req),
(char*)req->pivot->child[i]->name))) goto schedule_next;
if (req->pivot->child_cnt >= max_children) goto schedule_next;
if (!descendants_ok(req->pivot)) goto schedule_next;
/* Hmm, looks like we're onto something. Let's manually create a dummy
pivot and attach it to current node, without any activity planned.
@ -1777,6 +1777,8 @@ static u8 par_numerical_callback(struct http_request* req,
req->pivot->child[req->pivot->child_cnt++] = n;
add_descendant(req->pivot);
req->pivot = n;
RESP_CHECKS(req, res);
@ -1814,7 +1816,7 @@ static void crawl_par_dict_init(struct pivot_desc* pv) {
restart_dict:
if (pv->child_cnt >= max_children) {
if (!descendants_ok(pv)) {
crawl_par_trylist_init(pv);
return;
}
@ -1945,7 +1947,7 @@ static u8 par_dict_callback(struct http_request* req,
!((is_c_sens(req->pivot) ? strcmp : strcasecmp)((char*)TPAR(req),
(char*)req->pivot->child[i]->name))) goto schedule_next;
if (req->pivot->child_cnt >= max_children) goto schedule_next;
if (!descendants_ok(req->pivot)) goto schedule_next;
n = ck_alloc(sizeof(struct pivot_desc));
@ -1963,6 +1965,9 @@ static u8 par_dict_callback(struct http_request* req,
* sizeof(struct pivot_desc*));
req->pivot->child[req->pivot->child_cnt++] = n;
add_descendant(req->pivot);
req->pivot = n;
keep = 1;
@ -1992,7 +1997,7 @@ void crawl_par_trylist_init(struct pivot_desc* pv) {
no point in going through the try list if restarted. */
if (pv->fuzz_par == -1 || pv->bogus_par || pv->res_varies
|| pv->child_cnt >= max_children) {
|| !descendants_ok(pv)) {
pv->state = PSTATE_DONE;
return;
} else
@ -2078,7 +2083,7 @@ static u8 par_trylist_callback(struct http_request* req,
!((is_c_sens(req->pivot) ? strcmp : strcasecmp)((char*)TPAR(req),
(char*)req->pivot->child[i]->name))) goto schedule_next;
if (req->pivot->child_cnt >= max_children) goto schedule_next;
if (!descendants_ok(req->pivot)) goto schedule_next;
n = ck_alloc(sizeof(struct pivot_desc));
@ -2096,6 +2101,9 @@ static u8 par_trylist_callback(struct http_request* req,
* sizeof(struct pivot_desc*));
req->pivot->child[req->pivot->child_cnt++] = n;
add_descendant(req->pivot);
req->pivot = n;
RESP_CHECKS(req, res);
@ -2634,7 +2642,7 @@ static void crawl_dir_dict_init(struct pivot_desc* pv) {
if (in_dict_init || pv->pending > DICT_BATCH || pv->state != PSTATE_CHILD_DICT)
return;
if (pv->child_cnt >= max_children) {
if (!descendants_ok(pv)) {
crawl_parametric_init(pv);
return;
}
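Review bot: Swapping `pv->child_cnt >= max_children` for `!descendants_ok(pv)` loosens the per-node cap by one in every crawler path touched here, because descendants_ok (defined in database.c in this commit) only fails on `child_cnt > max_children`; crawl_par_numerical_init, par_numerical_callback, crawl_par_dict_init, par_dict_callback, crawl_par_trylist_init, par_trylist_callback and crawl_dir_dict_init all previously stopped at equality and now admit max_children + 1 children. If the crawler's old semantics are the intended ones, the single fix is in the helper, `if (pv->child_cnt >= max_children) return 0;`, which would also tighten maybe_add_pivot's pre-existing `>` check; otherwise the off-by-one deserves a comment saying it is deliberate. The child array appears to be grown per insertion (the `* sizeof(struct pivot_desc*)` tail of a realloc is visible just before each insertion), so this reads as a limit-semantics change rather than an overrun, but that is inferred from partial hunks. Each affected function begins and ends outside the hunks shown.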
47
database.c
47
database.c
@ -52,9 +52,10 @@ u32 num_deny_urls,
num_trust_domains,
num_skip_params;
u32 max_depth = MAX_DEPTH,
max_children = MAX_CHILDREN,
max_guesses = MAX_GUESSES;
u32 max_depth = MAX_DEPTH,
max_children = MAX_CHILDREN,
max_descendants = MAX_DESCENDANTS,
max_guesses = MAX_GUESSES;
u8 dont_add_words; /* No auto dictionary building */
@ -84,6 +85,31 @@ static u32 cur_xss_id, scan_id; /* Stored XSS manager IDs */
static struct http_request** xss_req; /* Stored XSS manager req cache */
/* Checks descendant counts. */
u8 descendants_ok(struct pivot_desc* pv) {
if (pv->child_cnt > max_children) return 0;
while (pv) {
if (pv->desc_cnt > max_descendants) return 0;
pv = pv->parent;
}
return 1;
}
void add_descendant(struct pivot_desc* pv) {
while (pv) {
pv->desc_cnt++;
pv = pv->parent;
}
}
/* Maps a parsed URL (in req) to the pivot tree, creating or modifying nodes
as necessary, and scheduling them for crawl. This should be called only
on requests that were *not* yet retrieved. */
@ -167,6 +193,8 @@ void maybe_add_pivot(struct http_request* req, struct http_response* res,
root_pivot.child[root_pivot.child_cnt++] = cur;
add_descendant(&root_pivot);
cur->type = PIVOT_SERV;
cur->state = PSTATE_FETCH;
cur->linked = 2;
@ -234,7 +262,7 @@ void maybe_add_pivot(struct http_request* req, struct http_response* res,
/* Enforce user limits. */
if ((i + 1) >= max_depth || cur->child_cnt > max_children) {
if ((i + 1) >= max_depth || !descendants_ok(cur)) {
problem(PROB_LIMITS, req, res, (u8*)"Child node limit exceeded", cur,
0);
return;
@ -261,6 +289,8 @@ void maybe_add_pivot(struct http_request* req, struct http_response* res,
cur->child[cur->child_cnt++] = n;
add_descendant(cur);
n->parent = cur;
n->linked = via_link;
n->name = ck_strdup(pname);
@ -427,7 +457,7 @@ void maybe_add_pivot(struct http_request* req, struct http_response* res,
/* Enforce user limits. */
if (cur->child_cnt > max_children) {
if (!descendants_ok(cur)) {
problem(PROB_LIMITS, req, res, (u8*)"Child node limit exceeded", cur, 0);
return;
}
@ -441,6 +471,8 @@ void maybe_add_pivot(struct http_request* req, struct http_response* res,
cur->child[cur->child_cnt++] = n;
add_descendant(cur);
n->parent = cur;
n->type = PIVOT_PARAM;
n->linked = via_link;
@ -1236,8 +1268,9 @@ void dump_pivots(struct pivot_desc* cur, u8 nest) {
}
SAY(cGRA "%sFlags : " cNOR "linked %u, case %u/%u, fuzz_par %d, ips %u, "
"sigs %u, reqs %u\n", indent, cur->linked, cur->csens, cur->c_checked,
cur->fuzz_par, cur->uses_ips, cur->r404_cnt, cur->pending);
"sigs %u, reqs %u, desc %u/%u\n", indent, cur->linked, cur->csens, cur->c_checked,
cur->fuzz_par, cur->uses_ips, cur->r404_cnt, cur->pending, cur->child_cnt,
cur->desc_cnt);
if (cur->req) {
url = serialize_path(cur->req, 1, 0);
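Review bot: Both `problem(PROB_LIMITS, ...)` calls in maybe_add_pivot keep the text "Child node limit exceeded" although the guard in front of them is now `!descendants_ok(cur)`, which also trips on the new per-branch descendant cap, so the report no longer tells the reader whether -c or -x is the limit to raise. The cheapest fix is the message, `(u8*)"Child / descendant node limit exceeded"`; the better one is to have descendants_ok return which limit fired so the message can name it. The two new helpers also deserve a fuller header comment than the one line they carry: descendants_ok walks pv and every ancestor via `pv->parent` and fails if any of them is over max_descendants (after the direct max_children check on pv itself), and add_descendant bumps desc_cnt on that same chain, so desc_cnt counts all nodes added beneath a pivot, not just direct children. maybe_add_pivot and dump_pivots begin and end outside the hunks shown.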
10
database.h
10
database.h
@ -96,6 +96,7 @@ struct pivot_desc {
struct pivot_desc* parent; /* Parent pivot, if any */
struct pivot_desc** child; /* List of children */
u32 child_cnt; /* Number of children */
u32 desc_cnt; /* Number of descendants */
struct issue_desc* issue; /* List of issues found */
u32 issue_cnt; /* Number of issues */
@ -153,6 +154,14 @@ struct pivot_desc {
extern struct pivot_desc root_pivot;
/* Checks child / descendant limits. */
u8 descendants_ok(struct pivot_desc* pv);
/* Increases descendant count. */
void add_descendant(struct pivot_desc* pv);
/* Maps a parsed URL (in req) to the pivot tree, creating or modifying nodes
as necessary, and scheduling them for crawl; via_link should be 1 if the
URL came from an explicit link or user input, 0 if brute-forced.
@ -332,6 +341,7 @@ extern u32 num_deny_urls,
extern u32 max_depth,
max_children,
max_descendants,
max_trylist,
max_guesses;
@ -40,7 +40,10 @@ do not accept any new cookies
maximum crawl tree depth (default: 16)
.TP
.B \-c max_child
maximum children to index per node (default: 1024)
maximum children to index per node (default: 512)
.TP
.B \-x max_desc
maximum descendants to index per crawl tree branch (default: 8192)
.TP
.B \-r r_limit
max total number of requests to send (default: 100000000)
14
skipfish.c
14
skipfish.c
@ -89,6 +89,7 @@ static void usage(char* argv0) {
" -d max_depth - maximum crawl tree depth (%u)\n"
" -c max_child - maximum children to index per node (%u)\n"
" -x max_desc - maximum descendants to index per branch (%u)\n"
" -r r_limit - max total number of requests to send (%u)\n"
" -p crawl%% - node and link crawl probability (100%%)\n"
" -q hex - repeat probabilistic scan with given seed\n"
@ -133,9 +134,9 @@ static void usage(char* argv0) {
" -s s_limit - response size limit (%u B)\n\n"
"Send comments and complaints to <lcamtuf@google.com>.\n", argv0,
max_depth, max_children, max_requests, DEF_WORDLIST, MAX_GUESSES,
max_connections, max_conn_host, max_fail, resp_tmout, rw_tmout,
idle_tmout, size_limit);
max_depth, max_children, max_descendants, max_requests, DEF_WORDLIST,
MAX_GUESSES, max_connections, max_conn_host, max_fail, resp_tmout,
rw_tmout, idle_tmout, size_limit);
exit(1);
}
@ -214,7 +215,7 @@ int main(int argc, char** argv) {
SAY("skipfish version " VERSION " by <lcamtuf@google.com>\n");
while ((opt = getopt(argc, argv,
"+A:F:C:H:b:Nd:c:r:p:I:X:S:D:PJOYQMZUEK:W:LVT:G:R:B:q:g:m:f:t:w:i:s:o:hu")) > 0)
"+A:F:C:H:b:Nd:c:x:r:p:I:X:S:D:PJOYQMZUEK:W:LVT:G:R:B:q:g:m:f:t:w:i:s:o:hu")) > 0)
switch (opt) {
@ -362,6 +363,11 @@ int main(int argc, char** argv) {
if (!max_children) FATAL("Invalid value '%s'.", optarg);
break;
case 'x':
max_descendants = atoi(optarg);
if (!max_descendants) FATAL("Invalid value '%s'.", optarg);
break;
case 'p':
crawl_prob = atoi(optarg);
if (!crawl_prob) FATAL("Invalid value '%s'.", optarg);
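Review bot: The new `case 'x':` parses with atoi() and rejects only zero, so a negative argument is stored into the u32 max_descendants as a very large value and silently disables the descendant cap instead of being reported, and trailing junk (`12abc`) is accepted as 12. This mirrors the existing `-c` handling a few lines up, so it is consistent with the file, but since the whole point of the option is a hard limit a stricter parse is cheap: with a `char* end` declared, `long v = strtol(optarg, &end, 10);`, `if (*end || v <= 0) FATAL("Invalid value '%s'.", optarg);`, `max_descendants = v;`. If -x is tightened, -c should get the same treatment in a follow-up rather than diverging. main begins and ends outside the hunk shown.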