1.58b: Descendant limit checks added.

2010-08-21 15:56:47 -04:00 · 2010-08-21 15:56:47 -04:00 · 42d17c7921
parent 768867c93b
commit 42d17c7921
9 changed files with 360 additions and 278 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
 Version 1.58b:
 --------------
  - Descendant limit checks added.
 Version 1.57b:
 --------------
--- a/2
+++ b/2
@ -20,7 +20,7 @@
 #
 PROGNAME   = skipfish
-VERSION    = 1.57b
+VERSION    = 1.58b
 OBJFILES   = http_client.c database.c crawler.c analysis.c report.c
 INCFILES   = alloc-inl.h string-inl.h debug.h types.h http_client.h \
--- a/530
+++ b/530
@ -6,249 +6,259 @@ skipfish - web application security scanner
  * Written and maintained by Michal Zalewski <lcamtuf@google.com>.
  * Copyright 2009, 2010 Google Inc, rights reserved.
-  * Released under terms and conditions of the Apache License, version 2.0. 
+  * Released under terms and conditions of the Apache License, version 2.0.
 --------------------
 1. What is skipfish?
 --------------------
-Skipfish is an active web application security reconnaissance tool. It prepares 
+Skipfish is an active web application security reconnaissance tool. It 
-an interactive sitemap for the targeted site by carrying out a recursive crawl 
+prepares an interactive sitemap for the targeted site by carrying out a 
-and dictionary-based probes. The resulting map is then annotated with the 
+recursive crawl and dictionary-based probes. The resulting map is then 
-output from a number of active (but hopefully non-disruptive) security checks. 
+annotated with the output from a number of active (but hopefully 
-The final report generated by the tool is meant to serve as a foundation for 
+non-disruptive) security checks. The final report generated by the tool is 
-professional web application security assessments.
+meant to serve as a foundation for professional web application security 
-Why should I bother with this particular tool?
+assessments.
 -------------------------------------------------
 2. Why should I bother with this particular tool?
 -------------------------------------------------
 A number of commercial and open source tools with analogous functionality is 
-readily available (e.g., Nikto, Nessus); stick to the one that suits you best. 
+readily available (e.g., Nikto, Nessus); stick to the one that suits you 
-That said, skipfish tries to address some of the common problems associated 
+best. That said, skipfish tries to address some of the common problems 
-with web security scanners. Specific advantages include:
+associated with web security scanners. Specific advantages include:
  * High performance: 500+ requests per second against responsive Internet 
    targets, 2000+ requests per second on LAN / MAN networks, and 7000+ requests
-    against local instances has been observed, with a very modest CPU, network,
+    against local instances have been observed, with a very modest CPU, network,
    and memory footprint. This can be attributed to:
-    - Multiplexing single-thread, fully asynchronous network I/O and data 
+    * Multiplexing single-thread, fully asynchronous network I/O and data 
      processing model that eliminates memory management, scheduling, and IPC 
      inefficiencies present in some multi-threaded clients.
-    - Advanced HTTP/1.1 features such as range requests, content 
+    * Advanced HTTP/1.1 features such as range requests, content compression,
-      compression, and keep-alive connections, as well as forced response size 
+      and keep-alive connections, as well as forced response size limiting, to
-      limiting, to keep network-level overhead in check.
+      keep network-level overhead in check.
-    - Smart response caching and advanced server behavior heuristics are 
+    * Smart response caching and advanced server behavior heuristics are used to
-      used to minimize unnecessary traffic.
+      minimize unnecessary traffic.
-    - Performance-oriented, pure C implementation, including a custom 
+    * Performance-oriented, pure C implementation, including a custom 
      HTTP stack. 
-  * Ease of use: skipfish is highly adaptive and reliable. The scanner 
+  * Ease of use: skipfish is highly adaptive and reliable. The scanner features:
    features:
-    - Heuristic recognition of obscure path- and query-based parameter 
+    * Heuristic recognition of obscure path- and query-based parameter handling
-      handling schemes.
+      schemes.
-    - Graceful handling of multi-framework sites where certain paths obey 
+    * Graceful handling of multi-framework sites where certain paths obey
-      a completely different semantics, or are subject to different filtering
+      completely different semantics, or are subject to different filtering
      rules.
-    - Automatic wordlist construction based on site content analysis.
+    * Automatic wordlist construction based on site content analysis.
-    - Probabilistic scanning features to allow periodic, time-bound 
+    * Probabilistic scanning features to allow periodic, time-bound assessments
-      assessments of arbitrarily complex sites. 
+      of arbitrarily complex sites. 
-  * Well-designed security checks: the tool is meant to provide accurate and 
+    * Well-designed security checks: the tool is meant to provide accurate 
-    meaningful results:
+      and meaningful results:
-    - Three-step differential probes are preferred to signature checks 
+      * Handcrafted dictionaries offer excellent coverage and permit thorough 
-      for detecting vulnerabilities.
+        $keyword.$extension testing in a reasonable timeframe.
-    - Ratproxy-style logic is used to spot subtle security problems: 
+      * Three-step differential probes are preferred to signature checks for
-      cross-site request forgery, cross-site script inclusion, mixed content,
+         detecting vulnerabilities.
      issues MIME- and charset mismatches, incorrect caching directive, etc.
-    - Bundled security checks are designed to handle tricky scenarios: 
+      * Ratproxy-style logic is used to spot subtle security problems: 
-      stored XSS (path, parameters, headers), blind SQL or XML injection, or
+        cross-site request forgery, cross-site script inclusion, mixed content, 
-      blind shell injection.
+        issues MIME- and charset mismatches, incorrect caching directives, etc.
-    - Report post-processing drastically reduces the noise caused by any 
+      * Bundled security checks are designed to handle tricky scenarios: 
-      remaining false positives or server gimmicks by identifying repetitive
+        stored XSS (path, parameters, headers), blind SQL or XML injection, 
-      patterns. 
+        or blind shell injection.
      * Report post-processing drastically reduces the noise caused by any
        remaining false positives or server gimmicks by identifying repetitive 
        patterns. 
 That said, skipfish is not a silver bullet, and may be unsuitable for certain 
-purposes. For example, it does not satisfy most of the requirements outlined in 
+purposes. For example, it does not satisfy most of the requirements outlined 
-WASC Web Application Security Scanner Evaluation Criteria (some of them on 
+in WASC Web Application Security Scanner Evaluation Criteria (some of them on 
 purpose, some out of necessity); and unlike most other projects of this type, 
 it does not come with an extensive database of known vulnerabilities for 
 banner-type checks.
 -----------------------------------------------------
-2. Most curious! What specific tests are implemented?
+3. Most curious! What specific tests are implemented?
 -----------------------------------------------------
 A rough list of the security checks offered by the tool is outlined below.
  * High risk flaws (potentially leading to system compromise):
-    - Server-side SQL injection (including blind vectors, numerical 
+    * Server-side SQL injection (including blind vectors, numerical parameters).
-      parameters).
+    * Explicit SQL-like syntax in GET or POST parameters.
-    - Explicit SQL-like syntax in GET or POST parameters.
+    * Server-side shell command injection (including blind vectors).
-    - Server-side shell command injection (including blind vectors).
+    * Server-side XML / XPath injection (including blind vectors).
-    - Server-side XML / XPath injection (including blind vectors).
+    * Format string vulnerabilities.
-    - Format string vulnerabilities.
+    * Integer overflow vulnerabilities.
-    - Integer overflow vulnerabilities. 
+    * Locations accepting HTTP PUT. 
    - Locations accepting HTTP PUT.
  * Medium risk flaws (potentially leading to data compromise):
-    - Stored and reflected XSS vectors in document body (minimal JS XSS 
+    * Stored and reflected XSS vectors in document body (minimal JS XSS support).
-      support present).
+    * Stored and reflected XSS vectors via HTTP redirects.
-    - Stored and reflected XSS vectors via HTTP redirects.
+    * Stored and reflected XSS vectors via HTTP header splitting.
-    - Stored and reflected XSS vectors via HTTP header splitting.
+    * Directory traversal (including constrained vectors).
-    - Directory traversal (including constrained vectors).
+    * Assorted file POIs (server-side sources, configs, etc).
-    - Assorted file POIs (server-side sources, configs, etc).
+    * Attacker-supplied script and CSS inclusion vectors (stored and reflected).
-    - Attacker-supplied script and CSS inclusion vectors (stored and 
+    * External untrusted script and CSS inclusion vectors.
-      reflected).
+    * Mixed content problems on script and CSS resources (optional).
-    - External untrusted script and CSS inclusion vectors.
+    * Incorrect or missing MIME types on renderables.
-    - Mixed content problems on script and CSS resources (optional).
+    * Generic MIME types on renderables.
-    - Incorrect or missing MIME types on renderables.
+    * Incorrect or missing charsets on renderables.
-    - Generic MIME types on renderables.
+    * Conflicting MIME / charset info on renderables.
-    - Incorrect or missing charsets on renderables.
+    * Bad caching directives on cookie setting responses. 
    - Conflicting MIME / charset info on renderables.
    - Bad caching directives on cookie setting responses. 
  * Low risk issues (limited impact or low specificity):
-    - Directory listing bypass vectors.
+    * Directory listing bypass vectors.
-    - Redirection to attacker-supplied URLs (stored and reflected).
+    * Redirection to attacker-supplied URLs (stored and reflected).
-    - Attacker-supplied embedded content (stored and reflected).
+    * Attacker-supplied embedded content (stored and reflected).
-    - External untrusted embedded content.
+    * External untrusted embedded content.
-    - Mixed content on non-scriptable subresources (optional).
+    * Mixed content on non-scriptable subresources (optional).
-    - HTTP credentials in URLs.
+    * HTTP credentials in URLs.
-    - Expired or not-yet-valid SSL certificates.
+    * Expired or not-yet-valid SSL certificates.
-    - HTML forms with no XSRF protection.
+    * HTML forms with no XSRF protection.
-    - Self-signed SSL certificates.
+    * Self-signed SSL certificates.
-    - SSL certificate host name mismatches.
+    * SSL certificate host name mismatches.
-    - Bad caching directives on less sensitive content. 
+    * Bad caching directives on less sensitive content. 
  * Internal warnings:
-    - Failed resource fetch attempts.
+    * Failed resource fetch attempts.
-    - Exceeded crawl limits.
+    * Exceeded crawl limits.
-    - Failed 404 behavior checks.
+    * Failed 404 behavior checks.
-    - IPS filtering detected.
+    * IPS filtering detected.
-    - Unexpected response variations.
+    * Unexpected response variations.
-    - Seemingly misclassified crawl nodes. 
+    * Seemingly misclassified crawl nodes. 
  * Non-specific informational entries:
-    - General SSL certificate information.
+    * General SSL certificate information.
-    - Significantly changing HTTP cookies.
+    * Significantly changing HTTP cookies.
-    - Changing Server, Via, or X-... headers.
+    * Changing Server, Via, or X-... headers.
-    - New 404 signatures.
+    * New 404 signatures.
-    - Resources that cannot be accessed.
+    * Resources that cannot be accessed.
-    - Resources requiring HTTP authentication.
+    * Resources requiring HTTP authentication.
-    - Broken links.
+    * Broken links.
-    - Server errors.
+    * Server errors.
-    - All external links not classified otherwise (optional).
+    * All external links not classified otherwise (optional).
-    - All external e-mails (optional).
+    * All external e-mails (optional).
-    - All external URL redirectors (optional).
+    * All external URL redirectors (optional).
-    - Links to unknown protocols.
+    * Links to unknown protocols.
-    - Form fields that could not be autocompleted.
+    * Form fields that could not be autocompleted.
-    - Password entry forms (for external brute-force).
+    * Password entry forms (for external brute-force).
-    - File upload forms.
+    * File upload forms.
-    - All other HTML forms detected.
+    * Other HTML forms (not classified otherwise).
-    - Numerical file names (for external brute-force).
+    * Numerical file names (for external brute-force).
-    - User-supplied links otherwise rendered on a page.
+    * User-supplied links otherwise rendered on a page.
-    - Incorrect or missing MIME type on less significant content.
+    * Incorrect or missing MIME type on less significant content.
-    - Generic MIME type on less significant content.
+    * Generic MIME type on less significant content.
-    - Incorrect or missing charset on less significant content.
+    * Incorrect or missing charset on less significant content.
-    - Conflicting MIME / charset information on less significant content.
+    * Conflicting MIME / charset information on less significant content.
-    - OGNL-like parameter passing conventions. 
+    * OGNL-like parameter passing conventions. 
 Along with a list of identified issues, skipfish also provides summary 
-overviews of document types and issue types found; and an interactive sitemap, 
+overviews of document types and issue types found; and an interactive 
-with nodes discovered through brute-force denoted in a distinctive way.
+sitemap, with nodes discovered through brute-force denoted in a distinctive 
 way.
-NOTE: As a conscious design decision, skipfish will not redundantly complain
+NOTE: As a conscious design decision, skipfish will not redundantly complain 
 about highly non-specific issues, including but not limited to:
-  * Non-`httponly` cookies,
+  * Non-httponly or non-secure cookies,
-  * Non-HTTPS or `autocomplete`-enabled forms,
+  * Non-HTTPS or autocomplete-enabled forms,
  * HTML comments detected on a page,
  * Filesystem path disclosure in error messages,
  * Server of framework version disclosure,
-  * Mere presence of certain technologies, such as WebDAV.
+  * Servers supporting TRACE or OPTIONS requests,
  * Mere presence of certain technologies, such as WebDAV. 
-Most of these aspects are easy to inspect in a report if so desired - for
+Most of these aspects are easy to inspect in a report if so desired - for 
-example, all the HTML forms are listed separately, so are new cookies or
+example, all the HTML forms are listed separately, so are new cookies or 
-interesting HTTP headers - and the expectation is that the auditor may opt to
+interesting HTTP headers - and the expectation is that the auditor may opt to 
-make certain design recommendations based on this data where appropriate. That
+make certain design recommendations based on this data where appropriate. 
-said, these occurrences are not highlighted as a specific security flaw.
+That said, these occurrences are not highlighted as a specific security flaw.
 -----------------------------------------------------------
-3. All right, I want to try it out. What do I need to know?
+4. All right, I want to try it out. What do I need to know?
 -----------------------------------------------------------
 First and foremost, please do not be evil. Use skipfish only against services 
 you own, or have a permission to test.
-Keep in mind that all types of security testing can be disruptive. Although the 
+Keep in mind that all types of security testing can be disruptive. Although 
-scanner is designed not to carry out malicious attacks, it may accidentally 
+the scanner is designed not to carry out malicious attacks, it may 
-interfere with the operations of the site. You must accept the risk, and plan
+accidentally interfere with the operations of the site. You must accept the 
-accordingly. Run the scanner against test instances where feasible, and be
+risk, and plan accordingly. Run the scanner against test instances where 
-prepared to deal with the consequences if things go wrong.
+feasible, and be prepared to deal with the consequences if things go wrong.
 Also note that the tool is meant to be used by security professionals, and is 
-experimental in nature. It may return false positives or miss obvious security 
+experimental in nature. It may return false positives or miss obvious 
-problems - and even when it operates perfectly, it is simply not meant to be a 
+security problems - and even when it operates perfectly, it is simply not 
-point-and-click application. Do not rely on its output at face value.
+meant to be a point-and-click application. Do not take its output at face 
 value.
-Running the tool against vendor-supplied demo sites is not a good way to
+Running the tool against vendor-supplied demo sites is not a good way to 
-evaluate it, as they usually approximate vulnerabilities very imperfectly; we
+evaluate it, as they usually approximate vulnerabilities very imperfectly; we 
 made no effort to accommodate these cases.
-Lastly, the scanner is simply not designed for dealing with rogue and
+Lastly, the scanner is simply not designed for dealing with rogue and 
-misbehaving HTTP servers - and offers no guarantees of safe (or sane) behavior
+misbehaving HTTP servers - and offers no guarantees of safe (or sane) 
-there.
+behavior there.
 --------------------------
-4. How to run the scanner?
+5. How to run the scanner?
 --------------------------
 To compile it, simply unpack the archive and try make. Chances are, you will 
 need to install libidn first.
 Next, you need to copy the desired dictionary file from dictionaries/ to 
-skipfish.wl. Please read dictionaries/README-FIRST carefully to make the right 
+skipfish.wl. Please read dictionaries/README-FIRST carefully to make the 
-choice. This step has a profound impact on the quality of scan results later on.
+right choice. This step has a profound impact on the quality of scan results 
 later on.
 Once you have the dictionary selected, you can try:
 $ ./skipfish -o output_dir http://www.example.com/some/starting/path.txt
-Note that you can provide more than one starting URL if so desired; all of them 
+Note that you can provide more than one starting URL if so desired; all of 
-will be crawled.
+them will be crawled.
-The tool will display some helpful stats while the scan is in progress. You
+The tool will display some helpful stats while the scan is in progress. You 
 can also switch to a list of in-flight HTTP requests by pressing return.
-In the example above, skipfish will scan the entire www.example.com (including 
+In the example above, skipfish will scan the entire www.example.com 
-services on other ports, if linked to from the main page), and write a report 
+(including services on other ports, if linked to from the main page), and 
-to output_dir/index.html. You can then view this report with your favorite 
+write a report to output_dir/index.html. You can then view this report with 
-browser (JavaScript must be enabled). The index.html file is static; actual 
+your favorite browser (JavaScript must be enabled; and because of recent 
-results are stored as a hierarchy of JSON files, suitable for machine 
+file:/// security improvements in certain browsers, you might need to access 
-processing if needs be.
+results over HTTP). The index.html file is static; actual results are stored 
 as a hierarchy of JSON files, suitable for machine processing or different 
 presentation frontends if needs be.
-Some sites may require authentication; for simple HTTP credentials, you can try:
+Some sites may require authentication; for simple HTTP credentials, you can 
 try:
 $ ./skipfish -A user:pass ...other parameters...
 Alternatively, if the site relies on HTTP cookies instead, log in in your 
-browser or using a simple curl script, and then provide skipfish with a session 
+browser or using a simple curl script, and then provide skipfish with a 
-cookie:
+session cookie:
 $ ./skipfish -C name=val ...other parameters...
@ -263,20 +273,20 @@ $ ./skipfish -X /logout/logout.aspx ...other parameters...
 The -X option is also useful for speeding up your scans by excluding /icons/, 
 /doc/, /manuals/, and other standard, mundane locations along these lines. In 
-general, you can use -X, plus -I (only spider URLs matching a substring) and -S 
+general, you can use -X, plus -I (only spider URLs matching a substring) and 
-(ignore links on pages where a substring appears in response body) to limit the 
+-S (ignore links on pages where a substring appears in response body) to 
-scope of a scan any way you like - including restricting it only to a specific 
+limit the scope of a scan any way you like - including restricting it only to 
-protocol and port:
+a specific protocol and port:
 $ ./skipfish -I http://example.com:1234/ ...other parameters...
-A related function, -K, allows you to specify parameter names not to fuzz
+A related function, -K, allows you to specify parameter names not to fuzz 
 (useful for applications that put session IDs in the URL, to minimize noise).
-Another useful scoping option is -D - allowing you to specify additional hosts 
+Another useful scoping option is -D - allowing you to specify additional 
-or domains to consider in-scope for the test. By default, all hosts appearing 
+hosts or domains to consider in-scope for the test. By default, all hosts 
-in the command-line URLs are added to the list - but you can use -D to broaden 
+appearing in the command-line URLs are added to the list - but you can use -D 
-these rules, for example:
+to broaden these rules, for example:
 $ ./skipfish -D test2.example.com -o output-dir http://test1.example.com/
@ -284,120 +294,124 @@ $ ./skipfish -D test2.example.com -o output-dir http://test1.example.com/
 $ ./skipfish -D .example.com -o output-dir http://test1.example.com/
-In some cases, you do not want to actually crawl a third-party domain, but you 
+In some cases, you do not want to actually crawl a third-party domain, but 
-trust the owner of that domain enough not to worry about cross-domain content 
+you trust the owner of that domain enough not to worry about cross-domain 
-inclusion from that location. To suppress warnings, you can use the -B option, 
+content inclusion from that location. To suppress warnings, you can use the 
-for example:
+-B option, for example:
-$ ./skipfish -B .google-analytics.com -B .googleapis.com ...other parameters...
+$ ./skipfish -B .google-analytics.com -B .googleapis.com ...other 
 parameters...
 By default, skipfish sends minimalistic HTTP headers to reduce the amount of 
 data exchanged over the wire; some sites examine User-Agent strings or header 
-ordering to reject unsupported clients, however. In such a case, you can use -b 
+ordering to reject unsupported clients, however. In such a case, you can use 
-ie or -b ffox to mimic one of the two popular browsers.
+-b ie or -b ffox to mimic one of the two popular browsers.
-When it comes to customizing your HTTP requests, you can also use the -H option 
+When it comes to customizing your HTTP requests, you can also use the -H 
-to insert any additional, non-standard headers; or -F to define a custom 
+option to insert any additional, non-standard headers; or -F to define a 
-mapping between a host and an IP (bypassing the resolver). The latter feature 
+custom mapping between a host and an IP (bypassing the resolver). The latter 
-is particularly useful for not-yet-launched or legacy services.
+feature is particularly useful for not-yet-launched or legacy services.
 Some sites may be too big to scan in a reasonable timeframe. If the site 
 features well-defined tarpits - for example, 100,000 nearly identical user 
 profiles as a part of a social network - these specific locations can be 
 excluded with -X or -S. In other cases, you may need to resort to other 
 settings: -d limits crawl depth to a specified number of subdirectories; -c 
-limits the number of children per directory; and -r limits the total number of 
+limits the number of children per directory; -x limits the total number of
-requests to send in a scan.
+descendants per crawl tree branch; and -r limits the total number of requests
 to send in a scan.
-An interesting option is available for repeated assessments: -p. By specifying 
+An interesting option is available for repeated assessments: -p. By 
-a percentage between 1 and 100%, it is possible to tell the crawler to follow 
+specifying a percentage between 1 and 100%, it is possible to tell the 
-fewer than 100% of all links, and try fewer than 100% of all dictionary 
+crawler to follow fewer than 100% of all links, and try fewer than 100% of 
-entries. This - naturally - limits the completeness of a scan, but unlike most 
+all dictionary entries. This - naturally - limits the completeness of a scan, 
-other settings, it does so in a balanced, non-deterministic manner. It is 
+but unlike most other settings, it does so in a balanced, non-deterministic 
-extremely useful when you are setting up time-bound, but periodic assessments 
+manner. It is extremely useful when you are setting up time-bound, but 
-of your infrastructure. Another related option is -q, which sets the initial 
+periodic assessments of your infrastructure. Another related option is -q, 
-random seed for the crawler to a specified value. This can be used to exactly 
+which sets the initial random seed for the crawler to a specified value. This 
-reproduce a previous scan to compare results. Randomness is relied upon most 
+can be used to exactly reproduce a previous scan to compare results. 
-heavily in the -p mode, but also for making a couple of other scan management 
+Randomness is relied upon most heavily in the -p mode, but also for making a 
-decisions elsewhere.
+couple of other scan management decisions elsewhere.
 Some particularly complex (or broken) services may involve a very high number 
 of identical or nearly identical pages. Although these occurrences are by 
-default grayed out in the report, they still use up some screen estate and take 
+default grayed out in the report, they still use up some screen estate and 
-a while to process on JavaScript level. In such extreme cases, you may use the 
+take a while to process on JavaScript level. In such extreme cases, you may 
-Q option to suppress reporting of duplicate nodes altogether, before the 
+use the -Q option to suppress reporting of duplicate nodes altogether, before 
-report is written. This may give you a less comprehensive understanding of how 
+the report is written. This may give you a less comprehensive understanding 
-the site is organized, but has no impact on test coverage.
+of how the site is organized, but has no impact on test coverage.
 In certain quick assessments, you might also have no interest in paying any 
 particular attention to the desired functionality of the site - hoping to 
-explore non-linked secrets only. In such a case, you may specify -P to inhibit 
+explore non-linked secrets only. In such a case, you may specify -P to 
-all HTML parsing. This limits the coverage and takes away the ability for the 
+inhibit all HTML parsing. This limits the coverage and takes away the ability 
-scanner to learn new keywords by looking at the HTML, but speeds up the test 
+for the scanner to learn new keywords by looking at the HTML, but speeds up 
-dramatically. Another similarly crippling option that reduces the risk of 
+the test dramatically. Another similarly crippling option that reduces the 
-persistent effects of a scan is -O, which inhibits all form parsing and 
+risk of persistent effects of a scan is -O, which inhibits all form parsing 
-submission steps.
+and submission steps.
 By default, skipfish complains loudly about all MIME or character set 
 mismatches on renderable documents, and classifies many of them as "medium 
 risk"; this is because, if any user-controlled content is returned, the 
 situation could lead to cross-site scripting attacks in certain browsers. On 
-some poorly designed and maintained sites, this may contribute too much noise; 
+some poorly designed and maintained sites, this may contribute too much 
-if so, you may use -J to mark these issues as "low risk" unless the scanner can 
+noise; if so, you may use -J to mark these issues as "low risk" unless the 
-explicitly sees its own user input being echoed back on the resulting page. 
+scanner can explicitly sees its own user input being echoed back on the 
-This may miss many subtle attack vectors, though.
+resulting page. This may miss many subtle attack vectors, though.
 Some sites that handle sensitive user data care about SSL - and about getting 
-it right. Skipfish may optionally assist you in figuring out problematic mixed 
+it right. Skipfish may optionally assist you in figuring out problematic 
-content scenarios - use the -M option to enable this. The scanner will complain 
+mixed content scenarios - use the -M option to enable this. The scanner will 
-about situations such as http:// scripts being loaded on https:// pages - but 
+complain about situations such as http:// scripts being loaded on https:// 
-will disregard non-risk scenarios such as images.
+pages - but will disregard non-risk scenarios such as images.
 Likewise, certain pedantic sites may care about cases where caching is 
 restricted on HTTP/1.1 level, but no explicit HTTP/1.0 caching directive is 
 given on specifying -E in the command-line causes skipfish to log all such 
 cases carefully.
-Lastly, in some assessments that involve self-contained sites without extensive 
+Lastly, in some assessments that involve self-contained sites without 
-user content, the auditor may care about any external e-mails or HTTP links 
+extensive user content, the auditor may care about any external e-mails or 
-seen, even if they have no immediate security impact. Use the -U option to have 
+HTTP links seen, even if they have no immediate security impact. Use the -U 
-these logged.
+option to have these logged.
 Dictionary management is a special topic, and - as mentioned - is covered in 
 more detail in dictionaries/README-FIRST. Please read that file before 
 proceeding. Some of the relevant options include -W to specify a custom 
 wordlist, -L to suppress auto-learning, -V to suppress dictionary updates, -G 
-to limit the keyword guess jar size, -R to drop old dictionary entries, and -Y 
+to limit the keyword guess jar size, -R to drop old dictionary entries, and 
-to inhibit expensive $keyword.$extension fuzzing.
+-Y to inhibit expensive $keyword.$extension fuzzing.
 Skipfish also features a form auto-completion mechanism in order to maximize 
 scan coverage. The values should be non-malicious, as they are not meant to 
-implement security checks - but rather, to get past input validation logic. You 
+implement security checks - but rather, to get past input validation logic. 
-can define additional rules, or override existing ones, with the -T option (-T 
+You can define additional rules, or override existing ones, with the -T 
-form_field_name=field_value, e.g. -T login=test123 -T password=test321 - 
+option (-T form_field_name=field_value, e.g. -T login=test123 -T 
-although note that -C and -A are a much better method of logging in).
+password=test321 - although note that -C and -A are a much better method of 
 logging in).
 There is also a handful of performance-related options. Use -g to set the 
 maximum number of connections to maintain, globally, to all targets (it is 
-sensible to keep this under 50 or so to avoid overwhelming the TCP/IP stack on 
+sensible to keep this under 50 or so to avoid overwhelming the TCP/IP stack 
-your system or on the nearby NAT / firewall devices); and -m to set the per-IP 
+on your system or on the nearby NAT / firewall devices); and -m to set the 
-limit (experiment a bit: 2-4 is usually good for localhost, 4-8 for local 
+per-IP limit (experiment a bit: 2-4 is usually good for localhost, 4-8 for 
-networks, 10-20 for external targets, 30+ for really lagged or non-keep-alive 
+local networks, 10-20 for external targets, 30+ for really lagged or 
-hosts). You can also use -w to set the I/O timeout (i.e., skipfish will wait 
+non-keep-alive hosts). You can also use -w to set the I/O timeout (i.e., 
-only so long for an individual read or write), and -t to set the total request 
+skipfish will wait only so long for an individual read or write), and -t to 
-timeout, to account for really slow or really fast sites.
+set the total request timeout, to account for really slow or really fast 
 sites.
 Lastly, -f controls the maximum number of consecutive HTTP errors you are 
 willing to see before aborting the scan; and -s sets the maximum length of a 
 response to fetch and parse (longer responses will be truncated).
-Further rate-limiting is available through third-party user mode tools such as
+Further rate-limiting is available through third-party user mode tools such 
-trickle, or kernel-level traffic shaping.
+as trickle, or kernel-level traffic shaping.
-Oh, and runtime stats can be suppressed with -u to run skipfish in quiet mode.
+Oh, and real-time scan statistics can be suppressed with -u.
 --------------------------------
-5. But seriously, how to run it?
+6. But seriously, how to run it?
 --------------------------------
 A standard, authenticated scan of a well-designed and self-contained site 
@ -407,52 +421,53 @@ issues):
 $ ./skipfish -MEU -C "AuthCookie=value" -X /logout.aspx -o output_dir \
  http://www.example.com/
-Five-connection crawl, but no brute-force; pretending to be MSIE, caring 
+Five-connection crawl, but no brute-force; pretending to be MSIE and caring 
-less about ambiguous MIME or character set mismatches, and trusting
+less about ambiguous MIME or character set mismatches, and trusting 
 example.com links:
 $ ./skipfish -m 5 -LVJ -W /dev/null -o output_dir -b ie -B example.com \
  http://www.example.com/
-Brute force only (no HTML link extraction), limited to a specific
+Brute force only (no HTML link extraction), limited to a single directory and 
-directory, timing out after 5 seconds:
+timing out after 5 seconds:
-$ ./skipfish -P -I http://www.example.com/dir1/ -O -o output_dir -t 5 \
+$ ./skipfish -P -I http://www.example.com/dir1/ -o output_dir -t 5 -I \
  http://www.example.com/dir1/
 For a short list of all command-line options, try ./skipfish -h.
 ----------------------------------------------------
-6. How to interpret and address the issues reported?
+7. How to interpret and address the issues reported?
 ----------------------------------------------------
-Most of the problems reported by skipfish should self-explanatory, assuming you 
+Most of the problems reported by skipfish should self-explanatory, assuming you
-have a good gasp of the fundamentals of web security. If you need a quick 
+have a good gasp of the fundamentals of web security. If you need a quick
-refresher on some of the more complicated topics, such as MIME sniffing, you 
+refresher on some of the more complicated topics, such as MIME sniffing, you
 may enjoy our comprehensive Browser Security Handbook as a starting point:
  http://code.google.com/p/browsersec/
-If you still need assistance, there are several organizations that put a 
+If you still need assistance, there are several organizations that put a
-considerable effort into documenting and explaining many of the common web 
+considerable effort into documenting and explaining many of the common web
-security threats, and advising the public on how to address them. I encourage 
+security threats, and advising the public on how to address them. I encourage
-you to refer to the materials published by OWASP and Web Application Security 
+you to refer to the materials published by OWASP and Web Application Security
 Consortium, amongst others:
  * http://www.owasp.org/index.php/Category:Principle
  * http://www.owasp.org/index.php/Category:OWASP_Guide_Project
  * http://www.webappsec.org/projects/articles/
-Although I am happy to diagnose problems with the scanner itself, I regrettably 
+Although I am happy to diagnose problems with the scanner itself, I regrettably
-cannot offer any assistance with the inner wokings of third-party web 
+cannot offer any assistance with the inner wokings of third-party web
 applications.
 ---------------------------------------
-7. Known limitations / feature wishlist
+8. Known limitations / feature wishlist
 ---------------------------------------
 Below is a list of features currently missing in skipfish. If you wish to 
-improve the tool by contributing code in one of these areas, please let me know:
+improve the tool by contributing code in one of these areas, please let me 
 know:
  * Buffer overflow checks: after careful consideration, I suspect there is 
    no reliable way to test for buffer overflows remotely. Much like the actual 
@ -468,24 +483,24 @@ improve the tool by contributing code in one of these areas, please let me know:
    problems seem to be largely addressed on browser level at this point, so
    they were much lower priority at the time of this writing. 
-  * Security checks and link extraction for third-party, plugin-based content 
+  * Security checks and link extraction for third-party, plugin-based 
-    (Flash, Java, PDF, etc). 
+    content (Flash, Java, PDF, etc). 
  * Password brute-force and numerical filename brute-force probes. 
  * Search engine integration (vhosts, starting paths). 
-  * More specific PHP tests (eval injection, RFI). 
+  * VIEWSTATE decoding. 
  * VIEWSTATE decoding.
  * NTLM and digest authentication. 
-  * Proxy support: somewhat incompatible with performance control features 
+  * More specific PHP tests (eval injection, RFI). 
    currently employed by skipfish; but in the long run, should be provided as
    a last-resort option. 
-  * Scan resume option.
+  * Proxy support: somewhat incompatible with performance control features 
    currently employed by skipfish; but in the long run, should be provided
    as a last-resort option. 
  * Scan resume option. 
  * Option to limit document sampling or save samples directly to disk. 
@ -493,16 +508,17 @@ improve the tool by contributing code in one of these areas, please let me know:
  * Config file support. 
-  * A database for banner / version checks?
+  * A database for banner / version checks? 
 -------------------------------------
-8. Oy! Something went horribly wrong!
+9. Oy! Something went horribly wrong!
 -------------------------------------
 There is no web crawler so good that there wouldn't be a web framework to one 
 day set it on fire. If you encounter what appears to be bad behavior (e.g., a 
-scan that takes forever and generates too many requests, completely bogus nodes 
+scan that takes forever and generates too many requests, completely bogus 
-in scan output, or outright crashes), please first check this page:
+nodes in scan output, or outright crashes), please first check our known 
 issues page:
  http://code.google.com/p/skipfish/wiki/KnownIssues
@ -526,12 +542,12 @@ $ gdb --batch -ex back ./skipfish core
 ...and be sure to send the author the output of that last command as well.
-----------------------
+------------------------
-9. Credits and feedback
+10. Credits and feedback
-----------------------
+------------------------
-Skipfish is made possible thanks to the contributions of, and valuable feedback 
+Skipfish is made possible thanks to the contributions of, and valuable 
-from, Google's information security engineering team.
+feedback from, Google's information security engineering team.
-If you have any bug reports, questions, suggestions, or concerns regarding the 
+If you have any bug reports, questions, suggestions, or concerns regarding 
-application, the author can be reached at lcamtuf@google.com. 
+the application, the author can be reached at lcamtuf@google.com. 
--- a/config.h
+++ b/config.h
@ -70,7 +70,8 @@
 /* Configurable settings for crawl database (cmdline override): */
 #define MAX_DEPTH       16              /* Maximum crawl tree depth        */
-#define MAX_CHILDREN    1024            /* Maximum children per tree node  */
+#define MAX_CHILDREN    512             /* Maximum children per tree node  */
 #define MAX_DESCENDANTS 8192            /* Maximum descendants per branch  */
 #define MAX_SAMENAME    3               /* Identically named path nodes    */
 /* Crawl / analysis constants: */
--- a/crawler.c
+++ b/crawler.c
@ -1654,7 +1654,7 @@ static void crawl_par_numerical_init(struct pivot_desc* pv) {
  DEBUG_HELPER(pv);
-  if (pv->child_cnt >= max_children) goto schedule_next;
+  if (!descendants_ok(pv)) goto schedule_next;
  /* Skip to the first digit, then to first non-digit. */
@ -1754,7 +1754,7 @@ static u8 par_numerical_callback(struct http_request* req,
        !((is_c_sens(req->pivot) ? strcmp : strcasecmp)((char*)TPAR(req),
        (char*)req->pivot->child[i]->name))) goto schedule_next;
-  if (req->pivot->child_cnt >= max_children) goto schedule_next;
+  if (!descendants_ok(req->pivot)) goto schedule_next;
  /* Hmm, looks like we're onto something. Let's manually create a dummy
     pivot and attach it to current node, without any activity planned.
@ -1777,6 +1777,8 @@ static u8 par_numerical_callback(struct http_request* req,
  req->pivot->child[req->pivot->child_cnt++] = n;
  add_descendant(req->pivot);
  req->pivot = n;
  RESP_CHECKS(req, res);
@ -1814,7 +1816,7 @@ static void crawl_par_dict_init(struct pivot_desc* pv) {
 restart_dict:
-  if (pv->child_cnt >= max_children) {
+  if (!descendants_ok(pv)) {
    crawl_par_trylist_init(pv);
    return;
  }
@ -1945,7 +1947,7 @@ static u8 par_dict_callback(struct http_request* req,
        !((is_c_sens(req->pivot) ? strcmp : strcasecmp)((char*)TPAR(req),
        (char*)req->pivot->child[i]->name))) goto schedule_next;
-  if (req->pivot->child_cnt >= max_children) goto schedule_next;
+  if (!descendants_ok(req->pivot)) goto schedule_next;
  n = ck_alloc(sizeof(struct pivot_desc));
@ -1963,6 +1965,9 @@ static u8 par_dict_callback(struct http_request* req,
                                 * sizeof(struct pivot_desc*));
  req->pivot->child[req->pivot->child_cnt++] = n;
  add_descendant(req->pivot);
  req->pivot = n;
  keep = 1;
@ -1992,7 +1997,7 @@ void crawl_par_trylist_init(struct pivot_desc* pv) {
     no point in going through the try list if restarted. */
  if (pv->fuzz_par == -1 || pv->bogus_par || pv->res_varies
-      || pv->child_cnt >= max_children) {
+      || !descendants_ok(pv)) {
    pv->state = PSTATE_DONE;
    return;
  } else
@ -2078,7 +2083,7 @@ static u8 par_trylist_callback(struct http_request* req,
        !((is_c_sens(req->pivot) ? strcmp : strcasecmp)((char*)TPAR(req),
        (char*)req->pivot->child[i]->name))) goto schedule_next;
-  if (req->pivot->child_cnt >= max_children) goto schedule_next;
+  if (!descendants_ok(req->pivot)) goto schedule_next;
  n = ck_alloc(sizeof(struct pivot_desc));
@ -2096,6 +2101,9 @@ static u8 par_trylist_callback(struct http_request* req,
                                 * sizeof(struct pivot_desc*));
  req->pivot->child[req->pivot->child_cnt++] = n;
  add_descendant(req->pivot);
  req->pivot = n;
  RESP_CHECKS(req, res);
@ -2634,7 +2642,7 @@ static void crawl_dir_dict_init(struct pivot_desc* pv) {
  if (in_dict_init || pv->pending > DICT_BATCH || pv->state != PSTATE_CHILD_DICT)
    return;
-  if (pv->child_cnt >= max_children) {
+  if (!descendants_ok(pv)) {
    crawl_parametric_init(pv);
    return;
  }
--- a/database.c
+++ b/database.c
@ -52,9 +52,10 @@ u32 num_deny_urls,
    num_trust_domains,
    num_skip_params;
-u32 max_depth    = MAX_DEPTH,
+u32 max_depth       = MAX_DEPTH,
-    max_children = MAX_CHILDREN,
+    max_children    = MAX_CHILDREN,
-    max_guesses  = MAX_GUESSES;
+    max_descendants = MAX_DESCENDANTS,
    max_guesses     = MAX_GUESSES;
 u8  dont_add_words;                     /* No auto dictionary building     */
@ -84,6 +85,31 @@ static u32 cur_xss_id, scan_id;         /* Stored XSS manager IDs          */
 static struct http_request** xss_req;   /* Stored XSS manager req cache    */
 /* Checks descendant counts. */
 u8 descendants_ok(struct pivot_desc* pv) {
  if (pv->child_cnt > max_children) return 0;
  while (pv) {
    if (pv->desc_cnt > max_descendants) return 0;
    pv = pv->parent;
  }
  return 1;
 }
 void add_descendant(struct pivot_desc* pv) {
  while (pv) {
    pv->desc_cnt++;
    pv = pv->parent;
  }
 }
 /* Maps a parsed URL (in req) to the pivot tree, creating or modifying nodes
   as necessary, and scheduling them for crawl. This should be called only
   on requests that were *not* yet retrieved. */
@ -167,6 +193,8 @@ void maybe_add_pivot(struct http_request* req, struct http_response* res,
    root_pivot.child[root_pivot.child_cnt++] = cur;
    add_descendant(&root_pivot);
    cur->type     = PIVOT_SERV;
    cur->state    = PSTATE_FETCH;
    cur->linked   = 2;
@ -234,7 +262,7 @@ void maybe_add_pivot(struct http_request* req, struct http_response* res,
      /* Enforce user limits. */
-      if ((i + 1) >= max_depth || cur->child_cnt > max_children) {
+      if ((i + 1) >= max_depth || !descendants_ok(cur)) {
        problem(PROB_LIMITS, req, res, (u8*)"Child node limit exceeded", cur, 
                0);
        return;
@ -261,6 +289,8 @@ void maybe_add_pivot(struct http_request* req, struct http_response* res,
      cur->child[cur->child_cnt++] = n;
      add_descendant(cur);
      n->parent  = cur;
      n->linked  = via_link;
      n->name    = ck_strdup(pname);
@ -427,7 +457,7 @@ void maybe_add_pivot(struct http_request* req, struct http_response* res,
      /* Enforce user limits. */
-      if (cur->child_cnt > max_children) {
+      if (!descendants_ok(cur)) {
        problem(PROB_LIMITS, req, res, (u8*)"Child node limit exceeded", cur, 0);
        return;
      }
@ -441,6 +471,8 @@ void maybe_add_pivot(struct http_request* req, struct http_response* res,
      cur->child[cur->child_cnt++] = n;
      add_descendant(cur);
      n->parent  = cur;
      n->type    = PIVOT_PARAM;
      n->linked  = via_link;
@ -1236,8 +1268,9 @@ void dump_pivots(struct pivot_desc* cur, u8 nest) {
  }
  SAY(cGRA "%sFlags    : " cNOR "linked %u, case %u/%u, fuzz_par %d, ips %u, "
-      "sigs %u, reqs %u\n", indent, cur->linked, cur->csens, cur->c_checked,
+      "sigs %u, reqs %u, desc %u/%u\n", indent, cur->linked, cur->csens, cur->c_checked,
-      cur->fuzz_par, cur->uses_ips, cur->r404_cnt, cur->pending);
+      cur->fuzz_par, cur->uses_ips, cur->r404_cnt, cur->pending, cur->child_cnt,
      cur->desc_cnt);
  if (cur->req) {
    url = serialize_path(cur->req, 1, 0);
--- a/database.h
+++ b/database.h
@ -96,6 +96,7 @@ struct pivot_desc {
  struct pivot_desc* parent;                    /* Parent pivot, if any      */
  struct pivot_desc** child;                    /* List of children          */
  u32 child_cnt;                                /* Number of children        */
  u32 desc_cnt;                                 /* Number of descendants     */
  struct issue_desc* issue;                     /* List of issues found      */
  u32 issue_cnt;                                /* Number of issues          */
@ -153,6 +154,14 @@ struct pivot_desc {
 extern struct pivot_desc root_pivot;
 /* Checks child / descendant limits. */
 u8 descendants_ok(struct pivot_desc* pv);
 /* Increases descendant count. */
 void add_descendant(struct pivot_desc* pv);
 /* Maps a parsed URL (in req) to the pivot tree, creating or modifying nodes
   as necessary, and scheduling them for crawl; via_link should be 1 if the
   URL came from an explicit link or user input, 0 if brute-forced.
@ -332,6 +341,7 @@ extern u32 num_deny_urls,
 extern u32 max_depth,
           max_children,
           max_descendants,
           max_trylist,
           max_guesses;
--- a/skipfish.1
+++ b/skipfish.1
@ -40,7 +40,10 @@ do not accept any new cookies
 maximum crawl tree depth (default: 16)
 .TP
 .B \-c max_child
-maximum children to index per node (default: 1024)
+maximum children to index per node (default: 512)
 .TP
 .B \-x max_desc
 maximum descendants to index per crawl tree branch (default: 8192)
 .TP
 .B \-r r_limit
 max total number of requests to send (default: 100000000)
--- a/skipfish.c
+++ b/skipfish.c
@ -89,6 +89,7 @@ static void usage(char* argv0) {
      "  -d max_depth   - maximum crawl tree depth (%u)\n"
      "  -c max_child   - maximum children to index per node (%u)\n"
      "  -x max_desc    - maximum descendants to index per branch (%u)\n"
      "  -r r_limit     - max total number of requests to send (%u)\n"
      "  -p crawl%%      - node and link crawl probability (100%%)\n"
      "  -q hex         - repeat probabilistic scan with given seed\n"
@ -133,9 +134,9 @@ static void usage(char* argv0) {
      "  -s s_limit     - response size limit (%u B)\n\n"
      "Send comments and complaints to <lcamtuf@google.com>.\n", argv0,
-      max_depth, max_children, max_requests, DEF_WORDLIST, MAX_GUESSES,
+      max_depth, max_children, max_descendants, max_requests, DEF_WORDLIST,
-      max_connections, max_conn_host, max_fail, resp_tmout, rw_tmout,
+      MAX_GUESSES, max_connections, max_conn_host, max_fail, resp_tmout,
-      idle_tmout, size_limit);
+      rw_tmout, idle_tmout, size_limit);
  exit(1);
 }
@ -214,7 +215,7 @@ int main(int argc, char** argv) {
  SAY("skipfish version " VERSION " by <lcamtuf@google.com>\n");
  while ((opt = getopt(argc, argv,
-          "+A:F:C:H:b:Nd:c:r:p:I:X:S:D:PJOYQMZUEK:W:LVT:G:R:B:q:g:m:f:t:w:i:s:o:hu")) > 0)
+          "+A:F:C:H:b:Nd:c:x:r:p:I:X:S:D:PJOYQMZUEK:W:LVT:G:R:B:q:g:m:f:t:w:i:s:o:hu")) > 0)
    switch (opt) {
@ -362,6 +363,11 @@ int main(int argc, char** argv) {
        if (!max_children) FATAL("Invalid value '%s'.", optarg);
        break;
      case 'x':
        max_descendants = atoi(optarg);
        if (!max_descendants) FATAL("Invalid value '%s'.", optarg);
        break;
      case 'p':
        crawl_prob = atoi(optarg);
        if (!crawl_prob) FATAL("Invalid value '%s'.", optarg);