1.58b: Descendant limit checks added.
This commit is contained in:
parent
768867c93b
commit
42d17c7921
|
@ -1,3 +1,8 @@
|
||||||
|
Version 1.58b:
|
||||||
|
--------------
|
||||||
|
|
||||||
|
- Descendant limit checks added.
|
||||||
|
|
||||||
Version 1.57b:
|
Version 1.57b:
|
||||||
--------------
|
--------------
|
||||||
|
|
||||||
|
|
2
Makefile
2
Makefile
|
@ -20,7 +20,7 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
PROGNAME = skipfish
|
PROGNAME = skipfish
|
||||||
VERSION = 1.57b
|
VERSION = 1.58b
|
||||||
|
|
||||||
OBJFILES = http_client.c database.c crawler.c analysis.c report.c
|
OBJFILES = http_client.c database.c crawler.c analysis.c report.c
|
||||||
INCFILES = alloc-inl.h string-inl.h debug.h types.h http_client.h \
|
INCFILES = alloc-inl.h string-inl.h debug.h types.h http_client.h \
|
||||||
|
|
530
README
530
README
|
@ -6,249 +6,259 @@ skipfish - web application security scanner
|
||||||
|
|
||||||
* Written and maintained by Michal Zalewski <lcamtuf@google.com>.
|
* Written and maintained by Michal Zalewski <lcamtuf@google.com>.
|
||||||
* Copyright 2009, 2010 Google Inc, rights reserved.
|
* Copyright 2009, 2010 Google Inc, rights reserved.
|
||||||
* Released under terms and conditions of the Apache License, version 2.0.
|
* Released under terms and conditions of the Apache License, version 2.0.
|
||||||
|
|
||||||
--------------------
|
--------------------
|
||||||
1. What is skipfish?
|
1. What is skipfish?
|
||||||
--------------------
|
--------------------
|
||||||
|
|
||||||
Skipfish is an active web application security reconnaissance tool. It prepares
|
Skipfish is an active web application security reconnaissance tool. It
|
||||||
an interactive sitemap for the targeted site by carrying out a recursive crawl
|
prepares an interactive sitemap for the targeted site by carrying out a
|
||||||
and dictionary-based probes. The resulting map is then annotated with the
|
recursive crawl and dictionary-based probes. The resulting map is then
|
||||||
output from a number of active (but hopefully non-disruptive) security checks.
|
annotated with the output from a number of active (but hopefully
|
||||||
The final report generated by the tool is meant to serve as a foundation for
|
non-disruptive) security checks. The final report generated by the tool is
|
||||||
professional web application security assessments.
|
meant to serve as a foundation for professional web application security
|
||||||
Why should I bother with this particular tool?
|
assessments.
|
||||||
|
|
||||||
|
-------------------------------------------------
|
||||||
|
2. Why should I bother with this particular tool?
|
||||||
|
-------------------------------------------------
|
||||||
|
|
||||||
A number of commercial and open source tools with analogous functionality is
|
A number of commercial and open source tools with analogous functionality is
|
||||||
readily available (e.g., Nikto, Nessus); stick to the one that suits you best.
|
readily available (e.g., Nikto, Nessus); stick to the one that suits you
|
||||||
That said, skipfish tries to address some of the common problems associated
|
best. That said, skipfish tries to address some of the common problems
|
||||||
with web security scanners. Specific advantages include:
|
associated with web security scanners. Specific advantages include:
|
||||||
|
|
||||||
* High performance: 500+ requests per second against responsive Internet
|
* High performance: 500+ requests per second against responsive Internet
|
||||||
targets, 2000+ requests per second on LAN / MAN networks, and 7000+ requests
|
targets, 2000+ requests per second on LAN / MAN networks, and 7000+ requests
|
||||||
against local instances has been observed, with a very modest CPU, network,
|
against local instances have been observed, with a very modest CPU, network,
|
||||||
and memory footprint. This can be attributed to:
|
and memory footprint. This can be attributed to:
|
||||||
|
|
||||||
- Multiplexing single-thread, fully asynchronous network I/O and data
|
* Multiplexing single-thread, fully asynchronous network I/O and data
|
||||||
processing model that eliminates memory management, scheduling, and IPC
|
processing model that eliminates memory management, scheduling, and IPC
|
||||||
inefficiencies present in some multi-threaded clients.
|
inefficiencies present in some multi-threaded clients.
|
||||||
|
|
||||||
- Advanced HTTP/1.1 features such as range requests, content
|
* Advanced HTTP/1.1 features such as range requests, content compression,
|
||||||
compression, and keep-alive connections, as well as forced response size
|
and keep-alive connections, as well as forced response size limiting, to
|
||||||
limiting, to keep network-level overhead in check.
|
keep network-level overhead in check.
|
||||||
|
|
||||||
- Smart response caching and advanced server behavior heuristics are
|
* Smart response caching and advanced server behavior heuristics are used to
|
||||||
used to minimize unnecessary traffic.
|
minimize unnecessary traffic.
|
||||||
|
|
||||||
- Performance-oriented, pure C implementation, including a custom
|
* Performance-oriented, pure C implementation, including a custom
|
||||||
HTTP stack.
|
HTTP stack.
|
||||||
|
|
||||||
* Ease of use: skipfish is highly adaptive and reliable. The scanner
|
* Ease of use: skipfish is highly adaptive and reliable. The scanner features:
|
||||||
features:
|
|
||||||
|
|
||||||
- Heuristic recognition of obscure path- and query-based parameter
|
* Heuristic recognition of obscure path- and query-based parameter handling
|
||||||
handling schemes.
|
schemes.
|
||||||
|
|
||||||
- Graceful handling of multi-framework sites where certain paths obey
|
* Graceful handling of multi-framework sites where certain paths obey
|
||||||
a completely different semantics, or are subject to different filtering
|
completely different semantics, or are subject to different filtering
|
||||||
rules.
|
rules.
|
||||||
|
|
||||||
- Automatic wordlist construction based on site content analysis.
|
* Automatic wordlist construction based on site content analysis.
|
||||||
|
|
||||||
- Probabilistic scanning features to allow periodic, time-bound
|
* Probabilistic scanning features to allow periodic, time-bound assessments
|
||||||
assessments of arbitrarily complex sites.
|
of arbitrarily complex sites.
|
||||||
|
|
||||||
* Well-designed security checks: the tool is meant to provide accurate and
|
* Well-designed security checks: the tool is meant to provide accurate
|
||||||
meaningful results:
|
and meaningful results:
|
||||||
|
|
||||||
- Three-step differential probes are preferred to signature checks
|
* Handcrafted dictionaries offer excellent coverage and permit thorough
|
||||||
for detecting vulnerabilities.
|
$keyword.$extension testing in a reasonable timeframe.
|
||||||
|
|
||||||
- Ratproxy-style logic is used to spot subtle security problems:
|
* Three-step differential probes are preferred to signature checks for
|
||||||
cross-site request forgery, cross-site script inclusion, mixed content,
|
detecting vulnerabilities.
|
||||||
issues MIME- and charset mismatches, incorrect caching directive, etc.
|
|
||||||
|
|
||||||
- Bundled security checks are designed to handle tricky scenarios:
|
* Ratproxy-style logic is used to spot subtle security problems:
|
||||||
stored XSS (path, parameters, headers), blind SQL or XML injection, or
|
cross-site request forgery, cross-site script inclusion, mixed content,
|
||||||
blind shell injection.
|
issues, MIME- and charset mismatches, incorrect caching directives, etc.
|
||||||
|
|
||||||
- Report post-processing drastically reduces the noise caused by any
|
* Bundled security checks are designed to handle tricky scenarios:
|
||||||
remaining false positives or server gimmicks by identifying repetitive
|
stored XSS (path, parameters, headers), blind SQL or XML injection,
|
||||||
patterns.
|
or blind shell injection.
|
||||||
|
|
||||||
|
* Report post-processing drastically reduces the noise caused by any
|
||||||
|
remaining false positives or server gimmicks by identifying repetitive
|
||||||
|
patterns.
|
||||||
|
|
||||||
That said, skipfish is not a silver bullet, and may be unsuitable for certain
|
That said, skipfish is not a silver bullet, and may be unsuitable for certain
|
||||||
purposes. For example, it does not satisfy most of the requirements outlined in
|
purposes. For example, it does not satisfy most of the requirements outlined
|
||||||
WASC Web Application Security Scanner Evaluation Criteria (some of them on
|
in WASC Web Application Security Scanner Evaluation Criteria (some of them on
|
||||||
purpose, some out of necessity); and unlike most other projects of this type,
|
purpose, some out of necessity); and unlike most other projects of this type,
|
||||||
it does not come with an extensive database of known vulnerabilities for
|
it does not come with an extensive database of known vulnerabilities for
|
||||||
banner-type checks.
|
banner-type checks.
|
||||||
|
|
||||||
-----------------------------------------------------
|
-----------------------------------------------------
|
||||||
2. Most curious! What specific tests are implemented?
|
3. Most curious! What specific tests are implemented?
|
||||||
-----------------------------------------------------
|
-----------------------------------------------------
|
||||||
|
|
||||||
A rough list of the security checks offered by the tool is outlined below.
|
A rough list of the security checks offered by the tool is outlined below.
|
||||||
|
|
||||||
* High risk flaws (potentially leading to system compromise):
|
* High risk flaws (potentially leading to system compromise):
|
||||||
|
|
||||||
- Server-side SQL injection (including blind vectors, numerical
|
* Server-side SQL injection (including blind vectors, numerical parameters).
|
||||||
parameters).
|
* Explicit SQL-like syntax in GET or POST parameters.
|
||||||
- Explicit SQL-like syntax in GET or POST parameters.
|
* Server-side shell command injection (including blind vectors).
|
||||||
- Server-side shell command injection (including blind vectors).
|
* Server-side XML / XPath injection (including blind vectors).
|
||||||
- Server-side XML / XPath injection (including blind vectors).
|
* Format string vulnerabilities.
|
||||||
- Format string vulnerabilities.
|
* Integer overflow vulnerabilities.
|
||||||
- Integer overflow vulnerabilities.
|
* Locations accepting HTTP PUT.
|
||||||
- Locations accepting HTTP PUT.
|
|
||||||
|
|
||||||
* Medium risk flaws (potentially leading to data compromise):
|
* Medium risk flaws (potentially leading to data compromise):
|
||||||
|
|
||||||
- Stored and reflected XSS vectors in document body (minimal JS XSS
|
* Stored and reflected XSS vectors in document body (minimal JS XSS support).
|
||||||
support present).
|
* Stored and reflected XSS vectors via HTTP redirects.
|
||||||
- Stored and reflected XSS vectors via HTTP redirects.
|
* Stored and reflected XSS vectors via HTTP header splitting.
|
||||||
- Stored and reflected XSS vectors via HTTP header splitting.
|
* Directory traversal (including constrained vectors).
|
||||||
- Directory traversal (including constrained vectors).
|
* Assorted file POIs (server-side sources, configs, etc).
|
||||||
- Assorted file POIs (server-side sources, configs, etc).
|
* Attacker-supplied script and CSS inclusion vectors (stored and reflected).
|
||||||
- Attacker-supplied script and CSS inclusion vectors (stored and
|
* External untrusted script and CSS inclusion vectors.
|
||||||
reflected).
|
* Mixed content problems on script and CSS resources (optional).
|
||||||
- External untrusted script and CSS inclusion vectors.
|
* Incorrect or missing MIME types on renderables.
|
||||||
- Mixed content problems on script and CSS resources (optional).
|
* Generic MIME types on renderables.
|
||||||
- Incorrect or missing MIME types on renderables.
|
* Incorrect or missing charsets on renderables.
|
||||||
- Generic MIME types on renderables.
|
* Conflicting MIME / charset info on renderables.
|
||||||
- Incorrect or missing charsets on renderables.
|
* Bad caching directives on cookie setting responses.
|
||||||
- Conflicting MIME / charset info on renderables.
|
|
||||||
- Bad caching directives on cookie setting responses.
|
|
||||||
|
|
||||||
* Low risk issues (limited impact or low specificity):
|
* Low risk issues (limited impact or low specificity):
|
||||||
|
|
||||||
- Directory listing bypass vectors.
|
* Directory listing bypass vectors.
|
||||||
- Redirection to attacker-supplied URLs (stored and reflected).
|
* Redirection to attacker-supplied URLs (stored and reflected).
|
||||||
- Attacker-supplied embedded content (stored and reflected).
|
* Attacker-supplied embedded content (stored and reflected).
|
||||||
- External untrusted embedded content.
|
* External untrusted embedded content.
|
||||||
- Mixed content on non-scriptable subresources (optional).
|
* Mixed content on non-scriptable subresources (optional).
|
||||||
- HTTP credentials in URLs.
|
* HTTP credentials in URLs.
|
||||||
- Expired or not-yet-valid SSL certificates.
|
* Expired or not-yet-valid SSL certificates.
|
||||||
- HTML forms with no XSRF protection.
|
* HTML forms with no XSRF protection.
|
||||||
- Self-signed SSL certificates.
|
* Self-signed SSL certificates.
|
||||||
- SSL certificate host name mismatches.
|
* SSL certificate host name mismatches.
|
||||||
- Bad caching directives on less sensitive content.
|
* Bad caching directives on less sensitive content.
|
||||||
|
|
||||||
* Internal warnings:
|
* Internal warnings:
|
||||||
|
|
||||||
- Failed resource fetch attempts.
|
* Failed resource fetch attempts.
|
||||||
- Exceeded crawl limits.
|
* Exceeded crawl limits.
|
||||||
- Failed 404 behavior checks.
|
* Failed 404 behavior checks.
|
||||||
- IPS filtering detected.
|
* IPS filtering detected.
|
||||||
- Unexpected response variations.
|
* Unexpected response variations.
|
||||||
- Seemingly misclassified crawl nodes.
|
* Seemingly misclassified crawl nodes.
|
||||||
|
|
||||||
* Non-specific informational entries:
|
* Non-specific informational entries:
|
||||||
|
|
||||||
- General SSL certificate information.
|
* General SSL certificate information.
|
||||||
- Significantly changing HTTP cookies.
|
* Significantly changing HTTP cookies.
|
||||||
- Changing Server, Via, or X-... headers.
|
* Changing Server, Via, or X-... headers.
|
||||||
- New 404 signatures.
|
* New 404 signatures.
|
||||||
- Resources that cannot be accessed.
|
* Resources that cannot be accessed.
|
||||||
- Resources requiring HTTP authentication.
|
* Resources requiring HTTP authentication.
|
||||||
- Broken links.
|
* Broken links.
|
||||||
- Server errors.
|
* Server errors.
|
||||||
- All external links not classified otherwise (optional).
|
* All external links not classified otherwise (optional).
|
||||||
- All external e-mails (optional).
|
* All external e-mails (optional).
|
||||||
- All external URL redirectors (optional).
|
* All external URL redirectors (optional).
|
||||||
- Links to unknown protocols.
|
* Links to unknown protocols.
|
||||||
- Form fields that could not be autocompleted.
|
* Form fields that could not be autocompleted.
|
||||||
- Password entry forms (for external brute-force).
|
* Password entry forms (for external brute-force).
|
||||||
- File upload forms.
|
* File upload forms.
|
||||||
- All other HTML forms detected.
|
* Other HTML forms (not classified otherwise).
|
||||||
- Numerical file names (for external brute-force).
|
* Numerical file names (for external brute-force).
|
||||||
- User-supplied links otherwise rendered on a page.
|
* User-supplied links otherwise rendered on a page.
|
||||||
- Incorrect or missing MIME type on less significant content.
|
* Incorrect or missing MIME type on less significant content.
|
||||||
- Generic MIME type on less significant content.
|
* Generic MIME type on less significant content.
|
||||||
- Incorrect or missing charset on less significant content.
|
* Incorrect or missing charset on less significant content.
|
||||||
- Conflicting MIME / charset information on less significant content.
|
* Conflicting MIME / charset information on less significant content.
|
||||||
- OGNL-like parameter passing conventions.
|
* OGNL-like parameter passing conventions.
|
||||||
|
|
||||||
Along with a list of identified issues, skipfish also provides summary
|
Along with a list of identified issues, skipfish also provides summary
|
||||||
overviews of document types and issue types found; and an interactive sitemap,
|
overviews of document types and issue types found; and an interactive
|
||||||
with nodes discovered through brute-force denoted in a distinctive way.
|
sitemap, with nodes discovered through brute-force denoted in a distinctive
|
||||||
|
way.
|
||||||
|
|
||||||
NOTE: As a conscious design decision, skipfish will not redundantly complain
|
NOTE: As a conscious design decision, skipfish will not redundantly complain
|
||||||
about highly non-specific issues, including but not limited to:
|
about highly non-specific issues, including but not limited to:
|
||||||
|
|
||||||
* Non-`httponly` cookies,
|
* Non-httponly or non-secure cookies,
|
||||||
* Non-HTTPS or `autocomplete`-enabled forms,
|
* Non-HTTPS or autocomplete-enabled forms,
|
||||||
* HTML comments detected on a page,
|
* HTML comments detected on a page,
|
||||||
* Filesystem path disclosure in error messages,
|
* Filesystem path disclosure in error messages,
|
||||||
* Server or framework version disclosure,
|
* Server or framework version disclosure,
|
||||||
* Mere presence of certain technologies, such as WebDAV.
|
* Servers supporting TRACE or OPTIONS requests,
|
||||||
|
* Mere presence of certain technologies, such as WebDAV.
|
||||||
|
|
||||||
Most of these aspects are easy to inspect in a report if so desired - for
|
Most of these aspects are easy to inspect in a report if so desired - for
|
||||||
example, all the HTML forms are listed separately, so are new cookies or
|
example, all the HTML forms are listed separately, so are new cookies or
|
||||||
interesting HTTP headers - and the expectation is that the auditor may opt to
|
interesting HTTP headers - and the expectation is that the auditor may opt to
|
||||||
make certain design recommendations based on this data where appropriate. That
|
make certain design recommendations based on this data where appropriate.
|
||||||
said, these occurrences are not highlighted as a specific security flaw.
|
That said, these occurrences are not highlighted as a specific security flaw.
|
||||||
|
|
||||||
-----------------------------------------------------------
|
-----------------------------------------------------------
|
||||||
3. All right, I want to try it out. What do I need to know?
|
4. All right, I want to try it out. What do I need to know?
|
||||||
-----------------------------------------------------------
|
-----------------------------------------------------------
|
||||||
|
|
||||||
First and foremost, please do not be evil. Use skipfish only against services
|
First and foremost, please do not be evil. Use skipfish only against services
|
||||||
you own, or have permission to test.
|
you own, or have permission to test.
|
||||||
|
|
||||||
Keep in mind that all types of security testing can be disruptive. Although the
|
Keep in mind that all types of security testing can be disruptive. Although
|
||||||
scanner is designed not to carry out malicious attacks, it may accidentally
|
the scanner is designed not to carry out malicious attacks, it may
|
||||||
interfere with the operations of the site. You must accept the risk, and plan
|
accidentally interfere with the operations of the site. You must accept the
|
||||||
accordingly. Run the scanner against test instances where feasible, and be
|
risk, and plan accordingly. Run the scanner against test instances where
|
||||||
prepared to deal with the consequences if things go wrong.
|
feasible, and be prepared to deal with the consequences if things go wrong.
|
||||||
|
|
||||||
Also note that the tool is meant to be used by security professionals, and is
|
Also note that the tool is meant to be used by security professionals, and is
|
||||||
experimental in nature. It may return false positives or miss obvious security
|
experimental in nature. It may return false positives or miss obvious
|
||||||
problems - and even when it operates perfectly, it is simply not meant to be a
|
security problems - and even when it operates perfectly, it is simply not
|
||||||
point-and-click application. Do not rely on its output at face value.
|
meant to be a point-and-click application. Do not take its output at face
|
||||||
|
value.
|
||||||
|
|
||||||
Running the tool against vendor-supplied demo sites is not a good way to
|
Running the tool against vendor-supplied demo sites is not a good way to
|
||||||
evaluate it, as they usually approximate vulnerabilities very imperfectly; we
|
evaluate it, as they usually approximate vulnerabilities very imperfectly; we
|
||||||
made no effort to accommodate these cases.
|
made no effort to accommodate these cases.
|
||||||
|
|
||||||
Lastly, the scanner is simply not designed for dealing with rogue and
|
Lastly, the scanner is simply not designed for dealing with rogue and
|
||||||
misbehaving HTTP servers - and offers no guarantees of safe (or sane) behavior
|
misbehaving HTTP servers - and offers no guarantees of safe (or sane)
|
||||||
there.
|
behavior there.
|
||||||
|
|
||||||
--------------------------
|
--------------------------
|
||||||
4. How to run the scanner?
|
5. How to run the scanner?
|
||||||
--------------------------
|
--------------------------
|
||||||
|
|
||||||
To compile it, simply unpack the archive and try make. Chances are, you will
|
To compile it, simply unpack the archive and try make. Chances are, you will
|
||||||
need to install libidn first.
|
need to install libidn first.
|
||||||
|
|
||||||
Next, you need to copy the desired dictionary file from dictionaries/ to
|
Next, you need to copy the desired dictionary file from dictionaries/ to
|
||||||
skipfish.wl. Please read dictionaries/README-FIRST carefully to make the right
|
skipfish.wl. Please read dictionaries/README-FIRST carefully to make the
|
||||||
choice. This step has a profound impact on the quality of scan results later on.
|
right choice. This step has a profound impact on the quality of scan results
|
||||||
|
later on.
|
||||||
|
|
||||||
Once you have the dictionary selected, you can try:
|
Once you have the dictionary selected, you can try:
|
||||||
|
|
||||||
$ ./skipfish -o output_dir http://www.example.com/some/starting/path.txt
|
$ ./skipfish -o output_dir http://www.example.com/some/starting/path.txt
|
||||||
|
|
||||||
Note that you can provide more than one starting URL if so desired; all of them
|
Note that you can provide more than one starting URL if so desired; all of
|
||||||
will be crawled.
|
them will be crawled.
|
||||||
|
|
||||||
The tool will display some helpful stats while the scan is in progress. You
|
The tool will display some helpful stats while the scan is in progress. You
|
||||||
can also switch to a list of in-flight HTTP requests by pressing return.
|
can also switch to a list of in-flight HTTP requests by pressing return.
|
||||||
|
|
||||||
In the example above, skipfish will scan the entire www.example.com (including
|
In the example above, skipfish will scan the entire www.example.com
|
||||||
services on other ports, if linked to from the main page), and write a report
|
(including services on other ports, if linked to from the main page), and
|
||||||
to output_dir/index.html. You can then view this report with your favorite
|
write a report to output_dir/index.html. You can then view this report with
|
||||||
browser (JavaScript must be enabled). The index.html file is static; actual
|
your favorite browser (JavaScript must be enabled; and because of recent
|
||||||
results are stored as a hierarchy of JSON files, suitable for machine
|
file:/// security improvements in certain browsers, you might need to access
|
||||||
processing if needs be.
|
results over HTTP). The index.html file is static; actual results are stored
|
||||||
|
as a hierarchy of JSON files, suitable for machine processing or different
|
||||||
|
presentation frontends if needs be.
|
||||||
|
|
||||||
Some sites may require authentication; for simple HTTP credentials, you can try:
|
Some sites may require authentication; for simple HTTP credentials, you can
|
||||||
|
try:
|
||||||
|
|
||||||
$ ./skipfish -A user:pass ...other parameters...
|
$ ./skipfish -A user:pass ...other parameters...
|
||||||
|
|
||||||
Alternatively, if the site relies on HTTP cookies instead, log in in your
|
Alternatively, if the site relies on HTTP cookies instead, log in in your
|
||||||
browser or using a simple curl script, and then provide skipfish with a session
|
browser or using a simple curl script, and then provide skipfish with a
|
||||||
cookie:
|
session cookie:
|
||||||
|
|
||||||
$ ./skipfish -C name=val ...other parameters...
|
$ ./skipfish -C name=val ...other parameters...
|
||||||
|
|
||||||
|
@ -263,20 +273,20 @@ $ ./skipfish -X /logout/logout.aspx ...other parameters...
|
||||||
|
|
||||||
The -X option is also useful for speeding up your scans by excluding /icons/,
|
The -X option is also useful for speeding up your scans by excluding /icons/,
|
||||||
/doc/, /manuals/, and other standard, mundane locations along these lines. In
|
/doc/, /manuals/, and other standard, mundane locations along these lines. In
|
||||||
general, you can use -X, plus -I (only spider URLs matching a substring) and -S
|
general, you can use -X, plus -I (only spider URLs matching a substring) and
|
||||||
(ignore links on pages where a substring appears in response body) to limit the
|
-S (ignore links on pages where a substring appears in response body) to
|
||||||
scope of a scan any way you like - including restricting it only to a specific
|
limit the scope of a scan any way you like - including restricting it only to
|
||||||
protocol and port:
|
a specific protocol and port:
|
||||||
|
|
||||||
$ ./skipfish -I http://example.com:1234/ ...other parameters...
|
$ ./skipfish -I http://example.com:1234/ ...other parameters...
|
||||||
|
|
||||||
A related function, -K, allows you to specify parameter names not to fuzz
|
A related function, -K, allows you to specify parameter names not to fuzz
|
||||||
(useful for applications that put session IDs in the URL, to minimize noise).
|
(useful for applications that put session IDs in the URL, to minimize noise).
|
||||||
|
|
||||||
Another useful scoping option is -D - allowing you to specify additional hosts
|
Another useful scoping option is -D - allowing you to specify additional
|
||||||
or domains to consider in-scope for the test. By default, all hosts appearing
|
hosts or domains to consider in-scope for the test. By default, all hosts
|
||||||
in the command-line URLs are added to the list - but you can use -D to broaden
|
appearing in the command-line URLs are added to the list - but you can use -D
|
||||||
these rules, for example:
|
to broaden these rules, for example:
|
||||||
|
|
||||||
$ ./skipfish -D test2.example.com -o output-dir http://test1.example.com/
|
$ ./skipfish -D test2.example.com -o output-dir http://test1.example.com/
|
||||||
|
|
||||||
|
@ -284,120 +294,124 @@ $ ./skipfish -D test2.example.com -o output-dir http://test1.example.com/
|
||||||
|
|
||||||
$ ./skipfish -D .example.com -o output-dir http://test1.example.com/
|
$ ./skipfish -D .example.com -o output-dir http://test1.example.com/
|
||||||
|
|
||||||
In some cases, you do not want to actually crawl a third-party domain, but you
|
In some cases, you do not want to actually crawl a third-party domain, but
|
||||||
trust the owner of that domain enough not to worry about cross-domain content
|
you trust the owner of that domain enough not to worry about cross-domain
|
||||||
inclusion from that location. To suppress warnings, you can use the -B option,
|
content inclusion from that location. To suppress warnings, you can use the
|
||||||
for example:
|
-B option, for example:
|
||||||
|
|
||||||
$ ./skipfish -B .google-analytics.com -B .googleapis.com ...other parameters...
|
$ ./skipfish -B .google-analytics.com -B .googleapis.com ...other
|
||||||
|
parameters...
|
||||||
|
|
||||||
By default, skipfish sends minimalistic HTTP headers to reduce the amount of
|
By default, skipfish sends minimalistic HTTP headers to reduce the amount of
|
||||||
data exchanged over the wire; some sites examine User-Agent strings or header
|
data exchanged over the wire; some sites examine User-Agent strings or header
|
||||||
ordering to reject unsupported clients, however. In such a case, you can use -b
|
ordering to reject unsupported clients, however. In such a case, you can use
|
||||||
ie or -b ffox to mimic one of the two popular browsers.
|
-b ie or -b ffox to mimic one of the two popular browsers.
|
||||||
|
|
||||||
When it comes to customizing your HTTP requests, you can also use the -H option
|
When it comes to customizing your HTTP requests, you can also use the -H
|
||||||
to insert any additional, non-standard headers; or -F to define a custom
|
option to insert any additional, non-standard headers; or -F to define a
|
||||||
mapping between a host and an IP (bypassing the resolver). The latter feature
|
custom mapping between a host and an IP (bypassing the resolver). The latter
|
||||||
is particularly useful for not-yet-launched or legacy services.
|
feature is particularly useful for not-yet-launched or legacy services.
|
||||||
|
|
||||||
Some sites may be too big to scan in a reasonable timeframe. If the site
|
Some sites may be too big to scan in a reasonable timeframe. If the site
|
||||||
features well-defined tarpits - for example, 100,000 nearly identical user
|
features well-defined tarpits - for example, 100,000 nearly identical user
|
||||||
profiles as a part of a social network - these specific locations can be
|
profiles as a part of a social network - these specific locations can be
|
||||||
excluded with -X or -S. In other cases, you may need to resort to other
|
excluded with -X or -S. In other cases, you may need to resort to other
|
||||||
settings: -d limits crawl depth to a specified number of subdirectories; -c
|
settings: -d limits crawl depth to a specified number of subdirectories; -c
|
||||||
limits the number of children per directory; and -r limits the total number of
|
limits the number of children per directory; -x limits the total number of
|
||||||
requests to send in a scan.
|
descendants per crawl tree branch; and -r limits the total number of requests
|
||||||
|
to send in a scan.
|
||||||
|
|
||||||
An interesting option is available for repeated assessments: -p. By specifying
|
An interesting option is available for repeated assessments: -p. By
|
||||||
a percentage between 1 and 100%, it is possible to tell the crawler to follow
|
specifying a percentage between 1 and 100%, it is possible to tell the
|
||||||
fewer than 100% of all links, and try fewer than 100% of all dictionary
|
crawler to follow fewer than 100% of all links, and try fewer than 100% of
|
||||||
entries. This - naturally - limits the completeness of a scan, but unlike most
|
all dictionary entries. This - naturally - limits the completeness of a scan,
|
||||||
other settings, it does so in a balanced, non-deterministic manner. It is
|
but unlike most other settings, it does so in a balanced, non-deterministic
|
||||||
extremely useful when you are setting up time-bound, but periodic assessments
|
manner. It is extremely useful when you are setting up time-bound, but
|
||||||
of your infrastructure. Another related option is -q, which sets the initial
|
periodic assessments of your infrastructure. Another related option is -q,
|
||||||
random seed for the crawler to a specified value. This can be used to exactly
|
which sets the initial random seed for the crawler to a specified value. This
|
||||||
reproduce a previous scan to compare results. Randomness is relied upon most
|
can be used to exactly reproduce a previous scan to compare results.
|
||||||
heavily in the -p mode, but also for making a couple of other scan management
|
Randomness is relied upon most heavily in the -p mode, but also for making a
|
||||||
decisions elsewhere.
|
couple of other scan management decisions elsewhere.
|
||||||
|
|
||||||
Some particularly complex (or broken) services may involve a very high number
|
Some particularly complex (or broken) services may involve a very high number
|
||||||
of identical or nearly identical pages. Although these occurrences are by
|
of identical or nearly identical pages. Although these occurrences are by
|
||||||
default grayed out in the report, they still use up some screen estate and take
|
default grayed out in the report, they still use up some screen estate and
|
||||||
a while to process on JavaScript level. In such extreme cases, you may use the
|
take a while to process on JavaScript level. In such extreme cases, you may
|
||||||
-Q option to suppress reporting of duplicate nodes altogether, before the
|
use the -Q option to suppress reporting of duplicate nodes altogether, before
|
||||||
report is written. This may give you a less comprehensive understanding of how
|
the report is written. This may give you a less comprehensive understanding
|
||||||
the site is organized, but has no impact on test coverage.
|
of how the site is organized, but has no impact on test coverage.
|
||||||
|
|
||||||
In certain quick assessments, you might also have no interest in paying any
|
In certain quick assessments, you might also have no interest in paying any
|
||||||
particular attention to the desired functionality of the site - hoping to
|
particular attention to the desired functionality of the site - hoping to
|
||||||
explore non-linked secrets only. In such a case, you may specify -P to inhibit
|
explore non-linked secrets only. In such a case, you may specify -P to
|
||||||
all HTML parsing. This limits the coverage and takes away the ability for the
|
inhibit all HTML parsing. This limits the coverage and takes away the ability
|
||||||
scanner to learn new keywords by looking at the HTML, but speeds up the test
|
for the scanner to learn new keywords by looking at the HTML, but speeds up
|
||||||
dramatically. Another similarly crippling option that reduces the risk of
|
the test dramatically. Another similarly crippling option that reduces the
|
||||||
persistent effects of a scan is -O, which inhibits all form parsing and
|
risk of persistent effects of a scan is -O, which inhibits all form parsing
|
||||||
submission steps.
|
and submission steps.
|
||||||
|
|
||||||
By default, skipfish complains loudly about all MIME or character set
|
By default, skipfish complains loudly about all MIME or character set
|
||||||
mismatches on renderable documents, and classifies many of them as "medium
|
mismatches on renderable documents, and classifies many of them as "medium
|
||||||
risk"; this is because, if any user-controlled content is returned, the
|
risk"; this is because, if any user-controlled content is returned, the
|
||||||
situation could lead to cross-site scripting attacks in certain browsers. On
|
situation could lead to cross-site scripting attacks in certain browsers. On
|
||||||
some poorly designed and maintained sites, this may contribute too much noise;
|
some poorly designed and maintained sites, this may contribute too much
|
||||||
if so, you may use -J to mark these issues as "low risk" unless the scanner can
|
noise; if so, you may use -J to mark these issues as "low risk" unless the
|
||||||
explicitly sees its own user input being echoed back on the resulting page.
|
scanner can explicitly sees its own user input being echoed back on the
|
||||||
This may miss many subtle attack vectors, though.
|
resulting page. This may miss many subtle attack vectors, though.
|
||||||
|
|
||||||
Some sites that handle sensitive user data care about SSL - and about getting
|
Some sites that handle sensitive user data care about SSL - and about getting
|
||||||
it right. Skipfish may optionally assist you in figuring out problematic mixed
|
it right. Skipfish may optionally assist you in figuring out problematic
|
||||||
content scenarios - use the -M option to enable this. The scanner will complain
|
mixed content scenarios - use the -M option to enable this. The scanner will
|
||||||
about situations such as http:// scripts being loaded on https:// pages - but
|
complain about situations such as http:// scripts being loaded on https://
|
||||||
will disregard non-risk scenarios such as images.
|
pages - but will disregard non-risk scenarios such as images.
|
||||||
|
|
||||||
Likewise, certain pedantic sites may care about cases where caching is
|
Likewise, certain pedantic sites may care about cases where caching is
|
||||||
restricted on HTTP/1.1 level, but no explicit HTTP/1.0 caching directive is
|
restricted on HTTP/1.1 level, but no explicit HTTP/1.0 caching directive is
|
||||||
given on specifying -E in the command-line causes skipfish to log all such
|
given on specifying -E in the command-line causes skipfish to log all such
|
||||||
cases carefully.
|
cases carefully.
|
||||||
|
|
||||||
Lastly, in some assessments that involve self-contained sites without extensive
|
Lastly, in some assessments that involve self-contained sites without
|
||||||
user content, the auditor may care about any external e-mails or HTTP links
|
extensive user content, the auditor may care about any external e-mails or
|
||||||
seen, even if they have no immediate security impact. Use the -U option to have
|
HTTP links seen, even if they have no immediate security impact. Use the -U
|
||||||
these logged.
|
option to have these logged.
|
||||||
|
|
||||||
Dictionary management is a special topic, and - as mentioned - is covered in
|
Dictionary management is a special topic, and - as mentioned - is covered in
|
||||||
more detail in dictionaries/README-FIRST. Please read that file before
|
more detail in dictionaries/README-FIRST. Please read that file before
|
||||||
proceeding. Some of the relevant options include -W to specify a custom
|
proceeding. Some of the relevant options include -W to specify a custom
|
||||||
wordlist, -L to suppress auto-learning, -V to suppress dictionary updates, -G
|
wordlist, -L to suppress auto-learning, -V to suppress dictionary updates, -G
|
||||||
to limit the keyword guess jar size, -R to drop old dictionary entries, and -Y
|
to limit the keyword guess jar size, -R to drop old dictionary entries, and
|
||||||
to inhibit expensive $keyword.$extension fuzzing.
|
-Y to inhibit expensive $keyword.$extension fuzzing.
|
||||||
|
|
||||||
Skipfish also features a form auto-completion mechanism in order to maximize
|
Skipfish also features a form auto-completion mechanism in order to maximize
|
||||||
scan coverage. The values should be non-malicious, as they are not meant to
|
scan coverage. The values should be non-malicious, as they are not meant to
|
||||||
implement security checks - but rather, to get past input validation logic. You
|
implement security checks - but rather, to get past input validation logic.
|
||||||
can define additional rules, or override existing ones, with the -T option (-T
|
You can define additional rules, or override existing ones, with the -T
|
||||||
form_field_name=field_value, e.g. -T login=test123 -T password=test321 -
|
option (-T form_field_name=field_value, e.g. -T login=test123 -T
|
||||||
although note that -C and -A are a much better method of logging in).
|
password=test321 - although note that -C and -A are a much better method of
|
||||||
|
logging in).
|
||||||
|
|
||||||
There is also a handful of performance-related options. Use -g to set the
|
There is also a handful of performance-related options. Use -g to set the
|
||||||
maximum number of connections to maintain, globally, to all targets (it is
|
maximum number of connections to maintain, globally, to all targets (it is
|
||||||
sensible to keep this under 50 or so to avoid overwhelming the TCP/IP stack on
|
sensible to keep this under 50 or so to avoid overwhelming the TCP/IP stack
|
||||||
your system or on the nearby NAT / firewall devices); and -m to set the per-IP
|
on your system or on the nearby NAT / firewall devices); and -m to set the
|
||||||
limit (experiment a bit: 2-4 is usually good for localhost, 4-8 for local
|
per-IP limit (experiment a bit: 2-4 is usually good for localhost, 4-8 for
|
||||||
networks, 10-20 for external targets, 30+ for really lagged or non-keep-alive
|
local networks, 10-20 for external targets, 30+ for really lagged or
|
||||||
hosts). You can also use -w to set the I/O timeout (i.e., skipfish will wait
|
non-keep-alive hosts). You can also use -w to set the I/O timeout (i.e.,
|
||||||
only so long for an individual read or write), and -t to set the total request
|
skipfish will wait only so long for an individual read or write), and -t to
|
||||||
timeout, to account for really slow or really fast sites.
|
set the total request timeout, to account for really slow or really fast
|
||||||
|
sites.
|
||||||
|
|
||||||
Lastly, -f controls the maximum number of consecutive HTTP errors you are
|
Lastly, -f controls the maximum number of consecutive HTTP errors you are
|
||||||
willing to see before aborting the scan; and -s sets the maximum length of a
|
willing to see before aborting the scan; and -s sets the maximum length of a
|
||||||
response to fetch and parse (longer responses will be truncated).
|
response to fetch and parse (longer responses will be truncated).
|
||||||
|
|
||||||
Further rate-limiting is available through third-party user mode tools such as
|
Further rate-limiting is available through third-party user mode tools such
|
||||||
trickle, or kernel-level traffic shaping.
|
as trickle, or kernel-level traffic shaping.
|
||||||
|
|
||||||
Oh, and runtime stats can be suppressed with -u to run skipfish in quiet mode.
|
Oh, and real-time scan statistics can be suppressed with -u.
|
||||||
|
|
||||||
--------------------------------
|
--------------------------------
|
||||||
5. But seriously, how to run it?
|
6. But seriously, how to run it?
|
||||||
--------------------------------
|
--------------------------------
|
||||||
|
|
||||||
A standard, authenticated scan of a well-designed and self-contained site
|
A standard, authenticated scan of a well-designed and self-contained site
|
||||||
|
@ -407,52 +421,53 @@ issues):
|
||||||
$ ./skipfish -MEU -C "AuthCookie=value" -X /logout.aspx -o output_dir \
|
$ ./skipfish -MEU -C "AuthCookie=value" -X /logout.aspx -o output_dir \
|
||||||
http://www.example.com/
|
http://www.example.com/
|
||||||
|
|
||||||
Five-connection crawl, but no brute-force; pretending to be MSIE, caring
|
Five-connection crawl, but no brute-force; pretending to be MSIE and caring
|
||||||
less about ambiguous MIME or character set mismatches, and trusting
|
less about ambiguous MIME or character set mismatches, and trusting
|
||||||
example.com links:
|
example.com links:
|
||||||
|
|
||||||
$ ./skipfish -m 5 -LVJ -W /dev/null -o output_dir -b ie -B example.com \
|
$ ./skipfish -m 5 -LVJ -W /dev/null -o output_dir -b ie -B example.com \
|
||||||
http://www.example.com/
|
http://www.example.com/
|
||||||
|
|
||||||
Brute force only (no HTML link extraction), limited to a specific
|
Brute force only (no HTML link extraction), limited to a single directory and
|
||||||
directory, timing out after 5 seconds:
|
timing out after 5 seconds:
|
||||||
|
|
||||||
$ ./skipfish -P -I http://www.example.com/dir1/ -O -o output_dir -t 5 \
|
$ ./skipfish -P -I http://www.example.com/dir1/ -o output_dir -t 5 -I \
|
||||||
http://www.example.com/dir1/
|
http://www.example.com/dir1/
|
||||||
|
|
||||||
For a short list of all command-line options, try ./skipfish -h.
|
For a short list of all command-line options, try ./skipfish -h.
|
||||||
|
|
||||||
----------------------------------------------------
|
----------------------------------------------------
|
||||||
6. How to interpret and address the issues reported?
|
7. How to interpret and address the issues reported?
|
||||||
----------------------------------------------------
|
----------------------------------------------------
|
||||||
|
|
||||||
Most of the problems reported by skipfish should self-explanatory, assuming you
|
Most of the problems reported by skipfish should self-explanatory, assuming you
|
||||||
have a good gasp of the fundamentals of web security. If you need a quick
|
have a good gasp of the fundamentals of web security. If you need a quick
|
||||||
refresher on some of the more complicated topics, such as MIME sniffing, you
|
refresher on some of the more complicated topics, such as MIME sniffing, you
|
||||||
may enjoy our comprehensive Browser Security Handbook as a starting point:
|
may enjoy our comprehensive Browser Security Handbook as a starting point:
|
||||||
|
|
||||||
http://code.google.com/p/browsersec/
|
http://code.google.com/p/browsersec/
|
||||||
|
|
||||||
If you still need assistance, there are several organizations that put a
|
If you still need assistance, there are several organizations that put a
|
||||||
considerable effort into documenting and explaining many of the common web
|
considerable effort into documenting and explaining many of the common web
|
||||||
security threats, and advising the public on how to address them. I encourage
|
security threats, and advising the public on how to address them. I encourage
|
||||||
you to refer to the materials published by OWASP and Web Application Security
|
you to refer to the materials published by OWASP and Web Application Security
|
||||||
Consortium, amongst others:
|
Consortium, amongst others:
|
||||||
|
|
||||||
* http://www.owasp.org/index.php/Category:Principle
|
* http://www.owasp.org/index.php/Category:Principle
|
||||||
* http://www.owasp.org/index.php/Category:OWASP_Guide_Project
|
* http://www.owasp.org/index.php/Category:OWASP_Guide_Project
|
||||||
* http://www.webappsec.org/projects/articles/
|
* http://www.webappsec.org/projects/articles/
|
||||||
|
|
||||||
Although I am happy to diagnose problems with the scanner itself, I regrettably
|
Although I am happy to diagnose problems with the scanner itself, I regrettably
|
||||||
cannot offer any assistance with the inner wokings of third-party web
|
cannot offer any assistance with the inner wokings of third-party web
|
||||||
applications.
|
applications.
|
||||||
|
|
||||||
---------------------------------------
|
---------------------------------------
|
||||||
7. Known limitations / feature wishlist
|
8. Known limitations / feature wishlist
|
||||||
---------------------------------------
|
---------------------------------------
|
||||||
|
|
||||||
Below is a list of features currently missing in skipfish. If you wish to
|
Below is a list of features currently missing in skipfish. If you wish to
|
||||||
improve the tool by contributing code in one of these areas, please let me know:
|
improve the tool by contributing code in one of these areas, please let me
|
||||||
|
know:
|
||||||
|
|
||||||
* Buffer overflow checks: after careful consideration, I suspect there is
|
* Buffer overflow checks: after careful consideration, I suspect there is
|
||||||
no reliable way to test for buffer overflows remotely. Much like the actual
|
no reliable way to test for buffer overflows remotely. Much like the actual
|
||||||
|
@ -468,24 +483,24 @@ improve the tool by contributing code in one of these areas, please let me know:
|
||||||
problems seem to be largely addressed on browser level at this point, so
|
problems seem to be largely addressed on browser level at this point, so
|
||||||
they were much lower priority at the time of this writing.
|
they were much lower priority at the time of this writing.
|
||||||
|
|
||||||
* Security checks and link extraction for third-party, plugin-based content
|
* Security checks and link extraction for third-party, plugin-based
|
||||||
(Flash, Java, PDF, etc).
|
content (Flash, Java, PDF, etc).
|
||||||
|
|
||||||
* Password brute-force and numerical filename brute-force probes.
|
* Password brute-force and numerical filename brute-force probes.
|
||||||
|
|
||||||
* Search engine integration (vhosts, starting paths).
|
* Search engine integration (vhosts, starting paths).
|
||||||
|
|
||||||
* More specific PHP tests (eval injection, RFI).
|
* VIEWSTATE decoding.
|
||||||
|
|
||||||
* VIEWSTATE decoding.
|
|
||||||
|
|
||||||
* NTLM and digest authentication.
|
* NTLM and digest authentication.
|
||||||
|
|
||||||
* Proxy support: somewhat incompatible with performance control features
|
* More specific PHP tests (eval injection, RFI).
|
||||||
currently employed by skipfish; but in the long run, should be provided as
|
|
||||||
a last-resort option.
|
|
||||||
|
|
||||||
* Scan resume option.
|
* Proxy support: somewhat incompatible with performance control features
|
||||||
|
currently employed by skipfish; but in the long run, should be provided
|
||||||
|
as a last-resort option.
|
||||||
|
|
||||||
|
* Scan resume option.
|
||||||
|
|
||||||
* Option to limit document sampling or save samples directly to disk.
|
* Option to limit document sampling or save samples directly to disk.
|
||||||
|
|
||||||
|
@ -493,16 +508,17 @@ improve the tool by contributing code in one of these areas, please let me know:
|
||||||
|
|
||||||
* Config file support.
|
* Config file support.
|
||||||
|
|
||||||
* A database for banner / version checks?
|
* A database for banner / version checks?
|
||||||
|
|
||||||
-------------------------------------
|
-------------------------------------
|
||||||
8. Oy! Something went horribly wrong!
|
9. Oy! Something went horribly wrong!
|
||||||
-------------------------------------
|
-------------------------------------
|
||||||
|
|
||||||
There is no web crawler so good that there wouldn't be a web framework to one
|
There is no web crawler so good that there wouldn't be a web framework to one
|
||||||
day set it on fire. If you encounter what appears to be bad behavior (e.g., a
|
day set it on fire. If you encounter what appears to be bad behavior (e.g., a
|
||||||
scan that takes forever and generates too many requests, completely bogus nodes
|
scan that takes forever and generates too many requests, completely bogus
|
||||||
in scan output, or outright crashes), please first check this page:
|
nodes in scan output, or outright crashes), please first check our known
|
||||||
|
issues page:
|
||||||
|
|
||||||
http://code.google.com/p/skipfish/wiki/KnownIssues
|
http://code.google.com/p/skipfish/wiki/KnownIssues
|
||||||
|
|
||||||
|
@ -526,12 +542,12 @@ $ gdb --batch -ex back ./skipfish core
|
||||||
|
|
||||||
...and be sure to send the author the output of that last command as well.
|
...and be sure to send the author the output of that last command as well.
|
||||||
|
|
||||||
-----------------------
|
------------------------
|
||||||
9. Credits and feedback
|
10. Credits and feedback
|
||||||
-----------------------
|
------------------------
|
||||||
|
|
||||||
Skipfish is made possible thanks to the contributions of, and valuable feedback
|
Skipfish is made possible thanks to the contributions of, and valuable
|
||||||
from, Google's information security engineering team.
|
feedback from, Google's information security engineering team.
|
||||||
|
|
||||||
If you have any bug reports, questions, suggestions, or concerns regarding the
|
If you have any bug reports, questions, suggestions, or concerns regarding
|
||||||
application, the author can be reached at lcamtuf@google.com.
|
the application, the author can be reached at lcamtuf@google.com.
|
||||||
|
|
3
config.h
3
config.h
|
@ -70,7 +70,8 @@
|
||||||
/* Configurable settings for crawl database (cmdline override): */
|
/* Configurable settings for crawl database (cmdline override): */
|
||||||
|
|
||||||
#define MAX_DEPTH 16 /* Maximum crawl tree depth */
|
#define MAX_DEPTH 16 /* Maximum crawl tree depth */
|
||||||
#define MAX_CHILDREN 1024 /* Maximum children per tree node */
|
#define MAX_CHILDREN 512 /* Maximum children per tree node */
|
||||||
|
#define MAX_DESCENDANTS 8192 /* Maximum descendants per branch */
|
||||||
#define MAX_SAMENAME 3 /* Identically named path nodes */
|
#define MAX_SAMENAME 3 /* Identically named path nodes */
|
||||||
|
|
||||||
/* Crawl / analysis constants: */
|
/* Crawl / analysis constants: */
|
||||||
|
|
22
crawler.c
22
crawler.c
|
@ -1654,7 +1654,7 @@ static void crawl_par_numerical_init(struct pivot_desc* pv) {
|
||||||
|
|
||||||
DEBUG_HELPER(pv);
|
DEBUG_HELPER(pv);
|
||||||
|
|
||||||
if (pv->child_cnt >= max_children) goto schedule_next;
|
if (!descendants_ok(pv)) goto schedule_next;
|
||||||
|
|
||||||
/* Skip to the first digit, then to first non-digit. */
|
/* Skip to the first digit, then to first non-digit. */
|
||||||
|
|
||||||
|
@ -1754,7 +1754,7 @@ static u8 par_numerical_callback(struct http_request* req,
|
||||||
!((is_c_sens(req->pivot) ? strcmp : strcasecmp)((char*)TPAR(req),
|
!((is_c_sens(req->pivot) ? strcmp : strcasecmp)((char*)TPAR(req),
|
||||||
(char*)req->pivot->child[i]->name))) goto schedule_next;
|
(char*)req->pivot->child[i]->name))) goto schedule_next;
|
||||||
|
|
||||||
if (req->pivot->child_cnt >= max_children) goto schedule_next;
|
if (!descendants_ok(req->pivot)) goto schedule_next;
|
||||||
|
|
||||||
/* Hmm, looks like we're onto something. Let's manually create a dummy
|
/* Hmm, looks like we're onto something. Let's manually create a dummy
|
||||||
pivot and attach it to current node, without any activity planned.
|
pivot and attach it to current node, without any activity planned.
|
||||||
|
@ -1777,6 +1777,8 @@ static u8 par_numerical_callback(struct http_request* req,
|
||||||
|
|
||||||
req->pivot->child[req->pivot->child_cnt++] = n;
|
req->pivot->child[req->pivot->child_cnt++] = n;
|
||||||
|
|
||||||
|
add_descendant(req->pivot);
|
||||||
|
|
||||||
req->pivot = n;
|
req->pivot = n;
|
||||||
|
|
||||||
RESP_CHECKS(req, res);
|
RESP_CHECKS(req, res);
|
||||||
|
@ -1814,7 +1816,7 @@ static void crawl_par_dict_init(struct pivot_desc* pv) {
|
||||||
|
|
||||||
restart_dict:
|
restart_dict:
|
||||||
|
|
||||||
if (pv->child_cnt >= max_children) {
|
if (!descendants_ok(pv)) {
|
||||||
crawl_par_trylist_init(pv);
|
crawl_par_trylist_init(pv);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -1945,7 +1947,7 @@ static u8 par_dict_callback(struct http_request* req,
|
||||||
!((is_c_sens(req->pivot) ? strcmp : strcasecmp)((char*)TPAR(req),
|
!((is_c_sens(req->pivot) ? strcmp : strcasecmp)((char*)TPAR(req),
|
||||||
(char*)req->pivot->child[i]->name))) goto schedule_next;
|
(char*)req->pivot->child[i]->name))) goto schedule_next;
|
||||||
|
|
||||||
if (req->pivot->child_cnt >= max_children) goto schedule_next;
|
if (!descendants_ok(req->pivot)) goto schedule_next;
|
||||||
|
|
||||||
n = ck_alloc(sizeof(struct pivot_desc));
|
n = ck_alloc(sizeof(struct pivot_desc));
|
||||||
|
|
||||||
|
@ -1963,6 +1965,9 @@ static u8 par_dict_callback(struct http_request* req,
|
||||||
* sizeof(struct pivot_desc*));
|
* sizeof(struct pivot_desc*));
|
||||||
|
|
||||||
req->pivot->child[req->pivot->child_cnt++] = n;
|
req->pivot->child[req->pivot->child_cnt++] = n;
|
||||||
|
|
||||||
|
add_descendant(req->pivot);
|
||||||
|
|
||||||
req->pivot = n;
|
req->pivot = n;
|
||||||
|
|
||||||
keep = 1;
|
keep = 1;
|
||||||
|
@ -1992,7 +1997,7 @@ void crawl_par_trylist_init(struct pivot_desc* pv) {
|
||||||
no point in going through the try list if restarted. */
|
no point in going through the try list if restarted. */
|
||||||
|
|
||||||
if (pv->fuzz_par == -1 || pv->bogus_par || pv->res_varies
|
if (pv->fuzz_par == -1 || pv->bogus_par || pv->res_varies
|
||||||
|| pv->child_cnt >= max_children) {
|
|| !descendants_ok(pv)) {
|
||||||
pv->state = PSTATE_DONE;
|
pv->state = PSTATE_DONE;
|
||||||
return;
|
return;
|
||||||
} else
|
} else
|
||||||
|
@ -2078,7 +2083,7 @@ static u8 par_trylist_callback(struct http_request* req,
|
||||||
!((is_c_sens(req->pivot) ? strcmp : strcasecmp)((char*)TPAR(req),
|
!((is_c_sens(req->pivot) ? strcmp : strcasecmp)((char*)TPAR(req),
|
||||||
(char*)req->pivot->child[i]->name))) goto schedule_next;
|
(char*)req->pivot->child[i]->name))) goto schedule_next;
|
||||||
|
|
||||||
if (req->pivot->child_cnt >= max_children) goto schedule_next;
|
if (!descendants_ok(req->pivot)) goto schedule_next;
|
||||||
|
|
||||||
n = ck_alloc(sizeof(struct pivot_desc));
|
n = ck_alloc(sizeof(struct pivot_desc));
|
||||||
|
|
||||||
|
@ -2096,6 +2101,9 @@ static u8 par_trylist_callback(struct http_request* req,
|
||||||
* sizeof(struct pivot_desc*));
|
* sizeof(struct pivot_desc*));
|
||||||
|
|
||||||
req->pivot->child[req->pivot->child_cnt++] = n;
|
req->pivot->child[req->pivot->child_cnt++] = n;
|
||||||
|
|
||||||
|
add_descendant(req->pivot);
|
||||||
|
|
||||||
req->pivot = n;
|
req->pivot = n;
|
||||||
|
|
||||||
RESP_CHECKS(req, res);
|
RESP_CHECKS(req, res);
|
||||||
|
@ -2634,7 +2642,7 @@ static void crawl_dir_dict_init(struct pivot_desc* pv) {
|
||||||
if (in_dict_init || pv->pending > DICT_BATCH || pv->state != PSTATE_CHILD_DICT)
|
if (in_dict_init || pv->pending > DICT_BATCH || pv->state != PSTATE_CHILD_DICT)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
if (pv->child_cnt >= max_children) {
|
if (!descendants_ok(pv)) {
|
||||||
crawl_parametric_init(pv);
|
crawl_parametric_init(pv);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
47
database.c
47
database.c
|
@ -52,9 +52,10 @@ u32 num_deny_urls,
|
||||||
num_trust_domains,
|
num_trust_domains,
|
||||||
num_skip_params;
|
num_skip_params;
|
||||||
|
|
||||||
u32 max_depth = MAX_DEPTH,
|
u32 max_depth = MAX_DEPTH,
|
||||||
max_children = MAX_CHILDREN,
|
max_children = MAX_CHILDREN,
|
||||||
max_guesses = MAX_GUESSES;
|
max_descendants = MAX_DESCENDANTS,
|
||||||
|
max_guesses = MAX_GUESSES;
|
||||||
|
|
||||||
u8 dont_add_words; /* No auto dictionary building */
|
u8 dont_add_words; /* No auto dictionary building */
|
||||||
|
|
||||||
|
@ -84,6 +85,31 @@ static u32 cur_xss_id, scan_id; /* Stored XSS manager IDs */
|
||||||
static struct http_request** xss_req; /* Stored XSS manager req cache */
|
static struct http_request** xss_req; /* Stored XSS manager req cache */
|
||||||
|
|
||||||
|
|
||||||
|
/* Checks descendant counts. */
|
||||||
|
|
||||||
|
u8 descendants_ok(struct pivot_desc* pv) {
|
||||||
|
|
||||||
|
if (pv->child_cnt > max_children) return 0;
|
||||||
|
|
||||||
|
while (pv) {
|
||||||
|
if (pv->desc_cnt > max_descendants) return 0;
|
||||||
|
pv = pv->parent;
|
||||||
|
}
|
||||||
|
|
||||||
|
return 1;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
void add_descendant(struct pivot_desc* pv) {
|
||||||
|
|
||||||
|
while (pv) {
|
||||||
|
pv->desc_cnt++;
|
||||||
|
pv = pv->parent;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
/* Maps a parsed URL (in req) to the pivot tree, creating or modifying nodes
|
/* Maps a parsed URL (in req) to the pivot tree, creating or modifying nodes
|
||||||
as necessary, and scheduling them for crawl. This should be called only
|
as necessary, and scheduling them for crawl. This should be called only
|
||||||
on requests that were *not* yet retrieved. */
|
on requests that were *not* yet retrieved. */
|
||||||
|
@ -167,6 +193,8 @@ void maybe_add_pivot(struct http_request* req, struct http_response* res,
|
||||||
|
|
||||||
root_pivot.child[root_pivot.child_cnt++] = cur;
|
root_pivot.child[root_pivot.child_cnt++] = cur;
|
||||||
|
|
||||||
|
add_descendant(&root_pivot);
|
||||||
|
|
||||||
cur->type = PIVOT_SERV;
|
cur->type = PIVOT_SERV;
|
||||||
cur->state = PSTATE_FETCH;
|
cur->state = PSTATE_FETCH;
|
||||||
cur->linked = 2;
|
cur->linked = 2;
|
||||||
|
@ -234,7 +262,7 @@ void maybe_add_pivot(struct http_request* req, struct http_response* res,
|
||||||
|
|
||||||
/* Enforce user limits. */
|
/* Enforce user limits. */
|
||||||
|
|
||||||
if ((i + 1) >= max_depth || cur->child_cnt > max_children) {
|
if ((i + 1) >= max_depth || !descendants_ok(cur)) {
|
||||||
problem(PROB_LIMITS, req, res, (u8*)"Child node limit exceeded", cur,
|
problem(PROB_LIMITS, req, res, (u8*)"Child node limit exceeded", cur,
|
||||||
0);
|
0);
|
||||||
return;
|
return;
|
||||||
|
@ -261,6 +289,8 @@ void maybe_add_pivot(struct http_request* req, struct http_response* res,
|
||||||
|
|
||||||
cur->child[cur->child_cnt++] = n;
|
cur->child[cur->child_cnt++] = n;
|
||||||
|
|
||||||
|
add_descendant(cur);
|
||||||
|
|
||||||
n->parent = cur;
|
n->parent = cur;
|
||||||
n->linked = via_link;
|
n->linked = via_link;
|
||||||
n->name = ck_strdup(pname);
|
n->name = ck_strdup(pname);
|
||||||
|
@ -427,7 +457,7 @@ void maybe_add_pivot(struct http_request* req, struct http_response* res,
|
||||||
|
|
||||||
/* Enforce user limits. */
|
/* Enforce user limits. */
|
||||||
|
|
||||||
if (cur->child_cnt > max_children) {
|
if (!descendants_ok(cur)) {
|
||||||
problem(PROB_LIMITS, req, res, (u8*)"Child node limit exceeded", cur, 0);
|
problem(PROB_LIMITS, req, res, (u8*)"Child node limit exceeded", cur, 0);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -441,6 +471,8 @@ void maybe_add_pivot(struct http_request* req, struct http_response* res,
|
||||||
|
|
||||||
cur->child[cur->child_cnt++] = n;
|
cur->child[cur->child_cnt++] = n;
|
||||||
|
|
||||||
|
add_descendant(cur);
|
||||||
|
|
||||||
n->parent = cur;
|
n->parent = cur;
|
||||||
n->type = PIVOT_PARAM;
|
n->type = PIVOT_PARAM;
|
||||||
n->linked = via_link;
|
n->linked = via_link;
|
||||||
|
@ -1236,8 +1268,9 @@ void dump_pivots(struct pivot_desc* cur, u8 nest) {
|
||||||
}
|
}
|
||||||
|
|
||||||
SAY(cGRA "%sFlags : " cNOR "linked %u, case %u/%u, fuzz_par %d, ips %u, "
|
SAY(cGRA "%sFlags : " cNOR "linked %u, case %u/%u, fuzz_par %d, ips %u, "
|
||||||
"sigs %u, reqs %u\n", indent, cur->linked, cur->csens, cur->c_checked,
|
"sigs %u, reqs %u, desc %u/%u\n", indent, cur->linked, cur->csens, cur->c_checked,
|
||||||
cur->fuzz_par, cur->uses_ips, cur->r404_cnt, cur->pending);
|
cur->fuzz_par, cur->uses_ips, cur->r404_cnt, cur->pending, cur->child_cnt,
|
||||||
|
cur->desc_cnt);
|
||||||
|
|
||||||
if (cur->req) {
|
if (cur->req) {
|
||||||
url = serialize_path(cur->req, 1, 0);
|
url = serialize_path(cur->req, 1, 0);
|
||||||
|
|
10
database.h
10
database.h
|
@ -96,6 +96,7 @@ struct pivot_desc {
|
||||||
struct pivot_desc* parent; /* Parent pivot, if any */
|
struct pivot_desc* parent; /* Parent pivot, if any */
|
||||||
struct pivot_desc** child; /* List of children */
|
struct pivot_desc** child; /* List of children */
|
||||||
u32 child_cnt; /* Number of children */
|
u32 child_cnt; /* Number of children */
|
||||||
|
u32 desc_cnt; /* Number of descendants */
|
||||||
|
|
||||||
struct issue_desc* issue; /* List of issues found */
|
struct issue_desc* issue; /* List of issues found */
|
||||||
u32 issue_cnt; /* Number of issues */
|
u32 issue_cnt; /* Number of issues */
|
||||||
|
@ -153,6 +154,14 @@ struct pivot_desc {
|
||||||
|
|
||||||
extern struct pivot_desc root_pivot;
|
extern struct pivot_desc root_pivot;
|
||||||
|
|
||||||
|
/* Checks child / descendant limits. */
|
||||||
|
|
||||||
|
u8 descendants_ok(struct pivot_desc* pv);
|
||||||
|
|
||||||
|
/* Increases descendant count. */
|
||||||
|
|
||||||
|
void add_descendant(struct pivot_desc* pv);
|
||||||
|
|
||||||
/* Maps a parsed URL (in req) to the pivot tree, creating or modifying nodes
|
/* Maps a parsed URL (in req) to the pivot tree, creating or modifying nodes
|
||||||
as necessary, and scheduling them for crawl; via_link should be 1 if the
|
as necessary, and scheduling them for crawl; via_link should be 1 if the
|
||||||
URL came from an explicit link or user input, 0 if brute-forced.
|
URL came from an explicit link or user input, 0 if brute-forced.
|
||||||
|
@ -332,6 +341,7 @@ extern u32 num_deny_urls,
|
||||||
|
|
||||||
extern u32 max_depth,
|
extern u32 max_depth,
|
||||||
max_children,
|
max_children,
|
||||||
|
max_descendants,
|
||||||
max_trylist,
|
max_trylist,
|
||||||
max_guesses;
|
max_guesses;
|
||||||
|
|
||||||
|
|
|
@ -40,7 +40,10 @@ do not accept any new cookies
|
||||||
maximum crawl tree depth (default: 16)
|
maximum crawl tree depth (default: 16)
|
||||||
.TP
|
.TP
|
||||||
.B \-c max_child
|
.B \-c max_child
|
||||||
maximum children to index per node (default: 1024)
|
maximum children to index per node (default: 512)
|
||||||
|
.TP
|
||||||
|
.B \-x max_desc
|
||||||
|
maximum descendants to index per crawl tree branch (default: 8192)
|
||||||
.TP
|
.TP
|
||||||
.B \-r r_limit
|
.B \-r r_limit
|
||||||
max total number of requests to send (default: 100000000)
|
max total number of requests to send (default: 100000000)
|
||||||
|
|
14
skipfish.c
14
skipfish.c
|
@ -89,6 +89,7 @@ static void usage(char* argv0) {
|
||||||
|
|
||||||
" -d max_depth - maximum crawl tree depth (%u)\n"
|
" -d max_depth - maximum crawl tree depth (%u)\n"
|
||||||
" -c max_child - maximum children to index per node (%u)\n"
|
" -c max_child - maximum children to index per node (%u)\n"
|
||||||
|
" -x max_desc - maximum descendants to index per branch (%u)\n"
|
||||||
" -r r_limit - max total number of requests to send (%u)\n"
|
" -r r_limit - max total number of requests to send (%u)\n"
|
||||||
" -p crawl%% - node and link crawl probability (100%%)\n"
|
" -p crawl%% - node and link crawl probability (100%%)\n"
|
||||||
" -q hex - repeat probabilistic scan with given seed\n"
|
" -q hex - repeat probabilistic scan with given seed\n"
|
||||||
|
@ -133,9 +134,9 @@ static void usage(char* argv0) {
|
||||||
" -s s_limit - response size limit (%u B)\n\n"
|
" -s s_limit - response size limit (%u B)\n\n"
|
||||||
|
|
||||||
"Send comments and complaints to <lcamtuf@google.com>.\n", argv0,
|
"Send comments and complaints to <lcamtuf@google.com>.\n", argv0,
|
||||||
max_depth, max_children, max_requests, DEF_WORDLIST, MAX_GUESSES,
|
max_depth, max_children, max_descendants, max_requests, DEF_WORDLIST,
|
||||||
max_connections, max_conn_host, max_fail, resp_tmout, rw_tmout,
|
MAX_GUESSES, max_connections, max_conn_host, max_fail, resp_tmout,
|
||||||
idle_tmout, size_limit);
|
rw_tmout, idle_tmout, size_limit);
|
||||||
|
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
@ -214,7 +215,7 @@ int main(int argc, char** argv) {
|
||||||
SAY("skipfish version " VERSION " by <lcamtuf@google.com>\n");
|
SAY("skipfish version " VERSION " by <lcamtuf@google.com>\n");
|
||||||
|
|
||||||
while ((opt = getopt(argc, argv,
|
while ((opt = getopt(argc, argv,
|
||||||
"+A:F:C:H:b:Nd:c:r:p:I:X:S:D:PJOYQMZUEK:W:LVT:G:R:B:q:g:m:f:t:w:i:s:o:hu")) > 0)
|
"+A:F:C:H:b:Nd:c:x:r:p:I:X:S:D:PJOYQMZUEK:W:LVT:G:R:B:q:g:m:f:t:w:i:s:o:hu")) > 0)
|
||||||
|
|
||||||
switch (opt) {
|
switch (opt) {
|
||||||
|
|
||||||
|
@ -362,6 +363,11 @@ int main(int argc, char** argv) {
|
||||||
if (!max_children) FATAL("Invalid value '%s'.", optarg);
|
if (!max_children) FATAL("Invalid value '%s'.", optarg);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case 'x':
|
||||||
|
max_descendants = atoi(optarg);
|
||||||
|
if (!max_descendants) FATAL("Invalid value '%s'.", optarg);
|
||||||
|
break;
|
||||||
|
|
||||||
case 'p':
|
case 'p':
|
||||||
crawl_prob = atoi(optarg);
|
crawl_prob = atoi(optarg);
|
||||||
if (!crawl_prob) FATAL("Invalid value '%s'.", optarg);
|
if (!crawl_prob) FATAL("Invalid value '%s'.", optarg);
|
||||||
|
|
Loading…
Reference in New Issue