1.13b - Improved password and file upload form detection.

This commit is contained in:
Steve Pinkham 2010-03-23 09:58:39 -04:00
parent e29db14ace
commit cb51cd8988
6 changed files with 33 additions and 10 deletions


@ -1,3 +1,8 @@
Version 1.13b:
--------------
- Improved password, file form detection.
Version 1.12b:
--------------

13
README

@ -156,8 +156,9 @@ A rough list of the security checks offered by the tool is outlined below.
- All external URL redirectors (optional).
- Links to unknown protocols.
- Form fields that could not be autocompleted.
- All HTML forms detected.
- Password entry forms (for external brute-force).
- File upload forms.
- All other HTML forms detected.
- Numerical file names (for external brute-force).
- User-supplied links otherwise rendered on a page.
- Incorrect or missing MIME type on less significant content.
@ -443,7 +444,9 @@ improve the tool by contributing code in one of these areas, please let me know:
* Search engine integration (vhosts, starting paths).
* VIEWSTATE decoding.
* More specific PHP tests (eval injection, RFI).
* VIEWSTATE decoding.
* NTLM and digest authentication.
@ -451,12 +454,16 @@ improve the tool by contributing code in one of these areas, please let me know:
currently employed by skipfish; but in the long run, should be provided as
a last-resort option.
* Scan resume option.
* Scan resume option.
* Option to limit document sampling or save samples directly to disk.
* Standalone installation (make install) support.
* Config file support.
* A database for banner / version checks?
-------------------------------------
8. Oy! Something went horribly wrong!
-------------------------------------


@ -448,7 +448,7 @@ static void collect_form_data(struct http_request* req,
struct http_response* orig_res,
u8* cur_str, u8 is_post) {
u8 has_xsrf = 0, pass_form = 0;
u8 has_xsrf = 0, pass_form = 0, file_form = 0;
u32 tag_cnt = 0;
DEBUG("* collect_form_data() entered\n");
@ -550,7 +550,9 @@ static void collect_form_data(struct http_request* req,
}
if (inl_strcasestr(tag_name, (u8*) "passw")) pass_form = 1;
if (!strcasecmp((char*)tag_type, "password") ||
inl_strcasestr(tag_name, (u8*) "passw")) pass_form = 1;
else if (!strcasecmp((char*)tag_type, "file")) file_form = 1;
ck_free(tag_name);
ck_free(tag_type);
@ -577,10 +579,17 @@ final_checks:
if (pass_form) {
problem(PROB_PASS_FORM, req, orig_res, NULL, req->pivot, 0);
} else {
if (tag_cnt && !has_xsrf)
if (tag_cnt && !has_xsrf) {
if (file_form)
problem(PROB_FILE_FORM, req, orig_res, NULL, req->pivot, 0);
problem(PROB_VULN_FORM, req, orig_res, NULL, req->pivot, 0);
else
problem(PROB_FORM, req, orig_res, NULL, req->pivot, 0);
} else {
if (file_form)
problem(PROB_FILE_FORM, req, orig_res, NULL, req->pivot, 0);
else
problem(PROB_FORM, req, orig_res, NULL, req->pivot, 0);
}
}
}
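Review bot: In the final_checks hunk the new file_form test is evaluated before the XSRF verdict, so an upload form with no anti-XSRF token is reported only as the informational PROB_FILE_FORM and the PROB_VULN_FORM finding for that form is lost; as rendered, the `tag_cnt && !has_xsrf` branch never reaches PROB_VULN_FORM once file_form is set. Upload forms are precisely where a missing XSRF token matters most, so PROB_FILE_FORM should be an additional finding and the XSRF classification kept independent of it, as in the excerpt below; the same precedence question applies to pass_form, which still suppresses both the upload and XSRF classifications. Separately, the detection hunk calls `strcasecmp((char*)tag_type, "password")` with no NULL check visible; if an `<input>` without a type attribute can reach that line with tag_type == NULL, it needs a guard such as `tag_type && !strcasecmp(...)`, though this may already be handled earlier in collect_form_data, whose body begins outside the hunk.
```c
  if (pass_form) {
    problem(PROB_PASS_FORM, req, orig_res, NULL, req->pivot, 0);
  } else {
    /* Upload capability is an independent property of the form: report it
       alongside, not instead of, the XSRF verdict. */
    if (file_form)
      problem(PROB_FILE_FORM, req, orig_res, NULL, req->pivot, 0);
    if (tag_cnt && !has_xsrf)
      problem(PROB_VULN_FORM, req, orig_res, NULL, req->pivot, 0);
    else
      problem(PROB_FORM, req, orig_res, NULL, req->pivot, 0);
  }
```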


@ -232,8 +232,9 @@ var issue_desc= {
"10503": "All e-mail addresses",
"10504": "Links to unknown protocols",
"10505": "Unknown form field (can't autocomplete)",
"10601": "HTML form found",
"10601": "HTML form (not classified otherwise)",
"10602": "Password entry form - consider brute-force",
"10603": "File upload form",
"10701": "User-supplied link rendered on a page",
"10801": "Incorrect or missing MIME type (low risk)",
"10802": "Generic MIME used (low risk)",


@ -23,7 +23,7 @@
#ifndef _HAVE_CONFIG_H
#define _HAVE_CONFIG_H
#define VERSION "1.12b"
#define VERSION "1.13b"
#define USE_COLOR 1 /* Use terminal colors */


@ -202,6 +202,7 @@ u8 is_c_sens(struct pivot_desc* pv);
#define PROB_FORM 10601 /* XSRF-safe form */
#define PROB_PASS_FORM 10602 /* Password form */
#define PROB_FILE_FORM 10603 /* File upload form */
#define PROB_USER_LINK 10701 /* User-supplied A link */