From e7485cd346a9502e3728939c49cd72dd8b5bb457 Mon Sep 17 00:00:00 2001 From: Steve Pinkham Date: Tue, 9 Aug 2011 16:02:53 -0400 Subject: [PATCH] 1.93b: Major fix to URL XSS detection logic --- ChangeLog | 5 +++++ Makefile | 2 +- analysis.c | 24 ++++++++++++------------ crawler.c | 12 ++++++------ 4 files changed, 24 insertions(+), 19 deletions(-) diff --git a/ChangeLog b/ChangeLog index f530412..56d2b1a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +Version 1.93b: +-------------- + + - Major fix to URL XSS detection logic. + Version 1.92b: -------------- diff --git a/Makefile b/Makefile index b83b837..138f6dc 100644 --- a/Makefile +++ b/Makefile @@ -20,7 +20,7 @@ # PROGNAME = skipfish -VERSION = 1.92b +VERSION = 1.93b OBJFILES = http_client.c database.c crawler.c analysis.c report.c INCFILES = alloc-inl.h string-inl.h debug.h types.h http_client.h \ diff --git a/analysis.c b/analysis.c index bed61e7..2b14c8a 100644 --- a/analysis.c +++ b/analysis.c @@ -122,10 +122,10 @@ static void test_add_link(u8* str, struct http_request* ref, /* Don't add injected links. */ - if (!strncasecmp((char*)str, "skipfish:", 10) || - !strncasecmp((char*)str, "//skipfish.invalid/", 20) || + if (!strncasecmp((char*)str, "skipfish:", 9) || + !strncasecmp((char*)str, "//skipfish.invalid/", 19) || inl_strcasestr(str, (u8*) "/" BOGUS_FILE) || - !strncasecmp((char*)str, "http://skipfish.invalid/", 25)) return; + !strncasecmp((char*)str, "http://skipfish.invalid/", 24)) return; /* Don't add links that look like they came from JS code with fragmented HTML snippets, etc. */ @@ -1275,9 +1275,9 @@ static void check_js_xss(struct http_request* req, struct http_response* res, !strncmp((char*)last_word, "url", 3) || !strncmp((char*)last_word, "href", 4) || !strncmp((char*)last_word, "write", 5)) && - (!strncasecmp((char*)text + 1,"//skipfish.invalid/", 20) || - !strncasecmp((char*)text + 1,"http://skipfish.invalid/", 25) || - !strncasecmp((char*)text + 1,"skipfish:", 10))) + (!strncasecmp((char*)text + 1,"//skipfish.invalid/", 19) || + !strncasecmp((char*)text + 1,"http://skipfish.invalid/", 24) || + !strncasecmp((char*)text + 1,"skipfish:", 9))) problem(PROB_URL_XSS, req, res, (u8*)"injected URL in JS/CSS code", req->pivot, 0); @@ -1644,7 +1644,7 @@ void content_checks(struct http_request* req, struct http_response* res) { strcasecmp((char*)tag_name, "input")) || !strcasecmp((char*)param_name, "codebase")) && clean_val) { - if (!strncasecmp((char*)clean_val, "skipfish://", 12)) + if (!strncasecmp((char*)clean_val, "skipfish://", 11)) problem(PROB_URL_XSS, req, res, tag_name, req->pivot, 0); /* A bit hairy, but in essence, links to attacker-supplied @@ -1652,8 +1652,8 @@ void content_checks(struct http_request* req, struct http_response* res) { are sorta noteworthy, depending on context; and A links are usually of little relevance. */ - if (!strncasecmp((char*)clean_val, "http://skipfish.invalid/", 25) || - !strncasecmp((char*)clean_val, "//skipfish.invalid/", 20)) { + if (!strncasecmp((char*)clean_val, "http://skipfish.invalid/", 24) || + !strncasecmp((char*)clean_val, "//skipfish.invalid/", 19)) { if (!strcasecmp((char*)tag_name, "script") || !strcasecmp((char*)tag_name, "link")) @@ -1679,14 +1679,14 @@ void content_checks(struct http_request* req, struct http_response* res) { url += 4; if (*url == '\'' || *url == '"') { url++; semi_safe = 1; } - if (!strncasecmp((char*)url, "http://skipfish.invalid/", 25) || - !strncasecmp((char*)url, "//skipfish.invalid/", 20)) + if (!strncasecmp((char*)url, "http://skipfish.invalid/", 24) || + !strncasecmp((char*)url, "//skipfish.invalid/", 19)) problem(PROB_URL_REDIR, req, res, (u8*)"injected URL in META refresh", req->pivot, 0); /* Unescaped semicolon in Refresh headers is unsafe with MSIE6. */ - if (!strncasecmp((char*)url, "skipfish://", 12) || + if (!strncasecmp((char*)url, "skipfish://", 11) || (!semi_safe && strchr((char*)url, ';'))) problem(PROB_URL_XSS, req, res, (u8*)"injected URL in META refresh", req->pivot, 0); diff --git a/crawler.c b/crawler.c index fb2cded..ca41a92 100644 --- a/crawler.c +++ b/crawler.c @@ -980,12 +980,12 @@ static u8 inject_check5_callback(struct http_request* req, if (val) { - if (!strncasecmp((char*)val, "http://skipfish.invalid/", 25) || - !strncasecmp((char*)val, "//skipfish.invalid/", 21)) + if (!strncasecmp((char*)val, "http://skipfish.invalid/", 24) || + !strncasecmp((char*)val, "//skipfish.invalid/", 19)) problem(PROB_URL_REDIR, req, res, (u8*)"injected URL in 'Location' header", req->pivot, 0); - if (!strncasecmp((char*)val, "skipfish://", 12)) + if (!strncasecmp((char*)val, "skipfish://", 11)) problem(PROB_URL_XSS, req, res, (u8*)"injected URL in 'Location' header", req->pivot, 0); @@ -998,14 +998,14 @@ static u8 inject_check5_callback(struct http_request* req, if (*val == '\'' || *val == '"') { val++; semi_safe++; } - if (!strncasecmp((char*)val, "http://skipfish.invalid/", 25) || - !strncasecmp((char*)val, "//skipfish.invalid/", 20)) + if (!strncasecmp((char*)val, "http://skipfish.invalid/", 24) || + !strncasecmp((char*)val, "//skipfish.invalid/", 19)) problem(PROB_URL_REDIR, req, res, (u8*)"injected URL in 'Refresh' header", req->pivot, 0); /* Unescaped semicolon in Refresh headers is unsafe with MSIE6. */ - if (!strncasecmp((char*)val, "skipfish://", 12) || + if (!strncasecmp((char*)val, "skipfish://", 11) || (!semi_safe && strchr((char*)val, ';'))) problem(PROB_URL_XSS, req, res, (u8*)"injected URL in 'Refresh' header", req->pivot, 0);