Commit Graph

102 Commits

Author SHA1 Message Date
Steve Pinkham 093800c9de 2.10b: Many updates, see changelog 2012-12-21 23:32:24 -05:00
Steve Pinkham e48969d827 Version 2.09b: bugfixes and policy improvements
- Fixed a crash that could be triggered during 404 fingerprint
  failures.
- Signature IDs for detected issues are now stored in the report
  JSON files.
- Added mod_status, mod_info, MySQL dump, phpMyAdmin SQL dump and
  robots.txt signatures.
- Improved the Flash and Silverlight crossdomain policy signatures to
  only warn about them when they use wildcards.
2012-09-12 17:09:00 -04:00
Steve Pinkham c9d5b74896 Version 2.08b: Many changes including dir refactor
- Added Host header XSS testing.
- Added HTML encoding XSS tests to detect scenarios where our
  injection string ends up in an attribute that executes HTML-encoded
  JavaScript. For example: onclick.
- Bruteforcing is now disabled for URLs that gave a directory listing.
- Added subject alternate name checking for SSL certificates (cheers
  to Matt Caroll for his feedback).
- Added signature matching (see doc/signatures.txt) which means a lot
  of the content based issues are no longer hardcoded.
- Added active XSSI test. The passive XSSI stays (for now) but this
  active check is more accurate and will remove issues detected by the
  passive one if they cannot be confirmed. This reduces false
  positives.
- Added HTML tag XSS test which triggers when our payload is used
  as a tag attribute value but without quotes (courtesy of wavsep).
- Added javascript: scheme XSS testing (courtesy of wavsep).
- Added form based authentication. During these authenticated
  scans, skipfish will check if the session has ended and re-authenticates
  if necessary.
- Fixed a bug where in slow scans the console output could mess up
  due to the high(er) refresh rate.
- Fixed a bug where a missed response during the injection tests could
  result in a crash (courtesy of Sebastian Roschke).
- Restructured the source package a bit by adding a src/, doc/ and
  tools/ directory.
2012-09-12 17:06:51 -04:00
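The HTML-encoded event-handler case described in the 2.08b entry above, as an added illustration that is not skipfish's own code: a small Python check that entity-decodes inline event-handler attributes and reports where an injected marker survives intact. The marker string, the `handler_reflections` function and the sample response fragments are assumptions constructed for this example.

```python
import html
import re
from typing import List, Tuple

# Hypothetical injection marker; skipfish's real payloads are not reproduced here.
MARKER = "sfi\"'()"

# Inline event-handler attributes (onclick, onload, onerror, ...) with a
# double-quoted, single-quoted or unquoted value. Deliberately simple: it
# scans tag-like text and does not build a DOM.
_HANDLER_RE = re.compile(
    r"""\b(on[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
    re.IGNORECASE,
)

# Constructed response fragments (not captured from a real target).
# 1) The marker lands inside onclick and the server HTML-encoded it.
ENCODED_ONCLICK = (
    '<a href="#" onclick="track(&#39;sfi&quot;&#39;()&#39;)">go</a>'
)
# 2) The same encoded marker in a text node: inert, the browser never
#    evaluates it as script.
TEXT_NODE = "<p>Results for sfi&quot;&#39;()</p>"
# 3) Encoded marker in a non-handler attribute: also inert on its own.
VALUE_ATTR = '<input name="q" value="sfi&quot;&#39;()">'


def handler_reflections(body: str, marker: str = MARKER) -> List[Tuple[str, str]]:
    """Return (attribute, decoded value) for each event-handler attribute
    whose entity-decoded value still contains the marker intact.

    Browsers decode character references in attribute values before the
    JavaScript parser sees an event handler, so &quot; and &#39; inside
    onclick behave exactly like literal quotes. HTML encoding therefore
    does not neutralise an injection in this position.
    """
    hits: List[Tuple[str, str]] = []
    for m in _HANDLER_RE.finditer(body):
        attr = m.group(1).lower()
        raw = next(g for g in m.groups()[1:] if g is not None)
        decoded = html.unescape(raw)
        if marker in decoded:
            hits.append((attr, decoded))
    return hits


if __name__ == "__main__":
    for label, sample in (("onclick", ENCODED_ONCLICK),
                          ("text node", TEXT_NODE),
                          ("value attr", VALUE_ATTR)):
        print(label, "->", handler_reflections(sample))
```

The check only fires for `on*` attributes because that is the one place where an entity-encoded payload is still live; the same encoded string in a text node or a plain `value` attribute is correctly left alone, which keeps the false-positive rate down.
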
Steve Pinkham a655d5853c Version 2.07b: bugfixes and enhancements
- A bugfix to fprint_response() will help reduce false positives that
  could occur for differential tests (i.e. the query and shell
  injection tests).
- We now suppress implicit cache warnings when dealing with 302, 303
  and 307 redirects.
- Added --no-checks which allows a scan to be run without any
  injection tests. This still allows bruteforcing and combines well with the
  new ability to load URLs from previous scan results.
- We can now parse the pivots.txt, which can be found in the output
  directory of older scans. All URLs will be loaded which seriously
  speeds up recurring scans.
- Directory bruteforcing now includes a content negotiation trick
  where using a fake MIME type in the Accept: header will cause some servers to
  propose us files via a 406 response.
- A fix for a horrible bug which caused unstable pages not to be marked
  as such. The result: false positives.
2012-09-12 16:56:44 -04:00
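The 406 content-negotiation trick from the 2.07b entry above, as an added example that is not skipfish's own code: a Python probe that sends an unacceptable Accept: value for an extension-less path and harvests the candidate file names from the Alternates: header and the HTML body that Apache's mod_negotiation returns. The fake media type, the function names and the sample response are assumptions constructed for this example.

```python
import re
from typing import List

# Hypothetical bogus media type for the probe; any type the server cannot
# serve will do, the point is to make every MultiViews variant unacceptable.
FAKE_ACCEPT = "sfish/nonexistent"


def build_probe(host: str, path: str) -> bytes:
    """Raw HTTP/1.1 request for an extension-less path with a bogus Accept."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Accept: {FAKE_ACCEPT}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


# Constructed response in the shape Apache's mod_negotiation uses for a
# 406 when MultiViews finds candidates for /index but none match Accept.
# The Alternates: header (RFC 2295 syntax) and the HTML body both list the
# candidate files, which is exactly the leak the brute-forcer wants.
SAMPLE_406 = (
    "HTTP/1.1 406 Not Acceptable\r\n"
    "Server: Apache\r\n"
    'Alternates: {"index.php" 1 {type application/x-httpd-php}}, '
    '{"index.html" 1 {type text/html} {length 1234}}\r\n'
    "Vary: negotiate,accept\r\n"
    "TCN: list\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>406 Not Acceptable</title></head><body>\n"
    "<h1>Not Acceptable</h1>\n"
    "An appropriate representation of the requested resource /index "
    "could not be found on this server.\n"
    "Available variants:\n<ul>\n"
    '<li><a href="index.php">index.php</a> , type application/x-httpd-php</li>\n'
    '<li><a href="index.html">index.html</a> , type text/html</li>\n'
    "</ul>\n</body></html>\n"
)

_ALT_RE = re.compile(r'\{"([^"]+)"')
_LI_RE = re.compile(r'<li><a href="([^"]+)">', re.IGNORECASE)


def variants_from_406(raw: str) -> List[str]:
    """Extract the variant file names a 406 response proposes.

    Reads the Alternates: header first and falls back to the HTML list, so
    it works whether or not the server emits TCN headers. Returns a sorted,
    de-duplicated list; anything other than a 406 yields []."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *headers = head.split("\r\n")
    parts = status_line.split()
    if len(parts) < 2 or parts[1] != "406":
        return []
    names = set()
    for h in headers:
        name, _, value = h.partition(":")
        if name.strip().lower() == "alternates":
            names.update(_ALT_RE.findall(value))
    names.update(_LI_RE.findall(body))
    return sorted(names)


if __name__ == "__main__":
    print(build_probe("example.com", "/index").decode())
    print(variants_from_406(SAMPLE_406))
```

Only servers with MultiViews (or an equivalent negotiation module) answer this way; a 404 or 200 for the same probe means the trick does not apply there, which is why the parser returns nothing for any status other than 406.
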
Steve Pinkham d1f54c9fe2 Version 2.06b: Major update, see full commit msg
- Crawler update which gives more control over the injection test
  scheduling. This comes with the --checks and --checks-toggle
  flags to display and enable/disable checks.
- Pages where the response varies are no longer completely
  discarded. Instead now we only disable tests that require stability
  which increases scan coverage.
- Split the traversal and disclosure test to increase coverage:
  traversal checks require stable pages, the disclosure checks can be
  performed on all.
- Updated dictionaries and converted them to use the dictionary
  optimisations we introduced in 2.03b.
- Fixed offline report viewing (thanks to Sebastian Roschke).
- Added NULL byte file disclosure tests.
- Added JSP inclusion error check to analyse.c.
- Added XSS injection tests for cookies.
- Directory listings are now reported as individual (info-type) issues.
- Added warning in case the negotiated SSL cipher turns out to be a
  weak one (leaving the cipher enumeration to network scanners).
- Added experimental -v flag which can be used to enable (limited)
  runtime reporting. This output is written to stderr and should be
  redirected to a file, unless you use the -u flag.
- The man page has been rewritten and now includes detailed
  descriptions and examples.
- A whole bunch of small bug fixes.
2012-09-12 16:48:57 -04:00
Steve Pinkham 771e70eba4 2.05b: crash and redirect fixes
- Fixed a NULL pointer crash when adding "callback" tests to JavaScript
  URLs that have a parameter with no value.
- Bug fix in the redirect callback which expected 2 responses but
  since 2.04b actually should process 4.
2012-03-17 10:06:56 -04:00
Steve Pinkham a46315b1ec 2.04b: See changelog or extended commit message
- Option -V eliminated in favor of -W / -S.
- Option -l added to limit the maximum requests per second
  (contributed by Sebastian Roschke)
- Option -k added to limit the maximum duration of a scan (contributed
  by Sebastian Roschke)
- Support for #ro, -W-; related documentation changes.
- HTTPS -> HTTP form detection.
- Added more diverse traversal and file disclosure tests (including
  file:// scheme tests)
- Improved injection detection in <script> sections, where a ' or "
  is all we need to inject js code.
- Added check to see if our injection strings end up in server
  Set-Cookie, Set-Cookie2 and Content-Type response headers.
- URLs that give us a Javascript response are now tested with a
  "callback=" parameter to find JSONP issues.
- Fixed "response varies" bug in 404 detection where a stable page
  would be marked unstable.
- Bugfix to es / eg handling in dictionaries.
- Added the "complete-fast.wl" wordlist which is an es / eg optimized
  version of "complete.wl" (resulting in 20-30% fewer requests).
2012-03-17 09:59:08 -04:00
Steve Pinkham 987151620c 2.03b: bugfixes
- Fixed a minor glitch in form parsing in analysis.c, courtesy of Niloufar Pahlevan Sadegh.
- Two database.c bugfixes to wordlist handler, courtesy of Shaojie Wang.
2011-08-09 16:09:16 -04:00
Steve Pinkham c7d2a24438 2.02b: Fixed a minor NULL pointer crash in -Y mode 2011-08-09 16:08:08 -04:00
Steve Pinkham 62021819e7 2.01b: A number of improvements
- Substantial improvement to SQL injection checks.
- Improvements to directory traversal checks (courtesy of Niels Heinen).
- Fix to numerical brute-force logic.
- Major improvement to directory brute force: much better duplicate elimination in some webserver configurations.
- Added a check for attacker-controlled prefixes on inline responses. This currently leads to UTF-7 BOM XSS, Flash, Java attacks (thanks to Niels Heinen).
2011-08-09 16:06:35 -04:00
Steve Pinkham 6b2d33edca Version 2.00b: Many improvements
- Minor bug fix to path parsing to avoid problems with /.$foo/,
- Improved PHP error detection (courtesy of Niels Heinen),
- Improved dictionary logic (courtesy of Niels Heinen) and new documentation of the same,
- Improved support for file.ext keywords in the dictionary,
- Fixed missing content_checks() in unknown_check_callback()(courtesy of Niels Heinen),
- Improved an oversight in dictionary case sensitivity,
- Improved pivots.txt data,
- Support for supplementary read-only dictionaries (-W +dict),
- Change to directory detection to work around a certain sneaky server behavior.
- TODO: Revise dictionaries!!!
2011-08-09 16:04:52 -04:00
Steve Pinkham b199943c9d 1.94b: Proxy support and bugfixes
- Proxy support! Currently only works for HTTP, put behind #ifdef PROXY_SUPPORT.
- Change to prefix() and change_prefix() macros to limit the risk of bugs.
2011-08-09 16:03:29 -04:00
Steve Pinkham e7485cd346 1.93b: Major fix to URL XSS detection logic 2011-08-09 16:02:53 -04:00
Steve Pinkham 831a3a497b 1.92b: Reading starting URLs from file now supported (@ prefix). 2011-08-09 16:01:39 -04:00
Steve Pinkham 16bd99b75c 1.91b: More minor fixes to pivots.txt 2011-08-09 16:00:34 -04:00
Steve Pinkham 2c5f161d7b 1.90b: Minor fix to pivots.txt 2011-08-09 15:58:54 -04:00
Steve Pinkham 3e0d5cbd10 1.89b: Save file of discovered URLS
Skipfish now saves all discovered URLs in a single file for third-party tools: pivots.txt.
2011-08-09 15:57:42 -04:00
Steve Pinkham dcc44d94e8 1.88b: Dictionary improvements, contd. 2011-08-09 15:56:54 -04:00
Steve Pinkham 7d164759bc 1.87b: Dictionary improvements. 2011-08-09 15:56:21 -04:00
Steve Pinkham 2b28b72176 1.86b: Auth header and time display fixes
- HTTP auth header value changed from "basic" to "Basic" to compensate for picky web frameworks.
- Minor fix to time display code.
2011-08-09 15:47:01 -04:00
Steve Pinkham 276ce8a5a8 1.85b: Minor refinements to the content analysis module. 2011-03-29 22:20:42 -04:00
Steve Pinkham baf9921f42 1.84b: Option -S removed. 2011-01-10 14:22:09 -05:00
Steve Pinkham 0f835b3def 1.83b: Minor fix to -e behavior. 2011-01-10 14:18:57 -05:00
Steve Pinkham 0717375d0a 1.82b: NULL pointer in is_javascript() fixed. 2011-01-10 14:17:42 -05:00
Steve Pinkham a3473417d9 1.81b: Fix to numerical SQL injection detector logic. 2010-12-03 15:32:05 -05:00
Steve Pinkham 35607dcb58 1.80b: option to not save binary responses, and make charset errors less
noisy by default
- New option (-e) to delete binary payloads.
- -J option is now obsolete (on by default).
2010-12-03 15:30:00 -05:00
Steve Pinkham ffee2aec54 1.79b: Improvement to directory listing detector. 2010-12-03 15:28:04 -05:00
Steve Pinkham 44d86a63b6 1.78b: Fix to -J logic. 2010-11-22 09:26:50 -05:00
Steve Pinkham 39cfa696da 1.77b: Further minor documentation and presentation tweaks. 2010-11-21 20:21:25 -05:00
Steve Pinkham 806e8eedea 1.76b: Major clean-up of dictionary instructions. 2010-11-21 07:43:07 -05:00
Steve Pinkham 088136e95e 1.75b: iPhone U-A support added. 2010-11-21 07:40:21 -05:00
Steve Pinkham 514ec354db 1.74b:Non-HTTPS password form analysis added. 2010-11-21 07:37:01 -05:00
Steve Pinkham 8f1f9b0e0f 1.73b: Silence some pointless compiler warnings on newer systems. 2010-11-20 20:45:05 -05:00
Steve Pinkham ecb2517547 1.72b: Minor beautification stuff. 2010-11-18 10:37:31 -05:00
Steve Pinkham 2e4f8fa7a7 1.71b: better duplicate node detection, new report diff tool and child
signatures in report
- Child signatures now exposed in the report.
- Improvements to duplicate node detection.
- sfscandiff tool added to compare reports.
2010-11-17 22:07:04 -05:00
Steve Pinkham e5f6c3e1b1 1.70b: improve SQL syntax detection and allocator flag cleanup
- Improved SQL syntax detection slightly to avoid phone number FP.
- Removed obsolete allocator flags.
2010-11-17 22:05:27 -05:00
Steve Pinkham 69e6c20648 1.69b: parameter encoding, User-Agent, password fixes
- Minor improvements to parameter encoding, User-Agent controls.
- Password detector improvement.
2010-10-01 00:00:03 -04:00
Steve Pinkham de39e6a7a3 1.67b: Improved dir detection 2010-09-20 16:17:08 -04:00
Steve Pinkham 3abc965d68 Version 1.66b: Dir detection and dictionary updates 2010-09-20 16:14:23 -04:00
Steve Pinkham 5b119c8e7f 1.65b: dictionary & CSS MIME sniffing improvements
- Relaxed MIME matching on claimed CSS/JS that fails MIME sniffing
  logic.
- Proper detection of @media in CSS.
2010-09-10 12:59:06 -04:00
Steve Pinkham ce8e52b8fb 1.64b: param injection Wordpress improvements 2010-09-07 13:27:26 -04:00
Steve Pinkham aed5e5bea0 1.63b: WordPress param injection fixes
Changed param injection check slightly to work better with
WordPress.
2010-08-30 20:43:46 -04:00
Steve Pinkham 3a220b94d2 1.62b: Further refinements to content classifier. 2010-08-30 20:43:10 -04:00
Steve Pinkham af1a154ac8 1.61b: Further refinements to content classifier. 2010-08-27 11:47:51 -04:00
Steve Pinkham 5e85684e40 1.60b: Minor sniffer fix to better handle CSV file checks 2010-08-27 11:47:18 -04:00
Steve Pinkham 512dfe7ea6 1.59b: Fixed several file POI checks that depended on MIME information. 2010-08-27 11:46:12 -04:00
Steve Pinkham 42d17c7921 1.58b: Descendant limit checks added. 2010-08-21 15:56:47 -04:00
Steve Pinkham 768867c93b 1.57b: Splash screen added (grr). 2010-08-20 17:38:17 -04:00
Steve Pinkham 5d4c67bd53 1.56b: Attack logic improvements
- Path-based injection attacks now also carried out on file / pathinfo nodes.
- Minor bugfix to try_list logic.
- Slight tweak to form parsing to properly handle specified but empty action=
  strings.
2010-08-20 11:47:57 -04:00
Steve Pinkham 1794a045a0 1.55b: Improved 404 directory no-parse checks. 2010-08-09 10:52:11 -04:00