- Added Host header XSS testing.
- Added HTML encoding XSS tests to detect scenarios where our
injection string ends up in an attributes that execute HTML encoded
Javascript. For example: onclick.
- Bruteforcing is now disabled for URLs that gave a directory listing.
- Added subject alternate name checking for SSL certificates (cheers
to Matt Caroll for his feedback)
- Added signature matching (see doc/signatures.txt) which means a lot
of the content based issues are no longer hardcoded.
- Added active XSSI test. The passive XSSI stays (for now) but this
active check is more acurate and will remove issues detected by the
passive one if they cannot be confirmed. This reduces false
positives
- Added HTML tag XSS test which triggers when our payload is used
as a tag attribute value but without quotes (courtesy of wavsep).
- Added javascript: scheme XSS testing (courtesy of wavsep).
- Added form based authentication. During these authenticated
scans, skipfish will check if the session has ended and re-authenticates
if necessary.
- Fixed a bug where in slow scans the console output could mess up
due to the high(er) refresh rate.
- Fixed a bug where a missed response during the injection tests could
result in a crash. (courtesy of Sebastian Roschke)
- Restructure the source package a bit by adding a src/, doc/ and
tools/ directory.
- Crawler update which gives more control over the injection test
scheduling. This comes with the --checks and --checks-toggle
flags to display and enable/disable checks.
- Pages where the response varies are no longer completely
discarded. Instead now we only disable tests that require stability
which increases scan coverage.
- Split the traversal and disclosure test to increase coverage:
traversal checks require stable pages, the disclosure checks can be
performed on all.
- Updated dictionaries and converted them to use the dictionary
optimisations we introduced in 2.03b
- Fixed offline report viewing (thanks to Sebastian Roschke)
- Added NULL byte file disclosure tests
- Added JSP inclusion error check to analyse.c
- Added XSS injection tests for cookies
- Directory listings are now reported as individual (info-type) issues
- Added warning in case the negotiated SSL cipher turns out to be a
weak one (leaving the cipher enumeration to network scanners)
- Added experimental -v flag which can be used to enable (limited)
runtime reporting. This output is written to stderr and should be
redirected to a file, unless you use the -u flag.
- The man page has been rewritten and now includes detailed
descriptions
and examples.
- A whole bunch of small bug fixes
- Option -V eliminated in favor of -W / -S.
- Option -l added to limit the maximum requests per second
(contributed by Sebastian Roschke)
- Option -k added to limit the maximum duration of a scan (contributed
by Sebastian Roschke)
- Support for #ro, -W-; related documentation changes.
- HTTPS -> HTTP form detection.
- Added more diverse traversal and file disclosure tests (including
file:// scheme tests)
- Improved injection detection in <script> sections, where a ' or "
is all we need to inject js code.
- Added check to see if our injection strings end up server
Set-Cookie,
Set-Cookie2 and Content-Type reponse headers
- URLs that give us a Javascript response are now tested with a
"callback=" parameter to find JSONP issues.
- Fixed "response varies" bug in 404 detection where a stable page
would be marked unstable.
- Bugfix to es / eg handling in dictionaries.
- Added the "complete-fast.wl" wordlist which is an es / eg optimized
version of "complete.wl" (resulting in 20-30% fewer requests).
- Substantial improvement to SQL injection checks.
- Improvements to directory traversal checks (courtesy of Niels Heinen).
- Fix to numerical brute-force logic.
- Major improvement to directory brute force: much better duplicate elimination in some webserver configurations.
- Added a check for attacker-controlled prefixes on inline responses. This currently leads to UTF-7 BOM XSS, Flash, Java attacks (thanks to Niels Heinen).
- Minor bug fix to path parsing to avoid problems with /.$foo/,
- Improved PHP error detection (courtesy of Niels Heinen),
- Improved dictionary logic (courtesy of Niels Heinen) and new documentation of the same,
- Improved support for file.ext keywords in the dictionary,
- Fixed missing content_checks() in unknown_check_callback()(courtesy of Niels Heinen),
- Improved an oversight in dictionary case sensitivity,
- Improved pivots.txt data,
- Support for supplementary read-only dictionaries (-W +dict),
- Change to directory detection to work around a certain sneaky server behavior.
- TODO: Revise dictionaries!!!
- Security: fixed a potential read past EOB in scrape_response() on
zero-sized payloads. Credit to Jeff Johnson.
- Removed redundant fdopen() in dictionary management,
- Several new wordlist entries, courtesy of Glastopf Honeypot:
http://glastopf.org/index.php
- A tweak to path mapping detection logic to detect certain path mappings.
- Makefile now honors external LDFLAGS, CFLAGS.
- Some more documentation tweaks.
- PUT detection logic.
Steve Pinkham