Steve Pinkham
514ec354db
1.74b:Non-HTTPS password form analysis added.
2010-11-21 07:37:01 -05:00
Steve Pinkham
8f1f9b0e0f
1.73b: Silence some pointless compiler warnings on newer systems.
2010-11-20 20:45:05 -05:00
Steve Pinkham
ecb2517547
1.72b: Minor beautification stuff.
2010-11-18 10:37:31 -05:00
Steve Pinkham
2e4f8fa7a7
1.71b: better duplicate node detection, new report diff tool and child signatures in report
- Child signatures now exposed in the report,
- Improvements to duplicate node detection,
- sfscandiff tool added to compare reports.
2010-11-17 22:07:04 -05:00
Steve Pinkham
e5f6c3e1b1
1.70b: improve SQL syntax detection and allocator flag cleanup
- Improved SQL syntax detection slightly to avoid phone number FP.
- Removed obsolete allocator flags.
2010-11-17 22:05:27 -05:00
Steve Pinkham
69e6c20648
1.69b: parameter encoding, User-Agent, password fixes
- Minor improvements to parameter encoding, User-Agent controls.
- Password detector improvement.
2010-10-01 00:00:03 -04:00
Steve Pinkham
de39e6a7a3
1.67b: Improved dir detection
2010-09-20 16:17:08 -04:00
Steve Pinkham
3abc965d68
Version 1.66b: Dir detection and dictionary updates
2010-09-20 16:14:23 -04:00
Steve Pinkham
5b119c8e7f
1.65b: dictionary & CSS MIME sniffing improvements
- Relaxed MIME matching on claimed CSS/JS that fails MIME sniffing logic.
- Proper detection of @media in CSS.
2010-09-10 12:59:06 -04:00
Steve Pinkham
ce8e52b8fb
1.64b: param injection WordPress improvements
2010-09-07 13:27:26 -04:00
Steve Pinkham
aed5e5bea0
1.63b: WordPress param injection fixes
Changed param injection check slightly to work better with WordPress.
2010-08-30 20:43:46 -04:00
Steve Pinkham
3a220b94d2
1.62b: Further refinements to content classifier.
2010-08-30 20:43:10 -04:00
Steve Pinkham
af1a154ac8
1.61b: Further refinements to content classifier.
2010-08-27 11:47:51 -04:00
Steve Pinkham
5e85684e40
1.60b: Minor sniffer fix to better handle CSV file checks
2010-08-27 11:47:18 -04:00
Steve Pinkham
512dfe7ea6
1.59b: Fixed several file POI checks that depended on MIME information.
2010-08-27 11:46:12 -04:00
Steve Pinkham
42d17c7921
1.58b: Descendant limit checks added.
2010-08-21 15:56:47 -04:00
Steve Pinkham
768867c93b
1.57b: Splash screen added (grr).
2010-08-20 17:38:17 -04:00
Steve Pinkham
5d4c67bd53
1.56b: Attack logic improvements
- Path-based injection attacks now also carried out on file / pathinfo nodes.
- Minor bugfix to try_list logic.
- Slight tweak to form parsing to properly handle specified but empty action= strings.
2010-08-20 11:47:57 -04:00
Steve Pinkham
1794a045a0
1.55b: Improved 404 directory no-parse checks.
2010-08-09 10:52:11 -04:00
Steve Pinkham
701f665ab9
1.53b-1.54b: Improved loop detector and JSON discriminator
- Improved loop detector on mappings that only look at the last path segment.
- Slight improvement to JSON discriminator.
2010-08-09 10:49:43 -04:00
Steve Pinkham
c4ad54fe2f
1.52b: Fixed HTTP read loop after 1.48b.
2010-07-27 11:17:52 -04:00
Steve Pinkham
9674a65163
Bugfix to 1.50b release
2010-07-27 11:16:29 -04:00
Steve Pinkham
c215134fbe
1.50b: memleak fix, change some exit() to abort()
- abort() instead of exit() in several places.
- Cleaned up mem leak, incorrect use of ck_free() in IDN handling.
2010-07-27 11:13:05 -04:00
Steve Pinkham
b9594e48fa
1.49b: Allocator and dir listing changes
- Minor improvement to the allocator,
- Several directory listing signatures added.
2010-07-05 22:45:35 -04:00
Steve Pinkham
0d9f8c7fc5
1.48b: SSL handling bugfixes
- A fix to SSL handling to avoid mystery fetch failures when talking to certain servers.
2010-07-05 22:43:58 -04:00
Steve Pinkham
99fdd5f699
1.47b: performance and compilation changes
- Minor tweaks around compiler warnings, etc.
- Versioned directories now in use.
- malloc_usable_size ditched in favor of djm's trick.
- Minor performance tweaks as suggested by Jeff Johnson.
2010-07-05 22:41:31 -04:00
Steve Pinkham
72804b90f0
1.46b: Security fix and cleanup
- Security: fixed a potential read past EOB in scrape_response() on zero-sized payloads. Credit to Jeff Johnson.
- Removed redundant fdopen() in dictionary management.
2010-07-05 10:10:59 -04:00
Steve Pinkham
38ca4b24a5
1.45b: Reporting improvements
- Minor aesthetic tweaks to the report viewer.
- Report subnode ordering now a bit saner.
2010-06-30 12:46:02 -04:00
Steve Pinkham
7548514234
1.44b: Improve SQL injection detection
- Significant improvement to numerical SQL injection detector.
- Minor tweak to SQL message detection rules.
2010-06-29 10:10:17 -04:00
Steve Pinkham
98ffe73aba
1.43b: Reduce the likelihood of crawl loops
- Improvement to reduce the likelihood of crawl loops: do not extract links if current page identical to parent.
2010-06-29 10:08:21 -04:00
Steve Pinkham
d0ce4e0db9
1.42b: Fix to SQL injection detection with empty parameters.
2010-06-29 10:06:30 -04:00
Steve Pinkham
d4b1cd630e
1.41b: if response varies, directory brute force is also skipped.
2010-06-21 10:57:40 -04:00
Steve Pinkham
2d658f5126
1.40b: Command-line option not to descend into 5xx directories.
2010-06-21 10:55:54 -04:00
Steve Pinkham
15c43e8675
1.38b: Small bugfixes
- Decompression now honors user-specified size limits more reliably.
- Retry logic corrected to account for certain Oracle servers.
- Terminal I/O fix for debug mode.
2010-06-21 10:53:17 -04:00
Steve Pinkham
30aa479d14
1.37b: NULL ptr with -F fixed.
2010-06-15 15:44:36 -04:00
Steve Pinkham
822e4f67e1
Version 1.35 and 1.36 - various changes
Version 1.36b:
- Command-line support for parameters that should not be fuzzed.
- In-flight URLs can be previewed by hitting 'return'.
Version 1.35b:
- Several new form autocomplete rules.
2010-06-14 21:31:24 -04:00
Steve Pinkham
347a8b4b58
1.34b: A small tweak to file / dir discriminator logic to accommodate quirky frameworks.
2010-05-06 22:59:07 -04:00
Steve Pinkham
8d7293fb5f
1.33b - New SQL error sig and text page detector tweaks
- New SQL error signature added.
- Improved tolerance for tabs in text page detector.
2010-04-22 23:01:39 -04:00
Steve Pinkham
23205f4600
1.32b - A minor fix for embedded URL auth detection
2010-04-19 20:27:39 -04:00
Steve Pinkham
a4a2b9130c
1.31b: Fix to detect <frame> tags, and fix commenting out USE_COLOR
- Compilation with USE_COLOR commented out now works as expected.
- Fix to detect <frame> tags.
2010-04-15 09:17:53 -04:00
Steve Pinkham
095e83d582
1.30b - Support <button> tag and fix compiler warnings
- Support for the (rare) <button> tag in forms.
- Fixed compiler warning on some platforms.
2010-04-08 22:03:37 -04:00
Steve Pinkham
9236e119f7
Further fixes for forms with no action= URL
2010-04-02 13:46:59 -04:00
Steve Pinkham
c9b575c01e
1.28b - added host IP to stats screen, -u for quiet mode, handle forms with no action= URL
- Forms with no action= URL are now handled correctly.
- New option (-u) to suppress realtime info,
- Destination host displayed on stats screen.
2010-04-02 09:45:44 -04:00
Steve Pinkham
5918f62bbc
1.27b - Tweaks to CFLAGS and man page added
- Tweak to CFLAGS ordering to always enforce FORTIFY_SOURCE.
- Man page added.
2010-03-30 17:23:09 -04:00
Steve Pinkham
dc378471b7
1.26b - phtml added to the dictionary, and another MALLOC_CHECK workaround
2010-03-26 09:39:20 -04:00
Steve Pinkham
b05dbeedfa
1.25b - Limit # of requests with the same path
- A limit on the number of identically named path elements added. This is a last-resort check against endless recursion (e.g., for 'subdir' -> '.' symlinks).
2010-03-25 00:36:04 -04:00
Steve Pinkham
71f2ea83b4
1.24b - XSS detection now accounts for commented out text.
2010-03-25 00:33:41 -04:00
Steve Pinkham
ffa63decdb
1.23b - XHTML vs HTML changes
- A minor improvement to XHTML detection.
- HTML vs XHTML mismatches no longer trigger a warning.
2010-03-25 00:32:32 -04:00
Steve Pinkham
942cb96f58
1.22b - bugfix - URL parser now accounts for its own \.\ injection pattern.
2010-03-25 00:31:24 -04:00
Steve Pinkham
50c87f0348
1.20b - URL parser now accounts for its own \.\ injection pattern. bugfix
2010-03-25 00:29:30 -04:00