crt0mega
/
skipfish
1
0
Fork 0
Code Issues 1 Pull Requests Projects Releases Wiki Activity
skipfish/ChangeLog

529 lines
9.9 KiB
Plaintext
Raw Blame History

Version 1.94b:
--------------
- Proxy support! Currently only works for HTTP, put behind #ifdef
PROXY_SUPPORT.
- Change to prefix() and change_prefix() macros to limit the risk of bugs.
Version 1.93b:
--------------
- Major fix to URL XSS detection logic.
Version 1.92b:
--------------
- Reading starting URLs from file is now supported (@ prefix).
Version 1.90b / 1.91b:
----------------------
- Minor fix to pivots.txt.
Version 1.89b:
--------------
- Skipfish now saves all discovered URLs in a single file for third-party
tools: pivots.txt.
Version 1.88b:
--------------
- Dictionary improvements, contd.
Version 1.87b:
--------------
- Dictionary improvements.
Version 1.86b:
--------------
- HTTP auth header value changed from "basic" to "Basic" to
compensate for picky web frameworks.
- Minor fix to time display code.
Version 1.85b:
--------------
- Minor refinements to the content analysis module.
Version 1.84b:
--------------
- Option -S removed.
Version 1.83b:
--------------
- Minor fix to -e behavior.
Version 1.82b:
--------------
- NULL pointer in is_javascript() fixed.
Version 1.81b:
--------------
- Fix to numerical SQL injection detector logic.
Version 1.80b:
--------------
- New option (-e) to delete binary payloads.
- -J option is now obsolete (on by default).
Version 1.79b:
--------------
- Improvement to directory listing detector.
Version 1.78b:
--------------
- Fix to -J logic.
Version 1.77b:
--------------
- Further minor documentation and presentation tweaks.
Version 1.76b:
--------------
- Major clean-up of dictionary instructions.
Version 1.75b:
--------------
- iPhone U-A support added.
Version 1.74b:
--------------
- Non-HTTPS password form analysis added.
Version 1.73b:
--------------
- Silence some pointless compiler warnings on newer systems.
Version 1.72b:
--------------
- Minor beautification stuff.
Version 1.71b:
--------------
- Child signatures now exposed in the report,
- Improvements to duplicate node detection,
- sfscandiff tool added to compare reports.
Version 1.70b:
--------------
- Improved SQL syntax detection slightly to avoid phone number FP.
- Removed obsolete allocator flags.
Version 1.69b:
--------------
- Minor improvements to parameter encoding, User-Agent controls.
Version 1.68b:
--------------
- Password detector improvement.
Version 1.67b:
--------------
- Improved directory detection logic.
- Some dictionary updates.
Version 1.65b:
--------------
- Relaxed MIME matching on claimed CSS/JS that fails MIME sniffing logic.
- Proper detection of @media in CSS.
Version 1.64b:
--------------
- Changed param injection check slightly to work better with WordPress.
Version 1.62b:
--------------
- Further refinements to content classifier.
Version 1.60b:
--------------
- Minor sniffer fix to better handle CSV file checks.
Version 1.59b:
--------------
- Fixed several file POI checks that depended on MIME information.
Version 1.58b:
--------------
- Descendant limit checks added.
Version 1.57b:
--------------
- Splash screen added (grr).
Version 1.56b:
--------------
- Path-based injection attacks now also carried out on file / pathinfo nodes.
- Minor bugfix to try_list logic.
- Slight tweak to form parsing to properly handle specified but empty action=
strings.
Version 1.55b:
--------------
- Improved 404 directory no-parse checks.
Version 1.54b:
--------------
- Improved loop detector on mappings that only look at the last path segment.
Version 1.53b:
--------------
- Slight improvement to JSON discriminator.
Version 1.52b:
--------------
- Fixed HTTP read loop after 1.48b.
Version 1.51b:
--------------
- abort() instead of exit() in several places.
- Cleaned up mem leak, incorrect use of ck_free() in IDN handling.
Version 1.49b:
--------------
- Minor improvement to the allocator,
- Several directory listing signatures added.
Version 1.48b:
--------------
- A fix to SSL handling to avoid mystery fetch failures when
talking to certain servers.
Version 1.47b:
--------------
- Minor tweaks around compiler warnings, etc.
- Versioned directories now in use.
- malloc_usable_size ditched in favor of djm's trick.
- Minor performance tweaks as suggested by Jeff Johnson.
Version 1.46b:
--------------
- Security: fixed a potential read past EOB in scrape_response() on
zero-sized payloads. Credit to Jeff Johnson.
- Removed redundant fdopen() in dictionary management,
Version 1.45b:
--------------
- Minor aesthetic tweaks to the report viewer.
- Report subnode ordering now a bit saner.
Version 1.44b:
--------------
- Significant improvement to numerical SQL injection detector.
- Minor tweak to SQL message detection rules.
Version 1.43b:
--------------
- Improvement to reduce the likelihood of crawl loops: do not
extract links if current page identical to parent.
Version 1.42b:
--------------
- Fix to SQL injection detection with empty parameters.
Version 1.41b:
--------------
- Logic change: if response varies, directory brute force is
also skipped.
Version 1.40b:
--------------
- Command-line option not to descend into 5xx directories.
Version 1.39b:
--------------
- Option to override 'Range' header from the command line.
Version 1.38b:
--------------
- Decompression now honors user-specified size limits more reliably.
- Retry logic corrected to account for certain Oracle servers.
- Terminal I/O fix for debug mode.
Version 1.37b:
--------------
- NULL ptr with -F fixed.
Version 1.36b:
--------------
- Command-line support for parameters that should not be fuzzed.
- In-flight URLs can be previewed by hitting 'return'.
Version 1.35b:
--------------
- Several new form autocomplete rules.
Version 1.34b:
--------------
- A small tweak to file / dir discriminator logic to accommodate
quirky frameworks.
Version 1.33b:
--------------
- New SQL error signature added.
- Improved tolerance for tabs in text page detector.
Version 1.32b:
--------------
- A minor fix for embedded URL auth detection.
Version 1.31b:
--------------
- Compilation with USE_COLOR commented out now works as expected.
- Fix to detect <frame> tags.
Version 1.30b:
--------------
- Support for the (rare) <button> tag in forms.
- Fixed compiler warning on some platforms.
Version 1.29b:
--------------
- Forms with no action= URL are now handled correctly.
- New option (-u) to suppress realtime info,
- Destination host displayed on stats screen.
Version 1.27b:
--------------
- Tweak to CFLAGS ordering to always enforce FORTIFY_SOURCE.
- Man page added.
Version 1.26b:
--------------
- phtml added to the dictionary.
- Yet another workaround for MALLOC_CHECK_. Grr.
Version 1.25b:
--------------
- A limit on the number of identically named path elements added. This
is a last-resort check against endless recursion (e.g., for 'subdir'
-> '.' symlinks).
Version 1.24b:
--------------
- XSS detection now accounts for commented out text.
Version 1.23b:
--------------
- A minor improvement to XHTML detection.
- HTML vs XHTML mismatches no longer trigger a warning.
Version 1.22b:
--------------
- URL parser now accounts for its own \.\ injection pattern.
Version 1.19b:
--------------
- New ODBC POI added.
- Apache config file detection tightened up.
Version 1.18b:
--------------
- Fix a potential NULL ptr deref with malformed Set-Cookie.
- Another last-resort HTML detection pattern added.
Version 1.17b:
--------------
- JS detector refined not to trigger on certain text/plain inputs.
Version 1.16b:
--------------
- Fixed a typo introduced in 1.16 to index.html (d'oh).
- Further refinements to Makefile CFLAGS / LIBS / LDFLAGS to keep package
maintainers happy.
Version 1.15b:
--------------
- Better documentation on why certain issues are not reported by skipfish.
- Another minor tweak to improve path mapping detection logic.
Version 1.14b:
--------------
- Several new wordlist entries, courtesy of Glastopf Honeypot:
http://glastopf.org/index.php
- A tweak to path mapping detection logic to detect certain path mappings
that may result in crawl loops.
- Makefile now honors external LDFLAGS, CFLAGS.
- Some more documentation tweaks and rewrites.
- PUT detection logic added.
Version 1.13b:
--------------
- Improved password, file form detection slightly.
Version 1.12b:
--------------
- Improved visibility of the KnownIssues page (reports, Makefile).
- The location of assets/ directory is now configurable.
Version 1.11b:
--------------
- SIGWINCH support: you can now cleanly resize your window while scanning.
- Typo in report category name fixed.
- Terminal color fix (for users with non-standard color themes).
- Corrected icons license (GPL -> LGPL).
- Fixed a typo in -b ffox headers.
- Fixed a potential NULL ptr deref when doing form parsing.
Version 1.10b:
--------------
- Fix to extensions-only.wl (some bad keywords removed).
Version 1.09b:
--------------
- Fix for a potential NULL ptr deref in probabilistic scan mode (<100%).
Version 1.08b:
--------------
- A minor improvement to XHTML / XML detection.
Version 1.07b:
--------------
- Several build fixes for FreeBSD, MacOS X (-I, -L paths).
Version 1.06b:
--------------
- Minor documentation updates, typos fixed, etc.
Version 1.05b:
--------------
- A more robust workaround for FORTIFY_SOURCE (MacOS X).
Version 1.04b:
--------------
- Workaround for *BSD systems with malloc J or Z options set by default
(0x5a5a5a5a deref after realloc()).
- A minor tweak to reject certain not-quite-URLs extracted from JS.
Version 1.01b:
--------------
- Workaround for a glitch in FORTIFY_SOURCE on Linux (causing crash
on startup).
Version 1.00b:
--------------
- Initial public release.
Reference in New Issue View Git Blame Copy Permalink