Skipfish Changelog

What's new in Skipfish 2.10 Beta

Dec 4, 2012
  • Updated the HTML tags and attributes checked for URL XSS injections to also include a few HTML5-specific ones
  • Updated the test and description for semicolon injection in HTML meta refresh tags (this is IE6-specific)
  • Relaxed HTML parsing a bit to allow spaces between HTML tag attributes and their values (e.g. "foo =bar").
  • Major update of the LFI tests, adding more dynamic tests (double encoding, a varying number of ../'s for web.xml). The total number of tests for this vulnerability is now 40 per injection point.
  • The RFI test is now a separate test and no longer requires special compile options. The default RFI URL and its payload check are still defined in src/config.h.
  • Using the --flush-to-disk flag causes requests and responses to be flushed to disk, which reduces the memory footprint (especially noticeable in large scans).
  • Fixed a bug where in some conditions (e.g. a page looks similar to another) links were not scraped from responses, which caused links to be missed (thanks to Anurag Chaurasia for reporting)
  • Added configuration file support with the --config flag. In config/example.conf you can find flags and examples.
  • Several signature keyword enhancements have been made. Most significant are the "header" keyword, which allows header matching, and the "depend" keyword, which allows signature chaining.
  • Fixed basic authentication, which had been broken since 2.08b. Cheers to Michael Stevens for reporting.
  • Fixed -k scheduling, where 1:0:0 would count as a second instead of an hour (and vice versa). Cheers to Claudio Criscione for reporting.
  • Small fix to compile-time warnings
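The traversal probes described above (varying ../ depth, single and double URL encoding), together with the NULL-byte disclosure tests from 2.06b and the file:// form from 2.04b, as an added Python example. This is not Skipfish's own code (Skipfish is written in C) nor its exact 40-payload set; the target list, the response signatures and the fake responder are constructed for illustration.

```python
"""Traversal / file-disclosure probes with variable depth and encoding.

Added example in Python (Skipfish is C; this is not its code or its exact
payload set). It illustrates the 2.10b LFI update: the number of ../ needed
to reach e.g. WEB-INF/web.xml depends on where the vulnerable script sits,
so depth is varied, and each path is sent plain, URL-encoded and
double-URL-encoded because decoding may happen before or after a filter.
NULL-byte truncation (2.06b) and a file:// form (2.04b) are included.
The target list, signatures and the fake responder are constructed.
"""
from urllib.parse import quote, unquote

# file to disclose -> substring expected in it (constructed signatures)
TARGETS = {
    "WEB-INF/web.xml": "<web-app",
    "etc/passwd": "root:x:0:0",
}


def encode(path, level):
    """level 0: only bytes that cannot travel raw (e.g. NUL -> %00);
    level 1: every '/' and NUL encoded once (%2F, %00);
    level 2: level 1 encoded again (%252F, %2500)."""
    if level == 0:
        return quote(path, safe="/")
    once = quote(path, safe="")
    return once if level == 1 else quote(once, safe="")


def traversal_payloads(target, max_depth=8):
    """All depth/suffix/encoding combinations for one target, shallow first."""
    payloads = []
    for depth in range(1, max_depth + 1):
        base = "../" * depth + target
        for suffix in ("", "\x00"):          # NUL cuts a server-added extension
            for level in (0, 1, 2):
                payloads.append(encode(base + suffix, level))
    payloads.append("file:///" + target)     # for sinks that open URLs
    return payloads


def find_disclosure(target, send):
    """Send probes until the response carries the target's signature.

    `send(payload) -> body` is supplied by the caller (a real scanner would
    wrap its HTTP client). Returns the first working payload or None.
    """
    signature = TARGETS[target]
    for payload in traversal_payloads(target):
        if signature in send(payload):
            return payload
    return None


def fake_app(payload):
    """Constructed stand-in for a vulnerable app three directories below
    the servlet context: it blocks a literal '../', URL-decodes once, and
    serves the file only at the right depth."""
    if "../" in payload:
        return "blocked"
    path = unquote(payload)
    if path == "../../../WEB-INF/web.xml":
        return "<?xml version='1.0'?><web-app></web-app>"
    return "404"


if __name__ == "__main__":
    print(find_disclosure("WEB-INF/web.xml", fake_app))
```

Against the fake responder the plain payloads are all rejected and the depth-1 and depth-2 probes decode to the wrong path; the first hit is the singly encoded depth-3 probe, which is exactly why a scanner has to vary both depth and encoding rather than send one canonical string.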

New in Skipfish 2.09 Beta (Sep 3, 2012)

  • Fixed a crash that could be triggered during 404 fingerprint failures
  • Signature IDs for detected issues are now stored in the report JSON files.
  • Added mod_status, mod_info, MySQL dump, phpMyAdmin SQL dump and robots.txt signatures.
  • Improved the Flash and Silverlight crossdomain policy signatures to only warn about them when they use wildcards.

New in Skipfish 2.08 Beta (Sep 1, 2012)

  • Added Host header XSS testing.
  • Added HTML encoding XSS tests to detect scenarios where our injection string ends up in an attribute that executes HTML-encoded JavaScript. For example: onclick.
  • Bruteforcing is now disabled for URLs that gave a directory listing.
  • Added Subject Alternative Name checking for SSL certificates (cheers to Matt Caroll for his feedback)
  • Added signature matching (see doc/signatures.txt), which means a lot of the content-based issues are no longer hardcoded.
  • Added an active XSSI test. The passive XSSI test stays (for now), but the active check is more accurate and will remove issues detected by the passive one if they cannot be confirmed. This reduces false positives.
  • Added an HTML tag XSS test which triggers when our payload is used as a tag attribute value without quotes (courtesy of wavsep).
  • Added javascript: scheme XSS testing (courtesy of wavsep).
  • Added form-based authentication. During these authenticated scans, skipfish will check whether the session has ended and re-authenticates if necessary.
  • Fixed a bug where in slow scans the console output could become garbled due to the high(er) refresh rate.
  • Fixed a bug where a missed response during the injection tests could result in a crash. (courtesy of Sebastian Roschke)
  • Restructured the source package a bit by adding src/, doc/ and tools/ directories.
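The three 2.08b reflection checks above (payload as an unquoted attribute value, payload HTML-entity-encoded inside an on* handler, payload inside a javascript: URL), plus the HTML5 URL attributes and the "foo =bar" attribute spacing from 2.10b, as one added Python example. It is not Skipfish's code (Skipfish is C) and its attribute list, probe token and sample page are constructed; Skipfish's own lists live in its source.

```python
"""Classify where a reflected probe string lands in an HTML response.

Added example in Python (Skipfish itself is written in C; this is not its
code). It mirrors three 2.08b checks: the probe reflected as an unquoted
attribute value, the probe reflected HTML-entity-encoded inside an event
handler (e.g. onclick), and the probe reflected inside a javascript: URL.
Attribute values written as `name = value` (2.10b) are accepted. The
attribute list, the probe string and the sample page are constructed.
"""
import html
import re

# Attributes treated as URL sinks; includes HTML5 additions such as
# formaction and poster. Assumption: Skipfish's own list lives in its source.
URL_ATTRS = {"href", "src", "action", "formaction", "poster", "data",
             "cite", "background", "manifest"}

PROBE = "skpf1"  # constructed probe token, not Skipfish's real payload

# One start tag: name, then attributes with optional (possibly spaced) =value
TAG_RE = re.compile(
    r"<([a-zA-Z][\w:-]*)"
    r"((?:\s+[^\s=/>]+(?:\s*=\s*(?:\"[^\"]*\"|'[^']*'|[^\s>]+))?)*)"
    r"\s*/?>", re.S)
ATTR_RE = re.compile(
    r"([^\s=/>]+)(?:\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+))?", re.S)


def _is_js_url(value):
    # Browsers drop ASCII tab/LF/CR inside a URL and ignore leading
    # whitespace, so "java\tscript:" still runs.
    v = re.sub(r"[\t\n\r]", "", value).lstrip().lower()
    return v.startswith("javascript:")


def classify_reflections(body, probe=PROBE):
    """Return (tag, attribute, kind) for every attribute containing the probe.

    kind is one of:
      handler-entity-encoded  probe only visible after HTML decoding, in on*
      javascript-url          probe inside a javascript: URL attribute
      unquoted-attr           probe in an unquoted value: new attrs injectable
      handler-literal         probe literally inside an on* handler
      quoted-attr             probe inside a quoted value (needs quote escape)
    """
    findings = []
    for tag_m in TAG_RE.finditer(body):
        tag = tag_m.group(1).lower()
        for attr_m in ATTR_RE.finditer(tag_m.group(2)):
            name, raw = attr_m.group(1).lower(), attr_m.group(2)
            if raw is None:
                continue
            quoted = raw[0] in "\"'"
            # Compare against the decoded value: &#115;... is still "s" to the
            # browser once the attribute is evaluated.
            decoded = html.unescape(raw[1:-1] if quoted else raw)
            if probe not in decoded:
                continue
            if name.startswith("on") and probe not in raw:
                kind = "handler-entity-encoded"
            elif name in URL_ATTRS and _is_js_url(decoded):
                kind = "javascript-url"
            elif not quoted:
                kind = "unquoted-attr"
            elif name.startswith("on"):
                kind = "handler-literal"
            else:
                kind = "quoted-attr"
            findings.append((tag, name, kind))
    return findings


# Constructed response in which the probe was reflected in several places.
SAMPLE = """<html><body>
<a href="javascript:go('skpf1')">x</a>
<div onclick="run('&#115;&#107;&#112;&#102;&#49;')">y</div>
<input type=text value=skpf1>
<img src="/i/skpf1.png" alt="">
<span title = skpf1>z</span>
<p data-x="skpf1">w</p>
</body></html>"""

if __name__ == "__main__":
    for finding in classify_reflections(SAMPLE):
        print(*finding)
```

The two cases a naive substring search misses are the ones that matter: the onclick value contains no literal "skpf1" at all, and a quoted href is harmless as a plain reflection but executable once its decoded value begins with javascript:. A quoted, non-URL, non-handler reflection is reported at the lowest tier because it still needs a quote breakout to become exploitable.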

New in Skipfish 2.07 Beta (May 30, 2012)

  • Fixed a horrible bug that caused unstable pages not to be marked as such. The result: false positives.
  • A change to fprint_response() will help reduce false positives that could occur for differential tests (i.e. the query and shell injection tests)
  • We now suppress implicit cache warnings when dealing with 302, 303 and 307 redirects.
  • Added --no-checks which allows a scan to be run without any injection tests. This still allows bruteforcing and combines well with the new ability to load URLs from previous scan results.
  • We can now parse the pivots.txt, which can be found in the output directory of older scans. All URLs will be loaded which seriously speeds up recurring scans.
  • Directory bruteforcing now includes a content negotiation trick: using a fake MIME type in the Accept: header causes some servers to offer us files via a 406 response.
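The 406 trick from the last entry, as an added Python example that is not Skipfish's code (Skipfish is C). The probe media type, the sample headers and the sample body are constructed; the body is modelled on the variant list Apache's mod_negotiation puts in its 406 page and the header on the RFC 2295 Alternates format, and the parser accepts either source.

```python
"""Harvest file names from an Apache-style 406 Not Acceptable response.

Added example in Python (not Skipfish's C code). It shows the 2.07b
content negotiation trick: ask for a base name with an Accept header
naming a media type no variant can satisfy; a server doing MultiViews-
style negotiation then answers 406 and lists the variants it actually
has, so /files/backup can reveal backup.tar.gz even though GET /files/backup
would otherwise be a miss. The probe type, the sample headers and body
(modelled on Apache mod_negotiation's error page and the RFC 2295
Alternates header) are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Media type that no real file will be served as (constructed value).
PROBE_ACCEPT = "application/x-nonexistent-type"


def probe_headers():
    """Request headers for the negotiation probe."""
    return {"Accept": PROBE_ACCEPT}


# RFC 2295 variant-description: {"uri" source-quality {type ...} ...}
ALTERNATE_RE = re.compile(r'\{"([^"]+)"\s+[0-9.]+')


class _VariantLinks(HTMLParser):
    """Collect href targets from the list that follows 'Available variants'."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self._after_marker = False

    def handle_data(self, data):
        if "Available variants" in data:
            self._after_marker = True

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self._after_marker:
            for key, value in attrs:
                if key == "href" and value:
                    self.hrefs.append(value)


def variants_from_406(status, headers, body, request_url):
    """Return absolute URLs of the variants a 406 discloses, or [].

    A bare 406 proves nothing: some servers reject unknown Accept values
    for every path, so a finding requires an actual variant list.
    """
    if status != 406:
        return []
    lowered = {k.lower(): v for k, v in headers.items()}
    names = ALTERNATE_RE.findall(lowered.get("alternates", ""))
    parser = _VariantLinks()
    parser.feed(body)
    names += parser.hrefs
    seen, urls = set(), []
    for name in names:
        url = urljoin(request_url, name)   # variants are relative to the probe
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


# Constructed 406 reply to GET /files/backup with the probe Accept header.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=iso-8859-1",
    "TCN": "list",
    "Alternates": '{"backup.tar.gz" 1 {type application/x-gzip}}, '
                  '{"backup.sql" 1 {type text/plain}}',
}
SAMPLE_BODY = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>406 Not Acceptable</title></head><body>
<h1>Not Acceptable</h1>
<p>An appropriate representation of the requested resource could not be found on this server.</p>
Available variants:
<ul>
<li><a href="backup.tar.gz">backup.tar.gz</a> , type application/x-gzip</li>
<li><a href="backup.sql">backup.sql</a> , type text/plain</li>
</ul>
</body></html>"""

if __name__ == "__main__":
    for url in variants_from_406(406, SAMPLE_HEADERS, SAMPLE_BODY,
                                 "http://target.example/files/backup"):
        print(url)
```

Each returned URL is a concrete file to fetch next; feeding them back into the crawl is what turns the 406 into a coverage gain. The status-only short-circuit is deliberate: a server that returns 406 for every path with the probe Accept value would otherwise produce a hit for every wordlist entry.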

New in Skipfish 2.06 Beta (May 14, 2012)

  • Crawler update which gives more control over the injection test scheduling. This comes with the --checks and --checks-toggle flags to display and enable/disable checks.
  • Pages where the response varies are no longer completely discarded. Instead, we now only disable the tests that require stability, which increases scan coverage.
  • Split the traversal and disclosure tests to increase coverage: the traversal checks require stable pages, while the disclosure checks can be performed on all pages.
  • Updated dictionaries and converted them to use the dictionary optimisations we introduced in 2.03b
  • Fixed offline report viewing (thanks to Sebastian Roschke)
  • Added NULL byte file disclosure tests
  • Added JSP inclusion error check to analyse.c
  • Added XSS injection tests for cookies
  • Directory listings are now reported as individual (info-type) issues
  • Added warning in case the negotiated SSL cipher turns out to be a weak one (leaving the cipher enumeration to network scanners)
  • Added experimental -v flag which can be used to enable (limited) runtime reporting. This output is written to stderr and should be redirected to a file, unless you use the -u flag.
  • The man page has been rewritten and now includes detailed descriptions and examples.
  • A whole bunch of small bug fixes

New in Skipfish 2.05 Beta (Mar 6, 2012)

  • Fixed a NULL pointer crash when adding "callback" tests to JavaScript URLs that have a parameter with no value.
  • Bug fix in the redirect callback, which expected 2 responses but, since 2.04b, should actually process 4.

New in Skipfish 2.04 Beta (Feb 27, 2012)

  • Option -V eliminated in favor of -W / -S.
  • Option -l added to limit the maximum requests per second (contributed by Sebastian Roschke)
  • Option -k added to limit the maximum duration of a scan (contributed by Sebastian Roschke)
  • Support for #ro, -W-; related documentation changes.
  • HTTPS -> HTTP form detection.
  • Added more diverse traversal and file disclosure tests (including file:// scheme tests)
  • Improved injection detection in sections where a ' or " is all we need to inject JavaScript code.
  • Added a check to see if our injection strings end up in the server's Set-Cookie, Set-Cookie2 and Content-Type response headers
  • URLs that give us a Javascript response are now tested with a "callback=" parameter to find JSONP issues.
  • Fixed "response varies" bug in 404 detection where a stable page would be marked unstable.
  • Bugfix to es / eg handling in dictionaries.
  • Added the "complete-fast.wl" wordlist which is an es / eg optimized version of "complete.wl" (resulting in 20-30% fewer requests).

New in Skipfish 2.03 Beta (Feb 6, 2012)

  • Fixed a minor glitch in form parsing in analysis.c, courtesy of Niloufar Pahlevan Sadegh.
  • Two database.c bugfixes to wordlist handler, courtesy of Shaojie Wang.