
Last 7 days

  • Feb 21, 2012
    issue 141 (Can I found my report when "Cannot chdir to") commented on by lne1...@gmail.com - This error happened only once. Maybe I deleted the log dir while skipfish was running... Is there a temporary folder that saves the report when this error happens?
  • Feb 20, 2012
    issue 141 (Can I found my report when "Cannot chdir to") Owner changed by niels.he...@gmail.com - Can you give me the command line and the output of "ls -ld /Users/username/log"? Does this happen every time? Note that the output dir gets created during scan startup, so if it gets removed during the course of the scan, you will get this error.

Last 30 days

  • Feb 14, 2012
    issue 141 (Can I found my report when "Cannot chdir to") reported by lne1...@gmail.com - Something goes wrong when skipfish is about to end, and it outputs: [-] SYSTEM ERROR : Cannot chdir to '/Users/username/log' Stop location : write_report(), report.c:824 OS message : No such file or directory. Can I find my report when this happens?
  • Feb 12, 2012
    issue 140 (http://contribuyente.seniat.gob.ve/BuscaRif/BuscaRif.jsp) Status changed by lcam...@gmail.com   -  
    Status: Invalid
  • Feb 11, 2012
    issue 129 (Record where new word found) changed by niels.he...@gmail.com - Would this be for debugging purposes? If so, does it work for you if you can extract this information from the debug output?
    Labels: Type-Enhancement Priority-Low Type-Defect Priority-Medium
  • Feb 11, 2012
    issue 139 (Report not viewable in Chrome) changed by niels.he...@gmail.com - Yes, this is also described in the known issues section. In Chrome, you can work around this by passing the command-line option --allow-file-access-from-files. Closing this bug, but note that improving this is on the todo list. Unless you already use this flag and it still doesn't work, in which case please ping this issue.
    Status: WontFix
  • Feb 11, 2012
    issue 138 (Installing on Windows XP) commented on by lcam...@gmail.com   -   Eh, you should be able to run it on XP by compiling it under Cygwin. But you're very much on your own.
  • Feb 11, 2012
    issue 138 (Installing on Windows XP) changed by niels.he...@gmail.com   -   I'm sorry, XP is not supported (see documentation)
    Status: WontFix
  • Feb 07, 2012
    issue 139 (Report not viewable in Chrome) reported by p...@p1sec.com   -   menu not clickable
  • Feb 07, 2012
    issue 120 (interim report writing) commented on by p...@p1sec.com   -   Definitely needed.
  • Feb 07, 2012
    issue 138 (Installing on Windows XP) reported by fitz...@gmail.com - Note: before submitting, check: http://code.google.com/p/skipfish/wiki/KnownIssues I am having trouble installing this program on Windows XP from the downloadable folders. Any advice would be helpful. Thanks
  • Feb 06, 2012
    issue 134 (How to prevent Limits Exceeded errors) commented on by Charlie....@gmail.com   -   Thanks for the comments guys. I'll look forward to the new version, and give it a shot limiting reqs/s to see if it corrects. If it's still an issue, I'll try doing a web crawl and flat file input prior to avoid the coverage issue. Thanks!
  • Feb 06, 2012
    issue 128 (option to log all requests) changed by niels.he...@gmail.com - There is (experimental) proxy support in 2.03b. I suggest using that in combination with burpsuite to get insight into all the traffic. Other than that, there is a pivots.txt file in the report where you can find the requested URLs.
    Status: WontFix
    Labels: Type-Enhancement Priority-Low Type-Defect Priority-Medium
  • Feb 05, 2012
    issue 134 (How to prevent Limits Exceeded errors) commented on by lcam...@gmail.com - Not related, but one area for improvement is that if the maximum number of failures is exceeded, the scanner will refuse to schedule new requests, but still processes the current queue (which may be up to a few k requests). We should probably bail out sooner, because if the requests started timing out, this means waiting a longer while. /mz
  • Feb 05, 2012
    issue 137 (Information) commented on by james.j...@gmail.com   -   Thankss!!!
  • Feb 05, 2012
    issue 137 (Information) commented on by james.j...@gmail.com - thanks!!
  • Feb 05, 2012
    issue 133 (parameter false positively marked as "bogus parameter") changed by niels.he...@gmail.com   -   In the event of two parameters with the same name, we only test the first one. I'll look into fixing this (but with low priority). Cheers!
    Status: Accepted
    Labels: Type-Enhancement Priority-Low Type-Defect Priority-Medium
  • Feb 05, 2012
    issue 134 (How to prevent Limits Exceeded errors) changed by niels.he...@gmail.com - Some of the tests we do involve comparison of multiple server responses. If the server is not stable, these tests will start giving false positives. At the same time, the attempt to reduce false positives impacts coverage when testing against unstable servers. You can try the following: 1) Recompile with a higher value for BH_CHECKS. 2) Scan using an input file which contains the URLs you'd like to test. Btw, -m is not enough for throttling the requests per second. You could use "trickle" for this (see known issues section). Or wait until 2.04b, which should be out soon and will have a flag to limit the requests per second. Niels
    Status: Fixed
    Labels: Priority-Low Priority-Medium
  • Feb 05, 2012
    issue 137 (Information) changed by niels.he...@gmail.com   -   Nope, sorry (try Google search or StackOverflow.com)
    Status: Invalid
  • Feb 02, 2012
    issue 137 (Information) reported by james.j...@gmail.com   -   Hello, do you have documentation about Websecurify, w3af, Nikto? Your documents are excellent and have much information. Seeking the benefits and weaknesses of: nikto, WebScarab, ratproxy, skipfish, and websecurify w3af. Thanks, Greetings!
  • Feb 01, 2012
    issue 136 (skip brute force on open dir listing) changed by niels.he...@gmail.com - Thanks for reporting! This definitely seems worth looking into, although we should probably keep in mind that some directory listings hide information (e.g. dot files).
    Labels: Priority-Low Priority-Medium
  • Jan 30, 2012
    issue 136 (skip brute force on open dir listing) reported by jod...@gmail.com - Where skipfish discovers that directory listing is enabled for a certain folder, it would be nice if it didn't waste any time scanning for unlisted content in that folder.

Earlier this year

  • Jan 19, 2012
    issue 135 (How can I build on windows?) commented on by di...@sv2.com.br   -   Thanks and sorry for that
  • Jan 18, 2012
    issue 135 (How can I build on windows?) Status changed by lcam...@gmail.com   -   Use cygwin. Please don't file bugs just to ask a question - e-mail is better.
    Status: Invalid
  • Jan 18, 2012
    issue 135 (How can I build on windows?) reported by di...@sv2.com.br   -   How can I build on windows?
  • Jan 12, 2012
    issue 134 (How to prevent Limits Exceeded errors) reported by Charlie....@gmail.com   -   Hi lcamtuf, How can I prevent errors like 20102 - Limits exceeded, fetch suppressed? (along with the message Too many previous fetch failures) On some websites, I see a very high number of these, and it looks like it prevents the crawler from crawling every page, since pages where this is returned seem to not be indexed or crawled for additional links. My only guess is - Is this a result of a website responding too slowly? (I am seeing these targets sometimes having 1-2 req/sec, even with -m 3 set, which I figure should reduce load on the webserver) Thanks!

Older

  • Dec 12, 2011
    issue 133 (parameter false positively marked as "bogus parameter") commented on by random0...@gmail.com   -   I am running skipfish version 2.03b. The vulnerability "XSS vector in document body" is located only when the variables are renamed to 'a' and 'b'. If there are multiple identically named parameters, this vulnerability will not be discovered. I've attached a file 'index.php' for which skipfish is able to locate the XSS vulnerability. Skipfish is not able to locate the same vulnerability in 'x.php' (which has been attached previously).
  • Dec 08, 2011
    issue 133 (parameter false positively marked as "bogus parameter") commented on by lcam...@gmail.com   -   The "bogus parameter" finding does not prevent XSS detection and other injection tests; it only inhibits dictionary brute-force. Instead, your problem may be that skipfish may be not prepared to deal with multiple identically named parameters. Does it work if you rename the parameters to "a" and "b"? What version are you using?
  • Dec 08, 2011
    issue 133 (parameter false positively marked as "bogus parameter") commented on by random0...@gmail.com - Updated version of the attached example page.
  • Dec 08, 2011
    issue 133 (parameter false positively marked as "bogus parameter") reported by random0...@gmail.com - The attached page x.php contains a parameter 'x' that is vulnerable to XSS. However, this parameter is marked as a "bogus parameter" (in crawler.c), resulting in a false negative for XSS. Using PHP (5.3.8), the last GET parameter of a given name is given priority. Since skipfish performs its bogus check on the first instance of the 'x' parameter, the parameter will be false positively marked as a "bogus parameter".
  • Dec 01, 2011
    issue 111 (Net error) commented on by bradfree...@gmail.com   -   Who were you DenverCoder9? What did you see?!
  • Nov 29, 2011
    issue 128 (option to log all requests) commented on by ebenach...@gmail.com - the skipfish -I option does not work
  • Nov 22, 2011
    issue 59 (Makefile install) commented on by bag...@gmail.com - Jeez - just make an exe for Windows rather than require me to download C etc. and do the make stuff. I'm a simple web programmer who works mainly in php, mysql, js etc. and want something that I don't have to 'make' - that just works. Go on - make it easy for us. I dare you.
  • Nov 20, 2011
    issue 4 (building issue on ubuntu lucid) commented on by mozillal...@gmail.com   -   #8 helped me too. I didn't have libidn11-dev zlib-bin zlibc installed.
  • Oct 28, 2011
    issue 132 (Interpret Report) commented on by lcam...@gmail.com   -   See the "How to interpret and address the issues reported?" section here: http://code.google.com/p/skipfish/wiki/SkipfishDoc
  • Oct 28, 2011
    issue 132 (Interpret Report) commented on by hedges...@gmail.com   -   Could you kindly suggest a method/way where I could begin so as to improve my knowledge and understanding in web security?
  • Oct 19, 2011
    issue 131 (How to Use Skipfish tool?) Status changed by lcam...@gmail.com   -  
    Status: Invalid
  • Oct 19, 2011
    issue 132 (Interpret Report) Status changed by lcam...@gmail.com   -   Unfortunately, I'm not able to assist with this. You need a certain level of proficiency in web security topics to follow the output of the tool, and there is no way around it.
    Status: WontFix
  • Oct 19, 2011
    issue 132 (Interpret Report) reported by hedges...@gmail.com   -   Note: before submitting, check: http://code.google.com/p/skipfish/wiki/KnownIssues Hi, I am new to skipfish and have run a test on my web application. However I cannot interpret the report generated. Could you help me out on this? Thanks
  • Sep 27, 2011
    issue 131 (How to Use Skipfish tool?) reported by navee...@kineticglue.com   -   Note: before submitting, check: http://code.google.com/p/skipfish/wiki/KnownIssues
  • Aug 29, 2011
    issue 130 (expand Randomness description) Status changed by lcam...@gmail.com   -   The short story is that the seed should have no substantial impact if you're not using -p. The reason you might be seeing differences between scans could be that: 1) Skipfish learned a new keyword in one scan, and used it in another, 2) Skipfish exploited a vulnerability (such as stored XSS) in one scan, but discovered the result only in another. 3) Skipfish could not reach all the locations in one scan, for example due to a server error or a timeout; but had more luck in the next run. 4) Some other parallelism-related quirks.
    Status: WontFix
  • Aug 29, 2011
    issue 130 (expand Randomness description) reported by b4sw...@gmail.com - Low priority documentation enhancement request. Expand the description of how randomness is used outside the "-p" option. Currently the doc just says "Randomness is relied upon most heavily in the -p mode, but also for making a couple of other scan management decisions elsewhere." (I'm trying to determine if seeing an issue identified in a later scan that wasn't in an earlier scan is likely due to the scans being run with different random seeds.)
  • Aug 29, 2011
    issue 129 (Record where new word found) reported by b4sw...@gmail.com - Low priority enhancement request. Record the page or request where each new word was found. (Possibly in the dictionary with the word, or maybe by having each word in the "+show trace" header be a link to the provenance of that word.)
  • Aug 29, 2011
    issue 128 (option to log all requests) reported by b4sw...@gmail.com - Low priority enhancement request. Add an option to log all requests and (at least) the first two header lines of the response. Since the log will be large, it might be nice if the log could be written in a compressed format or if it could be easily piped to a compression utility.
  • Aug 29, 2011
    issue 127 (report command line and host) reported by b4sw...@gmail.com   -   Low priority enhancement request. Include hostname from which scan was run and command line parameters in scan results (possibly in top right box that contains Scan date, Total time, etc.)
  • Aug 17, 2011
    issue 126 (pattern analysis for SQL Injection not very clear- please el...) commented on by ssvkames...@gmail.com - Is there any documentation available to help us understand the issue type overview (categories and memos), such as the ones shown below: undefined (2) Memo: response to -2^31 different than to -12345 Memo: response to %dn%dn%dn... different than to %nd%nd%nd... Memo: response suggests arithmetic evaluation on server side Memo: responses to `true` and `false` different than to `uname` Memo: responses for <sfish></sfish> and </sfish><sfish> look different Memo: text/plain Directory listing restrictions bypassed (5) Memo: unique response for /./
  • Aug 16, 2011
    issue 126 (pattern analysis for SQL Injection not very clear- please el...) Status changed by lcam...@gmail.com   -   Please don't file questions as bugs. The design of SQL checks should be fairly evident from the various accompanying documentation, and is essentially aimed to check if the first and last response resulted in a potential syntax error, while the middle one went through OK.
    Status: Invalid
  • Aug 16, 2011
    issue 126 (pattern analysis for SQL Injection not very clear- please el...) reported by ssvkames...@gmail.com - Regarding SQL Injection, I could check in your blog that 'when testing for string-based SQL injection, we compare the results of passing '"original_value, \'\"original_value, and \\'\\"original_value. When the first response is similar to the third one, but different from the second one - we can, with a pretty high confidence, say that there is an underlying query injection vulnerability (even if query results can't be observed directly).' Can you please elaborate on this a little more? Note: before submitting, check: http://code.google.com/p/skipfish/wiki/KnownIssues
  • Aug 16, 2011
    issue 108 (Change "low risk" for 1xxxx issues to something better) commented on by ssvkames...@gmail.com - Regarding SQL Injection, I could check in your blog that 'when testing for string-based SQL injection, we compare the results of passing '"original_value, \'\"original_value, and \\'\\"original_value. When the first response is similar to the third one, but different from the second one - we can, with a pretty high confidence, say that there is an underlying query injection vulnerability (even if query results can't be observed directly).' Can you please elaborate on this a little more, or help me with any material on this kind of pattern analysis?
 
Powered by Google Project Hosting