Forms w/o an action attribute are not submitted about skipfish HOT 9 CLOSED

Good point. This is fixed in version 1.28, coming soon.

FYI:
Just downloaded the newest 1.28b and the bug does NOT seem to be fixed. It 
still 
ignores such kind of forms:
<form method="post">
or
<form action="" method="post">

Yeah, sorry. Really fixed in 1.29.

That's weird... but it still doesn't seem to be fixed. Checked on this forms:
<form method="post">
and
<form method="post" action="">

Both cases work for me. Please double check you're using the current version, 
and that 
the page with the form itself is being crawled. You can use 'make debug' to get 
a raw 
crawl log, too.

Hmm... I think I got it. It didn't work b/c I used -I param.
However it's probably a bug b/c my -I value is matching the form's URL.

It starts to submit when I either remove -I or add -I="" (empty string) 

Michal,

If you don't think that this is a bug, can you please tell me how can I check 
the 
exact set of pages www.site.com/xxx1, www.site.com/xxx2, www.site.com/xxx3, ... 
so 
that skipfish will send the forms on the pages listed and will ignore all other 
URLs.

When I try this: `skipfish -I 'xxx' www.site.com/xxx1` it doesn't see the auth 
forms 
due to the bug described above

When I try `skipfish -I 'xxx' -I '' www.site.com/xxx1` it starts submitting the 
forms 
but it also crawls every other page on the site (e.g. www.site.com/yyy) which 
is not 
desired.

Thanks.

It would be a bug, but I can't reproduce: providing -I rules that *both* allow 
the 
scanner to reach and parse the page containing the form, and then allow the 
scanner 
to submit to form target, should work. I just tested it in the scenario you 
described, and I could not reproduce.

There's one corner case where you might be running into a problem: if the form 
is in 
index.html, and you have -I http://www.example.com/index.html; skipfish will 
attempt 
to fetch / on the server first for the purpose of calibrating 404 checks - and 
will 
not explicitly parse /index.html later on, because the response will be 
identical 
with what it already examined. However, the form returned on / will have a 
submit 
target that does not match the -I rule, and will not be submitted.

If that sounds like your problem... well, that's sort of the price of not 
providing 
action= URLs on forms, I am not sure how to address it without causing side 
effects.

Yeah, that's exactly my case. What's a pity.
Actually I'm going to test a part of a site which shows login form on every 
request 
page until user is logged in. So it shows the same form for /xxx and / until 
user is 
logged in. This is technically just as your index.html example.

Ok, I believe that's not an easy fix so I'll skip trying to make this scan for 
now. 
However in my personal feelings that's not a very rare case when a huge portals 
can 
show the same login page on any request until you're logged in. Probably 
grabbing 
cookies can help in such cases (but not in mine - cookies expire too fast). But 
at 
the same time such behavior isn't obvious until the close investigation.

Anyway, thanks for your help, and thanks for the great tool - it's still very, 
very 
helpful and efficient.