Comments (9)
Good point. This is fixed in version 1.28, coming soon.
Original comment by [email protected]
on 31 Mar 2010 at 7:31
- Changed state: Fixed
from skipfish.
FYI:
Just downloaded the newest 1.28b and the bug does NOT seem to be fixed. It
still
ignores such kind of forms:
<form method="post">
or
<form action="" method="post">
Original comment by [email protected]
on 2 Apr 2010 at 8:27
from skipfish.
Yeah, sorry. Really fixed in 1.29.
Original comment by [email protected]
on 2 Apr 2010 at 5:10
from skipfish.
That's weird... but it still doesn't seem to be fixed. Checked on this forms:
<form method="post">
and
<form method="post" action="">
Original comment by [email protected]
on 5 Apr 2010 at 12:57
from skipfish.
Both cases work for me. Please double check you're using the current version,
and that
the page with the form itself is being crawled. You can use 'make debug' to get
a raw
crawl log, too.
Original comment by [email protected]
on 5 Apr 2010 at 5:06
from skipfish.
Hmm... I think I got it. It didn't work b/c I used -I param.
However it's probably a bug b/c my -I value is matching the form's URL.
It starts to submit when I either remove -I or add -I="" (empty string)
Original comment by [email protected]
on 5 Apr 2010 at 5:41
from skipfish.
Michal,
If you don't think that this is a bug, can you please tell me how can I check
the
exact set of pages www.site.com/xxx1, www.site.com/xxx2, www.site.com/xxx3, ...
so
that skipfish will send the forms on the pages listed and will ignore all other
URLs.
When I try this: `skipfish -I 'xxx' www.site.com/xxx1` it doesn't see the auth
forms
due to the bug described above
When I try `skipfish -I 'xxx' -I '' www.site.com/xxx1` it starts submitting the
forms
but it also crawls every other page on the site (e.g. www.site.com/yyy) which
is not
desired.
Thanks.
Original comment by [email protected]
on 6 Apr 2010 at 9:36
from skipfish.
It would be a bug, but I can't reproduce: providing -I rules that *both* allow
the
scanner to reach and parse the page containing the form, and then allow the
scanner
to submit to form target, should work. I just tested it in the scenario you
described, and I could not reproduce.
There's one corner case where you might be running into a problem: if the form
is in
index.html, and you have -I http://www.example.com/index.html; skipfish will
attempt
to fetch / on the server first for the purpose of calibrating 404 checks - and
will
not explicitly parse /index.html later on, because the response will be
identical
with what it already examined. However, the form returned on / will have a
submit
target that does not match the -I rule, and will not be submitted.
If that sounds like your problem... well, that's sort of the price of not
providing
action= URLs on forms, I am not sure how to address it without causing side
effects.
Original comment by [email protected]
on 6 Apr 2010 at 9:50
from skipfish.
Yeah, that's exactly my case. What's a pity.
Actually I'm going to test a part of a site which shows login form on every
request
page until user is logged in. So it shows the same form for /xxx and / until
user is
logged in. This is technically just as your index.html example.
Ok, I believe that's not an easy fix so I'll skip trying to make this scan for
now.
However in my personal feelings that's not a very rare case when a huge portals
can
show the same login page on any request until you're logged in. Probably
grabbing
cookies can help in such cases (but not in mine - cookies expire too fast). But
at
the same time such behavior isn't obvious until the close investigation.
Anyway, thanks for your help, and thanks for the great tool - it's still very,
very
helpful and efficient.
Original comment by [email protected]
on 6 Apr 2010 at 11:46
from skipfish.
Related Issues (20)
- Skipfish -I option doesn't properly work HOT 1
- Skipfish to slow under cygwin HOT 1
- I cant get google play to open. HOT 1
- Patch for /trunk/README
- on Gmail Search button not working properely refreshes the page instead of doing search operations HOT 1
- Add ability to exclude pages by content
- Enter one-line summary
- URL for arachni has changed
- how it work? HOT 1
- Preprocessor use of USE_COLOR (config.h, debug.h) is inconsistent
- Documentation detailing how vulnerabilities are determined
- Hello HOT 1
- Getting the Authentication error even after login form has been authenticated.
- "><img src=x onerror=prompt(0)> HOT 2
- Enter one-line summary
- Use Firing Range to make sure the scanner is tested for recognition of modern vulnerabilities HOT 1
- did my husband add his email on mine so he can see everything i do? All his adresses ad to mine is there a connection spmewhere to [email protected] his email?
- ive been hackedbyyour iwn tools HOT 1
- Install Skipfish globally in Ubuntu 14.04
- Enter one-line summary
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from skipfish.