Closed GoogleCodeExporter closed 8 years ago
The goal is to keep the report fairly self-explanatory to any security-minded
engineer, rather than writing tomes of documentation :-) If there is anything
you would improve, specifically, let me know - but otherwise, I do not intend
to write any extra docs around this part.
The document type overview section is just that - a list of document types
encountered during a crawl, which is often useful in understanding the
operation of the site, and spotting out-of-place data. This is a numbered list.
I'll look to improve the "low risk" note on some of the info entries.
Original comment by lcam...@gmail.com
on 2 Feb 2011 at 6:10
Thanks for the reply.
I am a bit puzzled about the numbers against in the document type overview
section. The site I tested against has so many different documents ( js +
css + images), but only a few are being mentioned here.
Is there any explanation/rule on which of the files will be displayed and
which won't be.
Thanks.
Original comment by sir.john...@gmail.com
on 2 Feb 2011 at 6:18
What does an interesting file mean in the results produced by skipfish? Sorry
if this is not the right place to post..
Original comment by ssvkames...@gmail.com
on 16 Aug 2011 at 10:52
Just that: a file you should probably look at and decide if it should be there.
The "memo" field has more info.
Original comment by lcam...@gmail.com
on 16 Aug 2011 at 10:55
Regarding SQL Injection,I could check in your blog that
'when testing for string-based SQL injection, we compare the results of passing '"original_value, \'\"original_value, and \\'\\"original_value. When the first response is similar to the third one, but different from from the second one - we can, with a pretty high confidence, say that there is an underlying query injection vulnerability (even if query results can't be observed directly). '
Can you please elaborate on this a little more. Or help me with any material of
the kind of pattern analysis?
Original comment by ssvkames...@gmail.com
on 16 Aug 2011 at 11:15
Original comment by niels.he...@gmail.com
on 3 Aug 2012 at 1:43
Original issue reported on code.google.com by
sir.john...@gmail.com
on 2 Feb 2011 at 2:31