Closed GoogleCodeExporter closed 9 years ago
Could you perhaps be more specific? There is no actionable info in your report.

SVG should be recognized; what else do you want the scanner to do with it?

JavaScript-originating requests are not supported in a particularly
sophisticated manner, as explained in the documentation; however, there are
very few scanners that genuinely do a good job here - in JS-heavy applications,
using a passive auditing proxy is your best bet.

What do you mean by "mysql" not tested? There are checks for generic SQL
injection bugs that should work in most applications.

SVGZ is a very uncommon extension as far as I can tell, and it's not in the
standard dictionary; but the scanner should be able to learn it based on a scan
of any site that uses .svgz.

Original comment by lcam...@gmail.com on 10 Sep 2010 at 5:03

To be clear, I found skipfish extremely helpful.

Not sure what you mean, but as JS is not well supported I guess no
mysql queries originated.

svgz is common where svg is used...
As IE9 now supports svg it may become very common...

It's not clear whether index.svg or index.svgz were found, but the
report attached only mentions one file where there are two...

http://localhost/honte/

I've only had a small time to investigate, and most of the mimetype
and other errors are bound to be mine.

I had hoped the post and get in the script might have hammered my
database, but...

Best,
Jonathan

Original comment by j...@peepo.com on 10 Sep 2010 at 6:30

I'm not sure there's anything to be done at this point; on svgz - skipfish can
learn new extensions on the go, or you can add them to the dictionary, but I am
trying to strike a balance between testing time and coverage, which means not
adding every extension known to man up front :-)
Original comment by lcam...@gmail.com on 19 Sep 2010 at 4:43

Original issue reported on code.google.com by j...@peepo.com on 10 Sep 2010 at 2:06