dlee0113 / skipfish

Automatically exported from code.google.com/p/skipfish
Apache License 2.0
0 stars 0 forks source link

Variable extraction from 'Location' header field #89

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Skipfish doesn't seem to extract URL variables when redirected.

I run it with:
./skipfish -I trainer -o skiprep6 -W dictionaries/complete.wl -g 3 -m 3  
http://localhost/zapotek/tests/trainer.php

Test case:
http://github.com/Zapotek/arachni/blob/0.2/tests/trainer.php

Original issue reported on code.google.com by Tasos.La...@gmail.com on 10 Sep 2010 at 1:13

GoogleCodeExporter commented 9 years ago
Do you mean that it does not follow:

Location: ?msg=Congrats!+You+made+it!

...or something else? Formally, it's not a valid form of redirection, but I 
think it should work? What's the exact symptom?

Original comment by lcam...@gmail.com on 10 Sep 2010 at 5:10

GoogleCodeExporter commented 9 years ago
I can't tell if it followed it or not but I'm pretty sure it didn't audit the 
'msg' parameter.
If it had it would have found the XSS vulnerability.

Also, although it followed all the forms properly it didn't audit the 'rfi' 
cookie either, which is set after the second form has been submitted.

I'll run some more tests to see what's happening...

Original comment by Tasos.La...@gmail.com on 10 Sep 2010 at 5:36

GoogleCodeExporter commented 9 years ago
The best way to troubleshoot this is to do:

make clean debug
./skipfish [...usual stuff...] 2>logfile.txt

This will create a detailed crawl log; we be able to see if the scanner 
actually followed the link, if it attempted any injection attacks against the 
URL, and if not, why. 

Original comment by lcam...@gmail.com on 10 Sep 2010 at 6:47

GoogleCodeExporter commented 9 years ago
It seems that I were wrong.
It found both the cookie and the 'msg' var.

This time is reported the msg var to be vulnerable but it took no further 
action regarding the 'rfi' cookie.

It doesn't seem to audit cookies at all.

Original comment by Tasos.La...@gmail.com on 10 Sep 2010 at 7:09

Attachments:

GoogleCodeExporter commented 9 years ago
Nope, cookies are off the limits at this point. Checking them for XSS is 
generally pointless; SQL injection, etc, is more interesting, and it's on my 
TODO list.

Original comment by lcam...@gmail.com on 10 Sep 2010 at 7:45