dtrip / skipfish

Automatically exported from code.google.com/p/skipfish
Apache License 2.0
0 stars 0 forks source link

URLs outside the include pattern/string is checked. #39

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Using skipfish version 1.25b on Debian Testing.

I wanted to check only a subdirectory, so I used the -I option. However,
Skipfish still checks the root (and some directories above the subdirectory).

I used this commandline:
./skipfish -o somedir  -I /~username/dir/ajaxhelper.php
http://example.org/~username/dir/ajaxhelper.php

I notice that I get reports for http://example.org/,
http://example.org/~username/ and http://example.org/~username/dir/ Have I
misunderstood the usage of the -I option?

Original issue reported on code.google.com by hansfn@gmail.com on 25 Mar 2010 at 10:43

GoogleCodeExporter commented 9 years ago
Skipfish still needs to do some rudimentary checks on lower-level directories, 
for 
example to detect 404 patterns. In the process of doing so, it may spot a 
couple of 
security problems.

The option should reliably prevent it from performing injection checks or 
brute-force 
of the out-of-scope locations, though; please let me know if this is not the 
case, 
otherwise, the behavior is intended.

Original comment by lcam...@gmail.com on 25 Mar 2010 at 11:28