folpindo / skipfish

Automatically exported from code.google.com/p/skipfish
Apache License 2.0
0 stars 0 forks source link

Enhancement Request: Parameter Pollution #118

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I was reading about http parameter pollution. It would be great to include a 
check in Skipfish for possible parameter pollution, which I don't think any 
other open source tool currently scans for.

a good overview: http://www.iseclab.org/people/embyte/slides/bh_series.pdf 

Original issue reported on code.google.com by Charlie....@gmail.com on 27 May 2011 at 2:46

GoogleCodeExporter commented 9 years ago
The generic attacks used by skipfish should be already be sufficient to bypass 
some naive filters; but in general, IPS/WAF evasion does not seem to be a 
particularly useful core functionality of a web scanner. 

It's always preferred to test applications with IPS/WAF disabled (or the 
scanner whitelisted); otherwise, with any tool, you are likely to miss actual 
implementation problems because that specific IPS/WAF is tested with and 
designed to block that particular tool.

Original comment by lcam...@gmail.com on 27 May 2011 at 3:16