intruxxer / zaproxy

Automatically exported from code.google.com/p/zaproxy

SVN and other SCM scanners #130

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Not there now

What is the expected output? What do you see instead?

I'd really like for the passive scanner to report on any SVN, CVS, RCS Ids
- Create a list of check-in details, names, dates, comments

The Active Scanner should look for .svn/entries and if there, try to enumerate hidden SVN content via text base.

Other SCMs have similar issues, so it'd be worth finding out more about them and checking on it.

It would be good to have an asynchronous task that Google dorks the various open source repos (github, Google Code, Sourceforge, Savannah, etc) for the code, and tries to match up the file in SCM to what's been found. This would enable a View Source menu feature, for example.

What version of the product are you using? On what operating system?

1.3.0 Mac

Please provide any additional information below.

http://www.red-mercury.com/blog/eclectic-tech/hacking-subversion-entries-file/

Original issue reported on code.google.com by vande...@gmail.com on 17 Jun 2011 at 3:11
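The passive check the issue asks for, as an added example that is not ZAP's own code: it scans already-fetched HTTP response bodies for expanded SCM keywords ($Id$, $Header$, $Revision$, $Date$, $Author$ and their long forms, in both Subversion and CVS/RCS layout), pulls the path, revision, date and author out of each hit, and also flags bodies that look like SCM metadata files served verbatim (.svn/wc.db is a SQLite database; the signatures assumed for .svn/entries and the Git HEAD/config files are from memory of those formats). The URLs and response bodies are constructed sample data, not captures.

```python
"""Passive detector for SCM artefacts in HTTP responses (added example, not ZAP code)."""
import re
from dataclasses import dataclass, field

# Keyword expansions as written by Subversion, CVS and RCS, for example:
#   $Id: index.php 148 2006-07-28 21:30:43Z sally $        (Subversion)
#   $Id: util.js,v 1.12 2006/07/28 21:30:43 sally Exp $    (CVS / RCS)
KEYWORD_RE = re.compile(
    r"\$(?P<keyword>Id|Header|Revision|Rev|LastChangedRevision|Date|LastChangedDate|"
    r"Author|LastChangedBy|Source):\s*(?P<value>[^$\n]*?)\s*\$"
)

# Fields inside an expanded $Id$/$Header$ value: path, revision, date, time, author.
ID_FIELDS_RE = re.compile(
    r"^(?P<path>\S+)\s+(?P<revision>\S+)\s+(?P<date>\d{4}[-/]\d{2}[-/]\d{2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}Z?)\s+(?P<author>\S+)"
)

# Signatures of SCM metadata files served verbatim (assumed formats, see lead-in).
SCM_FILE_SIGNATURES = [
    ("svn-wc.db", re.compile(rb"^SQLite format 3\x00")),   # .svn/wc.db is SQLite
    ("svn-entries", re.compile(rb"^\d+\n\ndir\n")),        # .svn/entries, formats 8-12
    ("git-HEAD", re.compile(rb"^ref: refs/heads/")),
    ("git-config", re.compile(rb"^\[core\]\s*\n\s*repositoryformatversion")),
]


@dataclass
class Finding:
    url: str
    kind: str                 # "scm-keyword" or a signature name from SCM_FILE_SIGNATURES
    evidence: str             # matched text, truncated for the report
    details: dict = field(default_factory=dict)


def scan_response(url: str, body: bytes) -> list:
    """Return every SCM artefact found in one response body."""
    findings = []
    for name, sig in SCM_FILE_SIGNATURES:
        if sig.match(body):
            findings.append(Finding(url, name, body[:40].decode("latin-1")))
    text = body.decode("utf-8", errors="replace")
    for m in KEYWORD_RE.finditer(text):
        details = {"keyword": m.group("keyword")}
        fields = ID_FIELDS_RE.match(m.group("value"))
        if fields:                      # only $Id$/$Header$ carry the full check-in record
            details.update(fields.groupdict())
        findings.append(Finding(url, "scm-keyword", m.group(0)[:120], details))
    return findings


def checkin_summary(findings) -> list:
    """Distinct (author, date, path, revision) tuples: the check-in list the issue asks for."""
    rows, seen = [], set()
    for f in findings:
        if f.kind == "scm-keyword" and "author" in f.details:
            key = (f.details["author"], f.details["date"], f.details["path"], f.details["revision"])
            if key not in seen:
                seen.add(key)
                rows.append(key)
    return rows


# Constructed sample responses, keyed by URL (not real captures).
SAMPLE_RESPONSES = {
    "https://app.example/index.php":
        b"<!DOCTYPE html>\n<!-- $Id: index.php 148 2006-07-28 21:30:43Z sally $ -->\n<html></html>\n",
    "https://app.example/js/util.js":
        b"/* $Id: util.js,v 1.12 2006/07/28 21:30:43 sally Exp $ */\nfunction f(){}\n",
    "https://app.example/.svn/wc.db": b"SQLite format 3\x00" + b"\x00" * 32,
    "https://app.example/.git/HEAD": b"ref: refs/heads/main\n",
    "https://app.example/about.html": b"<html><body>No SCM data here</body></html>",
}


def scan_all(responses=None) -> list:
    """Scan a URL -> body mapping and return all findings."""
    findings = []
    for url, body in (responses or SAMPLE_RESPONSES).items():
        findings.extend(scan_response(url, body))
    return findings


if __name__ == "__main__":
    results = scan_all()
    for f in results:
        print(f"{f.kind:12} {f.url}  {f.evidence!r}  {f.details}")
    for row in checkin_summary(results):
        print("check-in:", row)
```

A rule of this shape is purely passive: it only inspects traffic the proxy has already seen, so it never requests .svn/ or .git/ paths itself; that is what makes it safe to run continuously while a tester browses the application.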

GoogleCodeExporter commented 9 years ago

Original comment by psii...@gmail.com on 17 Jun 2011 at 8:19

GoogleCodeExporter commented 9 years ago
Refer to this project here: https://github.com/anantshri/svn-extractor

Works on both .svn/entries as well as .svn/wc.db.

Maybe it could be utilized to perform the similar task in ZAP.

Original comment by anant@anantshri.info on 19 Apr 2013 at 5:14

GoogleCodeExporter commented 9 years ago
There is now some fairly extensive related functionality in ZAP:
- Spidering of an application using Subversion files found on the web server
- Source Code Disclosure, by extracting the "pristine" copy from Subversion
- Spidering of an application using Git files found on the web server
- Source Code Disclosure, by extracting the "pristine" copy of a given file from Git
- Passive Source Code Disclosure scanner, to automatically detect source code that was spidered, or downloaded in the course of normal application usage.

I don't currently have plans to add CVS or RCS, due to the increasingly limited use of these systems, but Mercurial support could be worthwhile.

Original comment by colm.p.o...@gmail.com on 6 Mar 2014 at 9:11