matoit1 / skipfish

Automatically exported from code.google.com/p/skipfish
Apache License 2.0

SVG: GET, POST svgz etc... #90

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
SVG recognised but not well supported.

GET and POST in script not parsed?

mysql not tested?

.svgz not found?

http://www.honte.eu testcase

Original issue reported on code.google.com by j...@peepo.com on 10 Sep 2010 at 2:06

GoogleCodeExporter commented 9 years ago
Could you perhaps be more specific? There is no actionable info in your report.

SVG should be recognized; what else do you want the scanner to do with it?

JavaScript-originating requests are not supported in a particularly 
sophisticated manner, as explained in the documentation; however, there are 
very few scanners that genuinely do a good job here - in JS heavy applications, 
using a passive auditing proxy is your best bet.

What do you mean by "mysql" not tested? There are checks for generic SQL 
injection bugs that should work in most applications.

SVGZ is a very uncommon extension as far as I can tell, and it's not in the 
standard dictionary; but the scanner should be able to learn it based on a scan 
of any site that uses .svgz.

Original comment by lcam...@gmail.com on 10 Sep 2010 at 5:03

GoogleCodeExporter commented 9 years ago
To be clear, I found skipfish extremely helpful,

not sure what you mean, but as js is not well supported I guess no
mysql queries originated.

svgz is common where svg is used...
as IE9 now supports svg it may become very common....

it's not clear whether index.svg or index.svgz were found but the
report attached only mentions one file where there are two...
http://localhost/honte/

I've only had a small time to investigate, and most of the mimetype
and other errors are bound to be mine.
I had hoped the post and get in the script might have hammered my
database,
but...

best

Jonathan

Original comment by j...@peepo.com on 10 Sep 2010 at 6:30

GoogleCodeExporter commented 9 years ago
I'm not sure there's anything to be done at this point; on svgz - skipfish can 
learn new extensions on the go, or you can add them to the dictionary, but I am 
trying to strike a balance between testing time and coverage, which means not 
adding every extension known to man up front :-)

Original comment by lcam...@gmail.com on 19 Sep 2010 at 4:43