diff in "show trace"

[GoogleCodeExporter]

I see a lot of false positives in the scan results that are due to dynamic 
content. For example a time shown in seconds is different for each request and 
gets interpreted as a vulnerability. It would be nice to make it easier to spot 
such false positives. Maybe a (word)diff of the returned results could be shown 
in the trace?

Original issue reported on code.google.com by j...@jaapeldering.nl on 28 Dec 2010 at 8:08

[GoogleCodeExporter]

Changing time should not trigger a false positive. The page comparison 
algorithm relies on substantial changes in word length, not changes in 
individual digits. To better understand the problem, it would be useful to see 
the traces in question :-)

Original comment by lcam...@gmail.com on 28 Dec 2010 at 8:30

[GoogleCodeExporter]

Also see problem #10 here:
http://code.google.com/p/skipfish/wiki/KnownIssues

...and these instructions for capturing detailed crawl logs:

http://code.google.com/p/skipfish/wiki/SkipfishDoc#Oy!_Something_went_horribly_w
rong!

Original comment by lcam...@gmail.com on 28 Dec 2010 at 8:31

[GoogleCodeExporter]

Without some extra info, this bug is not actionable.

Original comment by lcam...@gmail.com on 26 Jan 2011 at 7:06

• Changed state: WontFix

[GoogleCodeExporter]

I sent an email on Wed, 29 Dec 2010 00:53:53 +0100 to skipfish@googlecode.com 
with more detailed info (3.4MB total). Didn't this email arrive or was that not 
sufficient information?

Original comment by j...@jaapeldering.nl on 26 Jan 2011 at 8:07

[GoogleCodeExporter]

I don't believe that e-mail got through, please re-send to lcamtuf@gmail.com or 
so.

Original comment by lcam...@google.com on 26 Jan 2011 at 8:08

[GoogleCodeExporter]

Ok, I resent the original message to lcamtuf@gmail.com.

Maybe googlecode doesn't accept larger attachments sent to the bug
tracking system?

Jaap

Original comment by j...@jaapeldering.nl on 26 Jan 2011 at 8:28