URLs outside the include pattern/string is checked.

mfazliazran / skipfish

Automatically exported from code.google.com/p/skipfish

Apache License 2.0

0 stars 0 forks source link

Using skipfish version 1.25b on Debian Testing.

I wanted to check only a subdirectory, so I used the -I option. However,
Skipfish still checks the root (and some directories above the subdirectory).

I used this commandline:
./skipfish -o somedir  -I /~username/dir/ajaxhelper.php
http://example.org/~username/dir/ajaxhelper.php

I notice that I get reports for http://example.org/,
http://example.org/~username/ and http://example.org/~username/dir/ Have I
misunderstood the usage of the -I option?

Original issue reported on code.google.com by hansfn@gmail.com on 25 Mar 2010 at 10:43

Skipfish still needs to do some rudimentary checks on lower-level directories, for example to detect 404 patterns. In the process of doing so, it may spot a couple of security problems. The option should reliably prevent it from performing injection checks or brute-force of the out-of-scope locations, though; please let me know if this is not the case, otherwise, the behavior is intended.

mfazliazran / skipfish

URLs outside the include pattern/string is checked. #39