Open GoogleCodeExporter opened 9 years ago
updated version of the attached example page.
Original comment by random0...@gmail.com
on 8 Dec 2011 at 9:39
The "bogus parameter" finding does not prevent XSS detection and other
injection tests; it only inhibits dictionary brute-force.
Instead, your problem may be that skipfish may not be prepared to deal with
multiple identically named parameters. Does it work if you rename the
parameters to "a" and "b"? What version are you using?
Original comment by lcam...@gmail.com
on 8 Dec 2011 at 9:45
I am running skipfish version 2.03b.
The vulnerability "XSS vector in document body" is located only when the
variables are renamed to 'a' and 'b'. If there are multiple identically named
parameters, this vulnerability will not be discovered.
I've attached a file 'index.php' for which skipfish is able to locate the XSS
vulnerability. Skipfish is not able to locate the same vulnerability in 'x.php'
(which has been attached previously).
Original comment by random0...@gmail.com
on 12 Dec 2011 at 12:03
In the event of two parameters with the same name, we only test the first one.
I'll look into fixing this (but with low priority).
Cheers!
Original comment by niels.he...@gmail.com
on 5 Feb 2012 at 3:00
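The coverage gap described in the comment above, as an added example (not skipfish's code and not part of the original thread): a mutation strategy keyed on parameter name skips the second `q`, while one keyed on position covers every occurrence. The host, the parameter name `q` and the marker value are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MARKER = "zzPROBEzz"  # constructed, harmless marker value


def _variants(url, first_of_each_name_only, marker=MARKER):
    """Return one URL per tested parameter, with that parameter set to marker."""
    parts = urlsplit(url)
    # parse_qsl keeps duplicates and order; a dict would silently merge them.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    seen, out = set(), []
    for i, (name, _) in enumerate(pairs):
        if first_of_each_name_only and name in seen:
            continue  # later duplicates are never tested
        seen.add(name)
        mutated = list(pairs)
        mutated[i] = (name, marker)
        out.append(urlunsplit(parts._replace(query=urlencode(mutated))))
    return out


def variants_by_name(url):
    """Behaviour reported in the thread: only the first same-named parameter."""
    return _variants(url, first_of_each_name_only=True)


def variants_by_position(url):
    """Every occurrence is its own test point, even when names repeat."""
    return _variants(url, first_of_each_name_only=False)


def untested_positions(url):
    """Indexes of parameters the name-keyed strategy never mutates."""
    covered = set(variants_by_name(url))
    return [i for i, v in enumerate(variants_by_position(url)) if v not in covered]


if __name__ == "__main__":
    sample = "http://test.example/x.php?q=1&q=2"  # constructed sample URL
    print(variants_by_name(sample))
    print(variants_by_position(sample))
    print("untested parameter indexes:", untested_positions(sample))
```

Running `untested_positions` over a crawl's URL list gives a quick estimate of how many parameters a name-keyed scanner would leave unexamined.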
Hi, I'm also facing the same sort of problem. This is a big issue because the
crawler will miss many links in a single page application. Consider a situation
in which different pages get included for the same id, e.g.
index.php?id=1 leads to one.php page //that has some new links
index.php?id=2 leads to two.php page //that has different links
In this situation the page content of two.php will be completely ignored.
Original comment by anuragno...@gmail.com
on 19 Jul 2012 at 11:17
Original issue reported on code.google.com by
random0...@gmail.com
on 8 Dec 2011 at 9:36