thawkins / skipfish-usap

Automatically exported from code.google.com/p/skipfish
Apache License 2.0

JS support #64

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Not sure if this is the correct place to comment/check on this, but does
the skipfish product plan on supporting stronger GWT security scans?  

When I attempt my scan, it seems to just do it on a page/file level instead
of each 'screen' equivalent (history token) in GWT.

Thanks for any feedback on this!

Original issue reported on code.google.com by binarymo...@gmail.com on 17 May 2010 at 8:12

GoogleCodeExporter commented 9 years ago
Side comment - this was with skipfish 1.32-0.4.b.fc12, installed via the Fedora
repo, making it really easy to get started!

Original comment by binarymo...@gmail.com on 17 May 2010 at 8:22

GoogleCodeExporter commented 9 years ago
Looking forward to seeing the feature.

Original comment by silver.z...@gmail.com on 27 May 2010 at 2:26

GoogleCodeExporter commented 9 years ago
Skipfish currently does not support JavaScript, and realistically, there are 
limits to what JS support in an automated scanner can achieve: most JS-enabled 
scanners can execute onload handlers and so forth, but they are completely 
oblivious to the right way to interact with complex client-side UIs, etc.

To scratch that itch, you might find it more useful to give ratproxy a try.

Original comment by lcam...@gmail.com on 23 Nov 2010 at 6:48

GoogleCodeExporter commented 9 years ago

JavaScript has been very much on my mind lately (e.g. link against v8) but as
Michal indicated, without using a full browser, the benefits will be limited.
Next step here is to see how much effort it actually is and what the benefits
on a crawler and detection (e.g. DOM XSS) level will be before starting with
an implementation.

Given that there is no immediate action here, in combination with JS support
being on the wishlist but not actively worked on now, I propose to close out
this issue (and revive it when the time comes).

Original comment by niels.he...@gmail.com on 2 Sep 2012 at 12:33