Bryan C. Everly [2015-07-25, 12:52:21]:
> $COMMENT: active web application security reconnaissance tool
>
> pkg/DESCR:
>
> Skipfish is an active web application security reconnaissance tool. It
> prepares an interactive sitemap for the targeted site by carrying out
> a recursive crawl and dictionary-based probes. The resulting map is
> then annotated with the output from a number of active (but hopefully
> non-disruptive) security checks. The final report generated by the
> tool is meant to serve as a foundation for professional web
> application security assessments.
>
> Key features:
>
> High speed: pure C code, highly optimized HTTP handling, minimal CPU
> footprint - easily achieving 2000 requests per second with responsive
> targets.
>
> Ease of use: heuristics to support a variety of quirky web frameworks
> and mixed-technology sites, with automatic learning capabilities,
> on-the-fly wordlist creation, and form autocompletion.
>
> Cutting-edge security logic: high quality, low false positive,
> differential security checks, capable of spotting a range of subtle
> flaws, including blind injection vectors.
>
> ----
>
> I'd appreciate any feedback on this one. I'm working on porting
> several penetration testing tools to OpenBSD so this will be the first
> of many. I figure if you have feedback for me on this one, I can
> incorporate it into the others and not waste people's time.
>
> Thanks to @jggimi for his help in how I approach the mailing list.
>
> Thanks to Sebastian for the initial feedback on the port.
>
> ----
>
> Questions? Comments?
your makefile is missing some WANTLIB or LIB_DEPENDS.
src/types.h uses random(3), maybe replace that with arc4random(3).
you have some patches which hardcode /usr/local/ - it's better to patch for
e.g. !!LOCALBASE!! and then replace that with ${LOCALBASE} in pre-configure.
there are some examples of that in the tree.
