Bryan C. Everly [2015-07-25, 12:52:21]:
> $COMMENT: active web application security reconnaissance tool
>
> pkg/DESCR:
>
> Skipfish is an active web application security reconnaissance tool. It
> prepares an interactive sitemap for the targeted site by carrying out
> a recursive crawl and dictionary-based probes. The resulting map is
> then annotated with the output from a number of active (but hopefully
> non-disruptive) security checks. The final report generated by the
> tool is meant to serve as a foundation for professional web
> application security assessments.
>
> Key features:
>
> High speed: pure C code, highly optimized HTTP handling, minimal CPU
> footprint - easily achieving 2000 requests per second with responsive
> targets.
>
> Ease of use: heuristics to support a variety of quirky web frameworks
> and mixed-technology sites, with automatic learning capabilities,
> on-the-fly wordlist creation, and form autocompletion.
>
> Cutting-edge security logic: high quality, low false positive,
> differential security checks, capable of spotting a range of subtle
> flaws, including blind injection vectors.
>
> ----
>
> I'd appreciate any feedback on this one. I'm working on porting
> several penetration testing tools to OpenBSD so this will be the first
> of many. I figure if you have feedback for me on this one, I can
> incorporate it into the others and not waste people's time.
>
> Thanks to @jggimi for his help in how I approach the mailing list.
>
> Thanks to Sebastian for the initial feedback on the port.
>
> ----
>
> Questions? Comments?

your makefile is missing some WANTLIB or LIB_DEPENDS. src/types.h uses random(3), maybe replace that with arc4random(3). you have some patches which hardcode /usr/local/ - it's better to patch for e.g. !!LOCALBASE!! and then replace that with ${LOCALBASE} in pre-configure. there are some examples of that in the tree.