Steven, My apologies. I missed your arc4random() comment in the original message. The attached tarball contains all of your suggestions now.
Thanks, Bryan On Sun, Jul 26, 2015 at 2:35 PM, Bryan C. Everly <br...@bceassociates.com> wrote: > Steven, > > Thanks for your feedback! > > If you wouldn't mind taking a look at the attached to see if I got > everything correct, I'd appreciate it. If it's good, are you ok > committing it on my behalf? > > Thanks, > Bryan > > > On Sun, Jul 26, 2015 at 5:16 AM, Steven Mestdagh <ste...@openbsd.org> wrote: >> Bryan C. Everly [2015-07-25, 12:52:21]: >>> $COMMENT: active web application security reconnaissance tool >>> >>> pkg/DESCR: >>> >>> Skipfish is an active web application security reconnaissance tool. It >>> prepares an interactive sitemap for the targeted site by carrying out >>> a recursive crawl and dictionary-based probes. The resulting map is >>> then annotated with the output from a number of active (but hopefully >>> non-disruptive) security checks. The final report generated by the >>> tool is meant to serve as a foundation for professional web >>> application security assessments. >>> >>> Key features: >>> >>> High speed: pure C code, highly optimized HTTP handling, minimal CPU >>> footprint - easily achieving 2000 requests per second with responsive >>> targets. >>> >>> Ease of use: heuristics to support a variety of quirky web frameworks >>> and mixed-technology sites, with automatic learning capabilities, >>> on-the-fly wordlist creation, and form autocompletion. >>> >>> Cutting-edge security logic: high quality, low false positive, >>> differential security checks, capable of spotting a range of subtle >>> flaws, including blind injection vectors. >>> >>> ---- >>> >>> I'd appreciate any feedback on this one. I'm working on porting >>> several penetration testing tools to OpenBSD so this will be the first >>> of many. I figure if you have feedback for me on this one, I can >>> incorporate it into the others and not waste people's time. >>> >>> Thanks to @jggimi for his help in how I approach the mailing list. >>> >>> Thanks to Sebastian for the initial feedback on the port. >>> >>> ---- >>> >>> Questions? Comments? >> >> your makefile is missing some WANTLIB or LIB_DEPENDS. >> >> src/types.h uses random(3), maybe replace that with arc4random(3). >> >> you have some patches which hardcode /usr/local/ - it's better to patch for >> e.g. !!LOCALBASE!! and then replace that with ${LOCALBASE} in pre-configure. >> there are some examples of that in the tree.
skipfish.tgz
Description: GNU Zip compressed data