Steven,

My apologies.  I missed your arc4random() comment in the original
message.  The attached tarball contains all of your suggestions now.

Thanks,
Bryan


On Sun, Jul 26, 2015 at 2:35 PM, Bryan C. Everly
<br...@bceassociates.com> wrote:
> Steven,
>
> Thanks for your feedback!
>
> If you wouldn't mind taking a look at the attached to see if I got
> everything correct, I'd appreciate it.  If it's good, are you ok
> committing it on my behalf?
>
> Thanks,
> Bryan
>
>
> On Sun, Jul 26, 2015 at 5:16 AM, Steven Mestdagh <ste...@openbsd.org> wrote:
>> Bryan C. Everly [2015-07-25, 12:52:21]:
>>> $COMMENT: active web application security reconnaissance tool
>>>
>>> pkg/DESCR:
>>>
>>> Skipfish is an active web application security reconnaissance tool. It
>>> prepares an interactive sitemap for the targeted site by carrying out
>>> a recursive crawl and dictionary-based probes. The resulting map is
>>> then annotated with the output from a number of active (but hopefully
>>> non-disruptive) security checks. The final report generated by the
>>> tool is meant to serve as a foundation for professional web
>>> application security assessments.
>>>
>>> Key features:
>>>
>>> High speed: pure C code, highly optimized HTTP handling, minimal CPU
>>> footprint - easily achieving 2000 requests per second with responsive
>>> targets.
>>>
>>> Ease of use: heuristics to support a variety of quirky web frameworks
>>> and mixed-technology sites, with automatic learning capabilities,
>>> on-the-fly wordlist creation, and form autocompletion.
>>>
>>> Cutting-edge security logic: high quality, low false positive,
>>> differential security checks, capable of spotting a range of subtle
>>> flaws, including blind injection vectors.
>>>
>>> ----
>>>
>>> I'd appreciate any feedback on this one.  I'm working on porting
>>> several penetration testing tools to OpenBSD so this will be the first
>>> of many.  I figure if you have feedback for me on this one, I can
>>> incorporate it into the others and not waste people's time.
>>>
>>> Thanks to @jggimi for his help in how I approach the mailing list.
>>>
>>> Thanks to Sebastian for the initial feedback on the port.
>>>
>>> ----
>>>
>>> Questions?  Comments?
>>
>> your makefile is missing some WANTLIB or LIB_DEPENDS.
>>
>> src/types.h uses random(3), maybe replace that with arc4random(3).
>>
>> you have some patches which hardcode /usr/local/ - it's better to patch for
>> e.g. !!LOCALBASE!! and then replace that with ${LOCALBASE} in pre-configure.
>> there are some examples of that in the tree.

Attachment: skipfish.tgz
Description: GNU Zip compressed data
