Re: [NEW] security/skipfish

2015-07-27 Thread Bryan C. Everly
Stuart,

Thanks for pointing me towards arc4random_uniform().  After reading
the manpage that makes perfect sense.  I'll make that change and the
others you suggest and resubmit.

What's the typical rhythm for ports changes going in?  First 3 months
post release?

Thanks,
Bryan


On Mon, Jul 27, 2015 at 7:10 AM, Stuart Henderson st...@openbsd.org wrote:
> On 2015/07/26 15:22, Bryan C. Everly wrote:
> > Steven,
> >
> > My apologies.  I missed your arc4random() comment in the original
> > message.  The attached tarball contains all of your suggestions now.
>
> : -#define R(_ceil) ((u32)(random() % (_ceil)))
> : +#define R(_ceil) ((u32)(arc4random() % (_ceil)))
>
> this should use arc4random_uniform
>
> : +sprintf(fq_fname, /usr/local/share/skipfish/%s, fname);
>
> /usr/local in the patch should change to ${TRUEPREFIX} so that the
> ${SUBST_CMD} in pre-configure does the right thing
>
> : +#define SIG_FILE /usr/local/share/skipfish/signatures/signatures.conf
>
> is this supposed to be a user-editable file? if so, it should use
> ${SYSCONFDIR} (with SUBST_CMD as necessary, and add an associated
> @sample line in the plist to copy it into place.
>
> : ${INSTALL_DATA_DIR} ${PREFIX}/share/skipfish
> : ${INSTALL_DATA_DIR} ${PREFIX}/share/skipfish/assets
>
> INSTALL_DATA_DIR creates parent directories, no need for the
> first line here.
>
> We're heading into release mode and commits to ports need to slow right
> down now, so don't be disheartened if this doesn't make it in before 5.8.
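The arc4random() % (_ceil) versus arc4random_uniform() point in the quoted review, as an added example in C that is neither the thread's nor skipfish's code: preimages_mod counts how many 32-bit source values land on each residue under plain modulo (the surplus is the bias), and uniform_below is a rejection sampler over a caller-supplied source, the approach arc4random_uniform(3) takes. The demo_raw values and the demo_* helpers are constructed for the demonstration and stand in for a real random source.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

/* Number of the 2^32 source values that `x % upper` sends to `residue`. The
 * first (2^32 mod upper) residues get one extra: the bias of `arc4random() % (_ceil)`. */
uint64_t preimages_mod(u32 upper, u32 residue)
{
	uint64_t total = (uint64_t)1 << 32;
	return total / upper + (residue < total % upper ? 1 : 0);
}

/* Rejection sampler in the style of arc4random_uniform(3): retry on raw values
 * below 2^32 mod upper, so the accepted range is an exact multiple of `upper`. */
u32 uniform_below(u32 (*next)(void *), void *ctx, u32 upper)
{
	u32 min, r;
	if (upper < 2)
		return 0;
	min = -upper % upper;	/* == 2^32 mod upper, in 32-bit arithmetic */
	do {
		r = next(ctx);
	} while (r < min);
	return r % upper;
}

/* Constructed deterministic source; real code would wrap arc4random() here. */
static const u32 demo_raw[] = { 5, 1294967295u, 1294967296u, 7 };
static u32 demo_next(void *ctx)
{
	size_t *i = ctx;	/* ctx counts draws, rejections included */
	return demo_raw[(*i)++ % 4];
}
/* Sample below `upper` from demo_raw; `draws` receives the raw values used. */
u32 demo_draw(u32 upper, size_t *draws)
{
	*draws = 0;
	return uniform_below(demo_next, draws, upper);
}

int main(void)
{
	size_t n;
	u32 v = demo_draw(3000000000u, &n);
	printf("preimages: residue 0 -> %llu, top residue -> %llu\n",
	    (unsigned long long)preimages_mod(3000000000u, 0),
	    (unsigned long long)preimages_mod(3000000000u, 2999999999u));
	printf("uniform_below -> %u after %zu draws\n", v, n);
	return 0;
}
```

With upper just under 2^32 the plain modulo makes low results twice as likely as high ones, while the sampler pays for uniformity by discarding the first two constructed values.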




Re: [NEW] security/skipfish

2015-07-27 Thread Bryan C. Everly
Stuart,

I believe I have incorporated the changes you suggested in the
attached tarball.  If you could please look it over and give me
feedback, I'd appreciate it.

Thanks,
Bryan


On Mon, Jul 27, 2015 at 7:10 AM, Stuart Henderson st...@openbsd.org wrote:
> On 2015/07/26 15:22, Bryan C. Everly wrote:
> > Steven,
> >
> > My apologies.  I missed your arc4random() comment in the original
> > message.  The attached tarball contains all of your suggestions now.
>
> : -#define R(_ceil) ((u32)(random() % (_ceil)))
> : +#define R(_ceil) ((u32)(arc4random() % (_ceil)))
>
> this should use arc4random_uniform
>
> : +sprintf(fq_fname, /usr/local/share/skipfish/%s, fname);
>
> /usr/local in the patch should change to ${TRUEPREFIX} so that the
> ${SUBST_CMD} in pre-configure does the right thing
>
> : +#define SIG_FILE /usr/local/share/skipfish/signatures/signatures.conf
>
> is this supposed to be a user-editable file? if so, it should use
> ${SYSCONFDIR} (with SUBST_CMD as necessary, and add an associated
> @sample line in the plist to copy it into place.
>
> : ${INSTALL_DATA_DIR} ${PREFIX}/share/skipfish
> : ${INSTALL_DATA_DIR} ${PREFIX}/share/skipfish/assets
>
> INSTALL_DATA_DIR creates parent directories, no need for the
> first line here.
>
> We're heading into release mode and commits to ports need to slow right
> down now, so don't be disheartened if this doesn't make it in before 5.8.



skipfish.tgz
Description: GNU Zip compressed data


Re: [NEW] security/skipfish

2015-07-26 Thread Steven Mestdagh
Bryan C. Everly [2015-07-25, 12:52:21]:
> $COMMENT: active web application security reconnaissance tool
>
> pkg/DESCR:
>
> Skipfish is an active web application security reconnaissance tool. It
> prepares an interactive sitemap for the targeted site by carrying out
> a recursive crawl and dictionary-based probes. The resulting map is
> then annotated with the output from a number of active (but hopefully
> non-disruptive) security checks. The final report generated by the
> tool is meant to serve as a foundation for professional web
> application security assessments.
>
> Key features:
>
> High speed: pure C code, highly optimized HTTP handling, minimal CPU
> footprint - easily achieving 2000 requests per second with responsive
> targets.
>
> Ease of use: heuristics to support a variety of quirky web frameworks
> and mixed-technology sites, with automatic learning capabilities,
> on-the-fly wordlist creation, and form autocompletion.
>
> Cutting-edge security logic: high quality, low false positive,
> differential security checks, capable of spotting a range of subtle
> flaws, including blind injection vectors.
>
>
>
> I'd appreciate any feedback on this one.  I'm working on porting
> several penetration testing tools to OpenBSD so this will be the first
> of many.  I figure if you have feedback for me on this one, I can
> incorporate it into the others and not waste people's time.
>
> Thanks to @jggimi for his help in how I approach the mailing list.
>
> Thanks to Sebastian for the initial feedback on the port.
>
>
>
> Questions?  Comments?

your makefile is missing some WANTLIB or LIB_DEPENDS.

src/types.h uses random(3), maybe replace that with arc4random(3).

you have some patches which hardcode /usr/local/ - it's better to patch for
e.g. !!LOCALBASE!! and then replace that with ${LOCALBASE} in pre-configure.
there are some examples of that in the tree.



Re: [NEW] security/skipfish

2015-07-26 Thread Bryan C. Everly
Steven,

Thanks for your feedback!

If you wouldn't mind taking a look at the attached to see if I got
everything correct, I'd appreciate it.  If it's good, are you ok
committing it on my behalf?

Thanks,
Bryan


On Sun, Jul 26, 2015 at 5:16 AM, Steven Mestdagh ste...@openbsd.org wrote:
> Bryan C. Everly [2015-07-25, 12:52:21]:
> > $COMMENT: active web application security reconnaissance tool
> >
> > pkg/DESCR:
> >
> > Skipfish is an active web application security reconnaissance tool. It
> > prepares an interactive sitemap for the targeted site by carrying out
> > a recursive crawl and dictionary-based probes. The resulting map is
> > then annotated with the output from a number of active (but hopefully
> > non-disruptive) security checks. The final report generated by the
> > tool is meant to serve as a foundation for professional web
> > application security assessments.
> >
> > Key features:
> >
> > High speed: pure C code, highly optimized HTTP handling, minimal CPU
> > footprint - easily achieving 2000 requests per second with responsive
> > targets.
> >
> > Ease of use: heuristics to support a variety of quirky web frameworks
> > and mixed-technology sites, with automatic learning capabilities,
> > on-the-fly wordlist creation, and form autocompletion.
> >
> > Cutting-edge security logic: high quality, low false positive,
> > differential security checks, capable of spotting a range of subtle
> > flaws, including blind injection vectors.
> >
> >
> >
> > I'd appreciate any feedback on this one.  I'm working on porting
> > several penetration testing tools to OpenBSD so this will be the first
> > of many.  I figure if you have feedback for me on this one, I can
> > incorporate it into the others and not waste people's time.
> >
> > Thanks to @jggimi for his help in how I approach the mailing list.
> >
> > Thanks to Sebastian for the initial feedback on the port.
> >
> >
> >
> > Questions?  Comments?
>
> your makefile is missing some WANTLIB or LIB_DEPENDS.
>
> src/types.h uses random(3), maybe replace that with arc4random(3).
>
> you have some patches which hardcode /usr/local/ - it's better to patch for
> e.g. !!LOCALBASE!! and then replace that with ${LOCALBASE} in pre-configure.
> there are some examples of that in the tree.


skipfish.tgz
Description: GNU Zip compressed data