Re: [NEW] security/skipfish
Stuart,

Thanks for pointing me towards arc4random_uniform(). After reading the manpage that makes perfect sense. I'll make that change and the others you suggest and resubmit.

What's the typical rhythm for ports changes going in? First 3 months post release?

Thanks,
Bryan

On Mon, Jul 27, 2015 at 7:10 AM, Stuart Henderson st...@openbsd.org wrote:
> On 2015/07/26 15:22, Bryan C. Everly wrote:
> > Steven,
> > My apologies. I missed your arc4random() comment in the original message. The attached tarball contains all of your suggestions now.
>
> : -#define R(_ceil) ((u32)(random() % (_ceil)))
> : +#define R(_ceil) ((u32)(arc4random() % (_ceil)))
>
> this should use arc4random_uniform
>
> : +sprintf(fq_fname, /usr/local/share/skipfish/%s, fname);
>
> /usr/local in the patch should change to ${TRUEPREFIX} so that the ${SUBST_CMD} in pre-configure does the right thing
>
> : +#define SIG_FILE /usr/local/share/skipfish/signatures/signatures.conf
>
> is this supposed to be a user-editable file? if so, it should use ${SYSCONFDIR} (with SUBST_CMD as necessary), and add an associated @sample line in the plist to copy it into place.
>
> : ${INSTALL_DATA_DIR} ${PREFIX}/share/skipfish
> : ${INSTALL_DATA_DIR} ${PREFIX}/share/skipfish/assets
>
> INSTALL_DATA_DIR creates parent directories, no need for the first line here.
>
> We're heading into release mode and commits to ports need to slow right down now, so don't be disheartened if this doesn't make it in before 5.8.
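Review bot: in the R() hunk, arc4random() % (_ceil) keeps the modulo bias that random() % (_ceil) already had: whenever _ceil does not evenly divide 2^32, the residues below 2^32 mod _ceil come up one extra time, so the "random" pick is measurably skewed towards the low end for large _ceil. Replace the macro body with arc4random_uniform(_ceil), which rejects the uneven tail of the 32-bit range and returns a uniform value in [0, _ceil); OpenBSD's implementation also returns 0 for an upper bound below 2 rather than evaluating x % 0.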
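Review bot: the added sprintf() into fq_fname has no length bound; the hunk shows neither the size of fq_fname nor any limit on fname, so an over-long fname (which comes from the signature/dictionary file name chosen at run time) writes past the buffer. If fq_fname is a fixed array, use snprintf(fq_fname, sizeof(fq_fname), "%s/share/skipfish/%s", ...) and treat a return value >= sizeof(fq_fname) as an error; if it is allocated, asprintf(3) is the simpler choice. The hardcoded /usr/local prefix should become ${TRUEPREFIX} so SUBST_CMD can rewrite it, as already noted.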
Re: [NEW] security/skipfish
Stuart,

I believe I have incorporated the changes you suggested in the attached tarball. If you could please look it over and give me feedback, I'd appreciate it.

Thanks,
Bryan

On Mon, Jul 27, 2015 at 7:10 AM, Stuart Henderson st...@openbsd.org wrote:
> On 2015/07/26 15:22, Bryan C. Everly wrote:
> > Steven,
> > My apologies. I missed your arc4random() comment in the original message. The attached tarball contains all of your suggestions now.
>
> : -#define R(_ceil) ((u32)(random() % (_ceil)))
> : +#define R(_ceil) ((u32)(arc4random() % (_ceil)))
>
> this should use arc4random_uniform
>
> : +sprintf(fq_fname, /usr/local/share/skipfish/%s, fname);
>
> /usr/local in the patch should change to ${TRUEPREFIX} so that the ${SUBST_CMD} in pre-configure does the right thing
>
> : +#define SIG_FILE /usr/local/share/skipfish/signatures/signatures.conf
>
> is this supposed to be a user-editable file? if so, it should use ${SYSCONFDIR} (with SUBST_CMD as necessary), and add an associated @sample line in the plist to copy it into place.
>
> : ${INSTALL_DATA_DIR} ${PREFIX}/share/skipfish
> : ${INSTALL_DATA_DIR} ${PREFIX}/share/skipfish/assets
>
> INSTALL_DATA_DIR creates parent directories, no need for the first line here.
>
> We're heading into release mode and commits to ports need to slow right down now, so don't be disheartened if this doesn't make it in before 5.8.

[Attachment: skipfish.tgz, GNU Zip compressed data]
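A worked illustration of the arc4random_uniform() point Stuart raises in the quoted review, added here as an example; it is not skipfish code and not OpenBSD's libc. To compile and run off OpenBSD it takes its 32-bit source as a function pointer (the demo feeds it a constructed replay sequence); on OpenBSD that source would be arc4random(3). residue_count() quantifies the bias that arc4random() % (_ceil) keeps, and uniform_below() applies the same rejection scheme arc4random_uniform(3) uses, accepting only draws at or above 2^32 mod ceil so that the accepted range is an exact multiple of ceil. The names residue_count, uniform_below, replay_next and demo_draw are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * How many of the 2^32 outputs of a 32-bit generator land on residue r
 * under x % ceil.  When ceil does not divide 2^32, residues below
 * (2^32 mod ceil) are hit one extra time: that is the bias the R() macro
 * keeps when it merely swaps random() for arc4random().
 */
uint64_t residue_count(uint32_t ceil, uint32_t r)
{
    uint64_t span  = (uint64_t)1 << 32;
    uint64_t base  = span / ceil;
    uint64_t extra = span % ceil;        /* residues 0 .. extra-1 get one more */
    return base + (r < extra ? 1 : 0);
}

/* Any 32-bit source; on OpenBSD this would be arc4random(3). */
typedef uint32_t (*rand32_fn)(void *state);

/*
 * Rejection sampling as arc4random_uniform(3) does it: the smallest
 * accepted draw is 2^32 mod ceil, so the accepted values form an exact
 * multiple of ceil and x % ceil is uniform.  At most half the 32-bit
 * range is ever rejected, so the loop terminates quickly.  Returns 0 for
 * ceil < 2 instead of dividing by zero.  *rejected counts discarded draws.
 */
uint32_t uniform_below(rand32_fn src, void *state, uint32_t ceil, unsigned *rejected)
{
    uint32_t min, x;

    if (rejected)
        *rejected = 0;
    if (ceil < 2)
        return 0;
    min = (uint32_t)(((uint64_t)1 << 32) % ceil);   /* same value as -ceil % ceil in 32-bit arithmetic */
    for (;;) {
        x = src(state);
        if (x >= min)
            return x % ceil;
        if (rejected)
            (*rejected)++;
    }
}

/* Constructed replay source for the demonstration: hands out a fixed sequence. */
struct replay { const uint32_t *vals; size_t n, i; };

static uint32_t replay_next(void *st)
{
    struct replay *r = st;
    uint32_t v = r->vals[r->i % r->n];
    r->i++;
    return v;
}

/* Draw one value below 3 from the constructed sequence {0, 0, 5, ...}: with
 * ceil = 3 the threshold is 2^32 mod 3 = 1, so both zeros are rejected and
 * 5 % 3 = 2 is returned with *rejected == 2. */
uint32_t demo_draw(unsigned *rejected)
{
    static const uint32_t seq[] = { 0, 0, 5, 0xFFFFFFFFu };
    struct replay rp = { seq, sizeof seq / sizeof seq[0], 0 };
    return uniform_below(replay_next, &rp, 3, rejected);
}

int main(void)
{
    unsigned rej = 0;
    uint32_t v = demo_draw(&rej);

    printf("x %% 3: residue 0 hit %llu times, residue 1 hit %llu times\n",
           (unsigned long long)residue_count(3, 0),
           (unsigned long long)residue_count(3, 1));
    printf("uniform_below(..., 3) = %u after rejecting %u draws\n", v, rej);
    return 0;
}
```

For a power-of-two ceil such as 256 the counts come out equal and the modulo is unbiased; for every other ceil residue_count() shows the skew, and the larger ceil is relative to 2^32 the larger the relative skew, which is exactly the case a wordlist or port-fuzzing picker in a scanner hits.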
Re: [NEW] security/skipfish
Bryan C. Everly [2015-07-25, 12:52:21]:
> $COMMENT: active web application security reconnaissance tool
>
> pkg/DESCR:
> Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
>
> Key features:
> - High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets.
> - Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
> - Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.
>
> I'd appreciate any feedback on this one. I'm working on porting several penetration testing tools to OpenBSD so this will be the first of many. I figure if you have feedback for me on this one, I can incorporate it into the others and not waste people's time.
>
> Thanks to @jggimi for his help in how I approach the mailing list. Thanks to Sebastian for the initial feedback on the port.
>
> Questions? Comments?

your makefile is missing some WANTLIB or LIB_DEPENDS.

src/types.h uses random(3), maybe replace that with arc4random(3).

you have some patches which hardcode /usr/local/ - it's better to patch for e.g. !!LOCALBASE!! and then replace that with ${LOCALBASE} in pre-configure. there are some examples of that in the tree.
Re: [NEW] security/skipfish
Steven,

Thanks for your feedback! If you wouldn't mind taking a look at the attached to see if I got everything correct, I'd appreciate it. If it's good, are you ok committing it on my behalf?

Thanks,
Bryan

On Sun, Jul 26, 2015 at 5:16 AM, Steven Mestdagh ste...@openbsd.org wrote:
> Bryan C. Everly [2015-07-25, 12:52:21]:
> > $COMMENT: active web application security reconnaissance tool
> >
> > pkg/DESCR:
> > Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
> >
> > Key features:
> > - High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets.
> > - Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
> > - Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.
> >
> > I'd appreciate any feedback on this one. I'm working on porting several penetration testing tools to OpenBSD so this will be the first of many. I figure if you have feedback for me on this one, I can incorporate it into the others and not waste people's time.
> >
> > Thanks to @jggimi for his help in how I approach the mailing list. Thanks to Sebastian for the initial feedback on the port.
> >
> > Questions? Comments?
>
> your makefile is missing some WANTLIB or LIB_DEPENDS.
>
> src/types.h uses random(3), maybe replace that with arc4random(3).
>
> you have some patches which hardcode /usr/local/ - it's better to patch for e.g. !!LOCALBASE!! and then replace that with ${LOCALBASE} in pre-configure. there are some examples of that in the tree.

[Attachment: skipfish.tgz, GNU Zip compressed data]