2.01b: A number of improvements

- Substantial improvement to SQL injection checks.
- Improvements to directory traversal checks (courtesy of Niels Heinen).
- Fix to numerical brute-force logic.
- Major improvement to directory brute force: much better duplicate elimination in some webserver configurations.
- Added a check for attacker-controlled prefixes on inline responses. This currently leads to UTF-7 BOM XSS, Flash, Java attacks (thanks to Niels Heinen).

ChangeLog

@@ -1,3 +1,19 @@
+Version 2.01b:
+--------------
+
+  - Substantial improvement to SQL injection checks.
+
+  - Improvements to directory traversal checks (courtesy of Niels Heinen).
+
+  - Fix to numerical brute-force logic.
+
+  - Major improvement to directory brute force: much better
+    duplicate elimination in some webserver configurations.
+
+  - Added a check for attacker-controlled prefixes on inline responses.
+    This currently leads to UTF-7 BOM XSS, Flash, Java attacks (thanks to
+    Niels Heinen).
+
 Version 2.00b:
 --------------
 

Makefile

@@ -20,7 +20,7 @@
 #
 
 PROGNAME   = skipfish
-VERSION    = 2.00b
+VERSION    = 2.01b
 
 OBJFILES   = http_client.c database.c crawler.c analysis.c report.c
 INCFILES   = alloc-inl.h string-inl.h debug.h types.h http_client.h \

analysis.c

@@ -1553,14 +1553,14 @@ void content_checks(struct http_request* req, struct http_response* res) {
 
   if (is_javascript(res) && !res->json_safe &&
       (!req->method || !strcmp((char*)req->method, "GET")) &&
-      !strstr((char*)res->payload, "if (") &&
-      !strstr((char*)res->payload, "if(") &&
-      !strstr((char*)res->payload, "for (") &&
-      !strstr((char*)res->payload, "for(") &&
-      !strstr((char*)res->payload, "while (") &&
-      !strstr((char*)res->payload, "while(") &&
-      !strstr((char*)res->payload, "function ") &&
-      !strstr((char*)res->payload, "function("))
+      !inl_findstr(res->payload, (u8*)"if (", 1024) &&
+      !inl_findstr(res->payload, (u8*)"if(", 1024) &&
+      !inl_findstr(res->payload, (u8*)"for (", 1024) &&
+      !inl_findstr(res->payload, (u8*)"for(", 1024) &&
+      !inl_findstr(res->payload, (u8*)"while (", 1024) &&
+      !inl_findstr(res->payload, (u8*)"while(", 1024) &&
+      !inl_findstr(res->payload, (u8*)"function ", 1024) &&
+      !inl_findstr(res->payload, (u8*)"function(", 1024))
     problem(PROB_JS_XSSI, req, res, NULL, req->pivot, 0);
 
   tmp = res->payload;

assets/index.html

@@ -297,6 +297,7 @@
   "30601": "HTML form with no apparent XSRF protection",
   "30602": "JSON response with no apparent XSSI protection",
   "30701": "Incorrect caching directives (lower risk)",
+  "30801": "User-controlled response prefix (BOM / plugin attacks)",
 
   "40101": "XSS vector in document body",
   "40102": "XSS vector via arbitrary URLs",

config.h

@@ -102,15 +102,16 @@
 /* Crawler / probe constants: */
 
 #define BOGUS_FILE     "sfi9876"        /* Name that should not exist      */
+#define BOGUS_EXT      "sfish"          /* Nonsensical file extension      */
 #define BOGUS_PARAM    "9876sfi"        /* Meaningless parameter           */
 #define MAX_404        4                /* Maximum number of 404 sigs      */
 #define PAR_MAX_DIGITS 6                /* Max digits in a fuzzable int    */
 #define PAR_INT_FUZZ   100              /* Fuzz by + / - this much         */
 
 #ifdef QUEUE_FILO
-#define DICT_BATCH     200              /* Brute-force queue block         */
+#define DICT_BATCH     100              /* Brute-force queue block         */
 #else
-#define DICT_BATCH     1000             /* Brute-force queue block         */
+#define DICT_BATCH     600              /* Brute-force queue block         */
 #endif /* ^QUEUE_FILO */
 
 /* Single query for IPS detection - Evil Query of Doom (tm). */