spinkham / skipfish Goto Github PK
View Code? Open in Web Editor NEWWeb application security scanner created by lcamtuf for google - Unofficial Mirror
Home Page: http://code.google.com/p/skipfish
License: Apache License 2.0
Web application security scanner created by lcamtuf for google - Unofficial Mirror
Home Page: http://code.google.com/p/skipfish
License: Apache License 2.0
command :
skipfish -W /root/medium.txt -S /root/medium.txt -o scanreports http://zero.webappsecurity.com
Error:
Wordlist '/root/medium.txt': syntax error in line 0.
could you pls help me out above issue
thank you in advance
As openssl 1.1 is now default, it seems to have build issues....
$ make
cc -L/usr/local/lib/ -L/opt/local/lib src/skipfish.c -o skipfish
-O3 -Wno-format -Wall -funsigned-char -g -ggdb -I/usr/local/include/ -I/opt/local/include/ -DVERSION="2.10b" src/http_client.c src/database.c src/crawler.c src/analysis.c src/report.c src/checks.c src/signatures.c src/auth.c src/options.c -lcrypto -lssl -lidn -lz -lpcre
src/http_client.c: In function 'check_ssl':
src/http_client.c:1965:10: error: dereferencing pointer to incomplete type 'SSL_CIPHER {aka const struct ssl_cipher_st}'
if(!(cp->algo_strength & SSL_MEDIUM) && !(cp->algo_strength & SSL_HIGH))
^~
src/http_client.c:1982:34: error: dereferencing pointer to incomplete type 'X509 {aka struct x509_st}'
if (ASN1_UTCTIME_cmp_time_t(p->cert_info->validity->notBefore, cur_time)
^~
src/http_client.c:2027:11: warning: 'ASN1_STRING_data' is deprecated [-Wdeprecated-declarations]
buf = (char*)ASN1_STRING_data(name->d.dNSName);
^~~
In file included from /usr/include/openssl/e_os2.h:13:0,
from /usr/include/openssl/ssl.h:45,
from src/http_client.c:37:
/usr/include/openssl/asn1.h:553:1: note: declared here
DEPRECATEDIN_1_1_0(unsigned char *ASN1_STRING_data(ASN1_STRING *x))
^
src/report.c: In function 'collect_samples':
src/report.c:447:5: warning: this 'for' clause does not guard... [-Wmisleading-indentation]
for (i=0;i<m_samp_cnt;i++)
^~~
src/report.c:450:7: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the 'for'
if (i == m_samp_cnt) {
^~
make: *** [Makefile:48: skipfish] Error 1
Hi,
Is anyone else getting OOM errors? I'm on a pretty decent spec machine, but it just doesn't want to run on a large site! I'm testing it using:
./skipfish -B .google-analytics.com -B .googleapis.com --flush-to-disk -r 800000 -M -L -e -m 5 -g 10 -o output_folder11 http://www.graphicsfactory.com
It runs for a while, and then gets "Killed!". Looking in kern.log, I can see its running out of memory:
Jul 18 06:38:33 admin kernel: skipfish invoked oom-killer: gfp_mask=0x24201ca(GFP_HIGHUSER_MOVABLE|__GFP_COLD), nodemask=0, order=0, oom_score_adj=0
Jul 18 06:38:33 admin kernel: skipfish cpuset=/ mems_allowed=0
Jul 18 06:38:33 admin kernel: CPU: 0 PID: 9319 Comm: skipfish Not tainted 4.9.15-x86_64-linode81 #1
Jul 18 06:38:33 admin kernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014
Jul 18 06:38:33 admin kernel: 0000000000000000 ffffffff817012a5 0000000000000000 ffffc90006677c90
Jul 18 06:38:33 admin kernel: ffff880075edcb00 ffffffff8122edc7 0000000000000000 ffff880100000000
Jul 18 06:38:33 admin kernel: ffff88013fc18a20 ffff88012279d780 0000000000000001 ffffffff8102b6b9
Jul 18 06:38:33 admin kernel: Call Trace:
Jul 18 06:38:33 admin kernel: [<ffffffff817012a5>] ? dump_stack+0x5d/0x88
Jul 18 06:38:33 admin kernel: [<ffffffff8122edc7>] ? dump_header+0x7f/0x221
Jul 18 06:38:33 admin kernel: [<ffffffff8102b6b9>] ? __switch_to+0x1f9/0x5c0
Jul 18 06:38:33 admin kernel: [<ffffffff811377ce>] ? pick_next_task_fair+0x37e/0x440
Jul 18 06:38:33 admin kernel: [<ffffffff811d4d5a>] ? oom_kill_process+0x25a/0x440
Jul 18 06:38:33 admin kernel: [<ffffffff811092d5>] ? has_ns_capability_noaudit+0x15/0x20
Jul 18 06:38:33 admin kernel: [<ffffffff811d497c>] ? oom_badness+0x10c/0x180
Jul 18 06:38:33 admin kernel: [<ffffffff811d51f2>] ? out_of_memory+0x112/0x470
Jul 18 06:38:33 admin kernel: [<ffffffff811d9d1f>] ? __alloc_pages_nodemask+0xd2f/0xe80
Jul 18 06:38:33 admin kernel: [<ffffffff816db5af>] ? __blk_run_queue+0x2f/0x40
Jul 18 06:38:33 admin kernel: [<ffffffff8121b1ca>] ? alloc_pages_current+0x9a/0x120
Jul 18 06:38:33 admin kernel: [<ffffffff811d33ab>] ? filemap_fault+0x35b/0x540
Jul 18 06:38:33 admin kernel: [<ffffffff8120d88b>] ? page_add_file_rmap+0x3b/0x60
Jul 18 06:38:33 admin kernel: [<ffffffff8131318f>] ? ext4_filemap_fault+0x3f/0x60
Jul 18 06:38:33 admin kernel: [<ffffffff811fee9c>] ? __do_fault+0x6c/0xd0
Jul 18 06:38:33 admin kernel: [<ffffffff812046c8>] ? handle_mm_fault+0x8b8/0xdf0
Jul 18 06:38:33 admin kernel: [<ffffffff8105a8e5>] ? __do_page_fault+0x195/0x520
Jul 18 06:38:33 admin kernel: [<ffffffff81c2fcf8>] ? async_page_fault+0x28/0x30
Jul 18 06:38:33 admin kernel: Mem-Info:
Jul 18 06:38:33 admin kernel: active_anon:693249 inactive_anon:273191 isolated_anon:0
Jul 18 06:38:33 admin kernel: active_file:158 inactive_file:249 isolated_file:0
Jul 18 06:38:33 admin kernel: unevictable:0 dirty:1 writeback:4 unstable:0
Jul 18 06:38:33 admin kernel: slab_reclaimable:3729 slab_unreclaimable:11567
Jul 18 06:38:33 admin kernel: mapped:5680 shmem:43627 pagetables:6374 bounce:0
Jul 18 06:38:33 admin kernel: free:6892 free_pcp:356 free_cma:0
Jul 18 06:38:33 admin kernel: Node 0 active_anon:2772996kB inactive_anon:1092764kB active_file:632kB inactive_file:996kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:22720kB dirty:4kB writeback:16kB shmem:174508kB writeb$
Jul 18 06:38:33 admin kernel: Node 0 DMA free:15732kB min:28kB low:40kB high:52kB active_anon:160kB inactive_anon:0kB active_file:0kB inactive_file:16kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB slab_r$
Jul 18 06:38:33 admin kernel: lowmem_reserve[]: 0 2968 3927 3927
Am I doing something wrong? It's a large site to test, but 4gb of RAM should be more than enough!
Thanks
Andy
In the past I remember using SkipFish and having no issues, worked fast and gave great reports. Now I'm having a constant problem with loading any type of word list. Here's the output of The error:
skipfish web application scanner - version 2.10b
[-] PROGRAM ABORT : Wordlist '<WORD_LIST>': syntax error in line 0.
Stop location : load_keywords(), src/database.c:1198
Happens with every word list. I tried using cat -A to check for hidden characters and removing them with tr, but that didn't help. Especially since the error starts at line 0, which I don't quite understand.
Most if not all W-lists are in txt format.
Running without a wordlist will sometimes run ok, assuming that skipfish is using its small wordlist in /usr/share/wordlists, but its hardly close to what it was capable of before.
Here's a quick look at what I'm running:
Linux kali 6.8.11-arm64 #1 SMP Kali 6.8.11-1kali2 (2024-05-30) aarch64 GNU/Linux
Let me know if any more info would be useful, Thanks !
Hey I am doing data analytics, on malicious traffic.
What i want to know is does skipish has a data repository, or log file where all the attack infomation is stored after the attack is perfromed.
Like Payload , what malicious scripts were used to perform the attack, on what link what payload was sent , netwrok traffic information . In short all the necessary details to perfrom a machine learning analysis , complete request data response
Because some tools and application has general log files and they dont give enough information to perfrom data analytics .
Does skipish provide enough Attack information and network traffic information to perfrom data analytics
Hello,
I've obviously installed all dependancies and also set CFLAGS=-I/usr/includes
but i get 2 error while compilation :
cc -L/usr/local/lib/ -L/opt/local/lib src/skipfish.c -o skipfish \
-O3 -Wno-format -Wall -funsigned-char -g -ggdb -I/usr/local/include/ -I/opt/local/include/ -I/usr/include/ -DVERSION=\"2.10b\" src/http_client.c src/database.c src/crawler.c src/analysis.c src/report.c src/checks.c src/signatures.c src/auth.c src/options.c -lcrypto -lssl -lidn -lz -lpcre
src/http_client.c: In function ‘check_ssl’:
src/http_client.c:1965:10: error: dereferencing pointer to incomplete type ‘SSL_CIPHER’ {aka ‘const struct ssl_cipher_st’}
if(!(cp->algo_strength & SSL_MEDIUM) && !(cp->algo_strength & SSL_HIGH))
^~
src/http_client.c:1982:34: error: dereferencing pointer to incomplete type ‘X509’ {aka ‘struct x509_st’}
if (ASN1_UTCTIME_cmp_time_t(p->cert_info->validity->notBefore, cur_time)
Hello,
I am very new to Skipfish and network security tools in general, and am trying to install the tool and play around so I can prepare a class presentation on this, so I apologize if this question is obvious or easily fixable.
When I try to run the command make in order to properly build Skipfish, I run into errors with not having openssl/ssl.h:
make
cc -L/usr/local/lib/ -L/opt/local/lib src/skipfish.c -o skipfish
-O3 -Wno-format -Wall -funsigned-char -g -ggdb -I/usr/local/include/ -I/opt/local/include/ -DVERSION="2.09b" src/http_client.c src/database.c src/crawler.c src/analysis.c src/report.c src/checks.c src/signatures.c src/auth.c -lcrypto -lssl -lidn -lz -lpcre
In file included from src/skipfish.c:41:
In file included from src/crawler.h:26:
src/http_client.h:26:10: fatal error: 'openssl/ssl.h' file not found
#include <openssl/ssl.h>
^~~~~~~~~~~~~~~
1 error generated.
This then runs through multiple times and ends up generating "Error 1". If it is relevant, I am on a mac with LibreSSL 2.8.3. I have looked into installing a current version of OpenSSL but there is regrettably little documentation online and I would prefer not to overwrite the current SSL version that I have. Any assistance would be much appreciated.
Can skipfish generate results in XML format
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.