Steven, Thanks for your feedback!
If you wouldn't mind taking a look at the attached to see if I got
everything correct, I'd appreciate it. If it's good, are you ok
committing it on my behalf?
Thanks,
Bryan
On Sun, Jul 26, 2015 at 5:16 AM, Steven Mestdagh <ste...@openbsd.org> wrote:
> Bryan C. Everly [2015-07-25, 12:52:21]:
>> $COMMENT: active web application security reconnaissance tool
>>
>> pkg/DESCR:
>>
>> Skipfish is an active web application security reconnaissance tool. It
>> prepares an interactive sitemap for the targeted site by carrying out
>> a recursive crawl and dictionary-based probes. The resulting map is
>> then annotated with the output from a number of active (but hopefully
>> non-disruptive) security checks. The final report generated by the
>> tool is meant to serve as a foundation for professional web
>> application security assessments.
>>
>> Key features:
>>
>> High speed: pure C code, highly optimized HTTP handling, minimal CPU
>> footprint - easily achieving 2000 requests per second with responsive
>> targets.
>>
>> Ease of use: heuristics to support a variety of quirky web frameworks
>> and mixed-technology sites, with automatic learning capabilities,
>> on-the-fly wordlist creation, and form autocompletion.
>>
>> Cutting-edge security logic: high quality, low false positive,
>> differential security checks, capable of spotting a range of subtle
>> flaws, including blind injection vectors.
>>
>> ----
>>
>> I'd appreciate any feedback on this one. I'm working on porting
>> several penetration testing tools to OpenBSD so this will be the first
>> of many. I figure if you have feedback for me on this one, I can
>> incorporate it into the others and not waste people's time.
>>
>> Thanks to @jggimi for his help in how I approach the mailing list.
>>
>> Thanks to Sebastian for the initial feedback on the port.
>>
>> ----
>>
>> Questions? Comments?
>
> your makefile is missing some WANTLIB or LIB_DEPENDS.
>
> src/types.h uses random(3), maybe replace that with arc4random(3).
>
> you have some patches which hardcode /usr/local/ - it's better to patch for
> e.g. !!LOCALBASE!! and then replace that with ${LOCALBASE} in pre-configure.
> there are some examples of that in the tree.
skipfish.tgz
Description: GNU Zip compressed data
