Steven,

Thanks for your feedback!

If you wouldn't mind taking a look at the attached to see if I got everything correct, I'd appreciate it. If it's good, are you ok committing it on my behalf?

Thanks,
Bryan

On Sun, Jul 26, 2015 at 5:16 AM, Steven Mestdagh <ste...@openbsd.org> wrote:
> Bryan C. Everly [2015-07-25, 12:52:21]:
>> $COMMENT: active web application security reconnaissance tool
>>
>> pkg/DESCR:
>>
>> Skipfish is an active web application security reconnaissance tool. It
>> prepares an interactive sitemap for the targeted site by carrying out
>> a recursive crawl and dictionary-based probes. The resulting map is
>> then annotated with the output from a number of active (but hopefully
>> non-disruptive) security checks. The final report generated by the
>> tool is meant to serve as a foundation for professional web
>> application security assessments.
>>
>> Key features:
>>
>> High speed: pure C code, highly optimized HTTP handling, minimal CPU
>> footprint - easily achieving 2000 requests per second with responsive
>> targets.
>>
>> Ease of use: heuristics to support a variety of quirky web frameworks
>> and mixed-technology sites, with automatic learning capabilities,
>> on-the-fly wordlist creation, and form autocompletion.
>>
>> Cutting-edge security logic: high quality, low false positive,
>> differential security checks, capable of spotting a range of subtle
>> flaws, including blind injection vectors.
>>
>> ----
>>
>> I'd appreciate any feedback on this one. I'm working on porting
>> several penetration testing tools to OpenBSD so this will be the first
>> of many. I figure if you have feedback for me on this one, I can
>> incorporate it into the others and not waste people's time.
>>
>> Thanks to @jggimi for his help in how I approach the mailing list.
>>
>> Thanks to Sebastian for the initial feedback on the port.
>>
>> ----
>>
>> Questions? Comments?
>
> your makefile is missing some WANTLIB or LIB_DEPENDS.
>
> src/types.h uses random(3), maybe replace that with arc4random(3).
>
> you have some patches which hardcode /usr/local/ - it's better to patch for
> e.g. !!LOCALBASE!! and then replace that with ${LOCALBASE} in pre-configure.
> there are some examples of that in the tree.

skipfish.tgz
Description: GNU Zip compressed data