Commit Graph

998 Commits

Author SHA1 Message Date
Miroslav Stampar
8c6b761044 Replacing doc/COPYING to LICENSE 2017-10-11 14:50:46 +02:00
Miroslav Stampar
12f802c70f Minor text update 2017-09-11 10:41:50 +02:00
Miroslav Stampar
96ffb4b911 Fixes #2693 2017-09-11 10:38:19 +02:00
Miroslav Stampar
cb2258fea4 Fixes #2603 2017-08-28 13:02:08 +02:00
Miroslav Stampar
c871cedae4 Adding hidden option '--force-dbms' to skip fingerprinting 2017-08-28 12:30:42 +02:00
Miroslav Stampar
8b0c50f25d Update related to the #2663 2017-08-23 13:17:37 +02:00
Miroslav Stampar
62ae149464 Minor patch 2017-07-29 03:35:05 +02:00
Miroslav Stampar
5745d650f8 Fixes #2635 2017-07-29 02:42:20 +02:00
Miroslav Stampar
0f9c81965b Implementation on request 2017-07-26 00:24:13 +02:00
Miroslav Stampar
d12b65d38c Fixes #2624 2017-07-25 23:32:30 +02:00
Louis-Philippe Huberdeau
e38267a61e Include tracking properties in the HAR to identify which test the requests were associated to 2017-07-18 15:46:52 -04:00
Miroslav Stampar
1678b606a2 Update for #2597 2017-07-03 16:55:24 +02:00
Louis-Philippe Huberdeau
0d756a8823 Parse request data and convert to HAR, include in injection data 2017-06-23 11:50:21 -04:00
Miroslav Stampar
864711b434 Minor improvement 2017-06-05 16:48:14 +02:00
Miroslav Stampar
996ad59126 Minor patch 2017-06-05 16:28:19 +02:00
Miroslav Stampar
359bfb2704 Minor adjustment 2017-05-26 14:14:35 +02:00
Miroslav Stampar
644ea2e3aa Minor patch 2017-05-26 14:08:08 +02:00
Miroslav Stampar
4ce08dcfa3 Patch for an Issue #2536 2017-05-17 00:22:18 +02:00
Miroslav Stampar
d3a08a2d22 Implementation for an Issue #2505 2017-05-07 23:12:42 +02:00
Miroslav Stampar
fc8eede952 Minor cleanup and one bug fix 2017-04-19 14:46:27 +02:00
Miroslav Stampar
c8a0c525fc Fixes #2489 2017-04-19 14:19:39 +02:00
Miroslav Stampar
5f2bb88037 Some code refactoring 2017-04-18 15:48:05 +02:00
Miroslav Stampar
7ebba5614a Moving brute from techniques to utils 2017-04-18 13:53:41 +02:00
Miroslav Stampar
d9a931f77a Minor cleanup 2017-04-14 13:14:53 +02:00
Miroslav Stampar
0e206da7c0 Minor patches (pydiatra) 2017-04-14 13:08:51 +02:00
Miroslav Stampar
9b3d229294 Fixes #2471 2017-04-10 19:21:22 +02:00
Miroslav Stampar
60e8c725f9 Fixes #2437 2017-03-12 23:24:13 +01:00
Miroslav Stampar
7960045cf9 Fixes #2277 and #2300 2017-02-27 13:58:07 +01:00
Miroslav Stampar
4b420e7579 Removing Google PageRank as it is dead now 2017-02-23 11:33:39 +01:00
Miroslav Stampar
38f16decef Update for an Issue #2384 2017-02-06 13:28:33 +01:00
Miroslav Stampar
03bbf552ef Patch for an Issue #2382 2017-02-06 11:14:45 +01:00
Miroslav Stampar
55272f7a3b New version preparation 2017-01-02 14:19:18 +01:00
Francisco Blas Izquierdo Riera (klondike)
025e9ac5b4
Fix the logic used for --param-exclude
The current logic will skip all existing parameters if no param-exclude is defined.
This breaks previous behaviour, makes it harder to use the tool and is quite confusing.

The new logic will always check the parameter is set before running any other checks instead of shortcircuit an empoty(always true) regexp.
2016-12-28 12:25:05 +01:00
Miroslav Stampar
89bbf5284c Adding new option --param-exclude on private request 2016-12-25 23:16:44 +01:00
Miroslav Stampar
edc6f47758 Some refactoring 2016-12-19 23:47:39 +01:00
Hanno Heinrichs
2cc604e356 Fix several typos 2016-10-26 21:41:57 +02:00
Miroslav Stampar
24eaf55dc8 Removing bad decision for -d (user should be able to choose) 2016-10-17 22:32:23 +02:00
Miroslav Stampar
6130185ac6 Minor consistency update with the wiki 2016-10-11 00:35:39 +02:00
Miroslav Stampar
171cf6f54d Minor fine tuning for SQLi heuristic check 2016-10-04 11:32:06 +02:00
Miroslav Stampar
dc8301689e Implementation for an Issue #2204 2016-10-02 11:13:40 +02:00
Miroslav Stampar
332726356c Minor language update 2016-09-29 14:03:46 +02:00
Miroslav Stampar
381deb68ff Implementation for an Issue #2137 2016-09-27 13:26:11 +02:00
Miroslav Stampar
7151df16f6 Adding extra validation step in case of boolean-based blind (e.g. if unexpected 500 occurs) 2016-09-27 11:21:12 +02:00
Miroslav Stampar
8994bf2dba Further dealing with time-based SQLi (Issue #1973) 2016-09-27 10:32:22 +02:00
Miroslav Stampar
09617c8243 Introducing extra validation property in case of time-based SQLi (HTTP code) - Issue #1973 2016-09-27 10:20:36 +02:00
Miroslav Stampar
556b4d289e Minor cosmetic patch (removing multiple same content '...appears...' messages) 2016-09-26 17:02:40 +02:00
Miroslav Stampar
1b48ff223d Adding initial support for Informix (Issue #552) 2016-09-23 12:33:27 +02:00
Miroslav Stampar
56a918c408 Minor refactoring 2016-09-20 10:03:00 +02:00
Miroslav Stampar
bcd62ecc5b Minor optimization (avoiding unnecessary deepcopies) 2016-09-20 09:56:08 +02:00
Miroslav Stampar
32dd4a938c Minor patch of message 2016-09-09 11:37:16 +02:00
Miroslav Stampar
6b91b7b7fa Minor cosmetics 2016-09-02 16:10:11 +02:00
Miroslav Stampar
cb43c03712 Definite patch for MemoryError(s) (fixes #1991) 2016-06-30 14:57:56 +02:00
Miroslav Stampar
8b4367d354 Revert of last commit 2016-06-26 01:42:21 +02:00
Miroslav Stampar
0a9d69a7d0 Minor patch 2016-06-26 01:10:47 +02:00
Miroslav Stampar
0175acd028 Bug fix (in some cases lack of warning message for SQLi appearing) 2016-06-23 17:52:37 +02:00
Miroslav Stampar
78fdb27a0b More improvements 2016-06-03 15:51:52 +02:00
Miroslav Stampar
350baf0a0a Minor update 2016-06-03 14:29:32 +02:00
Miroslav Stampar
9886b646eb Proper update regarding the last commit 2016-06-03 14:18:28 +02:00
Miroslav Stampar
c5197b99a0 Minor patch and minor improvement 2016-06-03 13:59:32 +02:00
Miroslav Stampar
0e65043c84 Minor adjustment 2016-06-03 09:48:49 +02:00
Miroslav Stampar
229d3a7dd0 Patch for cases when error page looks more like original, than the False one does 2016-05-30 16:46:23 +02:00
Miroslav Stampar
b965e5bf1c Minor refactoring 2016-05-30 16:06:39 +02:00
Miroslav Stampar
3bd74c5351 Minor patch 2016-05-30 15:20:21 +02:00
Miroslav Stampar
55624ec1a2 Minor message update 2016-05-30 14:40:22 +02:00
Miroslav Stampar
83b82a5e98 Bug fix (wrong handler used in case of DBMS resolution) 2016-05-30 10:32:49 +02:00
Miroslav Stampar
69fd900108 Adding waf script for detection of generic/unknown 2016-05-27 16:34:41 +02:00
Miroslav Stampar
de9f23939f Major bug fix in WAF/IDS/IPS detection (question 'do you want..to try to detect backend WAF/IPS/IDS' never worked) 2016-05-27 13:41:03 +02:00
Miroslav Stampar
7a2ac23f0b Adding new waf script (sitelock) 2016-05-27 02:13:01 +02:00
Miroslav Stampar
a5f8cae599 Fixes #1892 2016-05-24 17:58:35 +02:00
Miroslav Stampar
c395958dff Fixes #1888 2016-05-24 14:55:19 +02:00
Miroslav Stampar
798b539eec Minor update 2016-05-24 14:50:56 +02:00
Miroslav Stampar
f7cae68378 More formal language 2016-05-22 21:44:17 +02:00
Miroslav Stampar
f6ff1a115a Better (automatic) picking of a --string candidate (especially in case of international pages) 2016-05-22 21:29:08 +02:00
Miroslav Stampar
32ee586e2a Minor language update 2016-05-22 14:30:32 +02:00
Miroslav Stampar
6623c3f877 Pesky bug fix (nobody noticed :) 2016-05-22 14:22:31 +02:00
Miroslav Stampar
30a4173249 I like users which don't know the difference between detection and identification 2016-05-22 12:40:23 +02:00
Miroslav Stampar
5e8b105677 Fixes #1880 2016-05-19 19:46:12 +02:00
Miroslav Stampar
1e07269fe3 Patch for an Issue #1860 2016-05-12 16:42:12 +02:00
Miroslav Stampar
be9381abc5 Implements #1845 2016-05-06 13:06:59 +02:00
Miroslav Stampar
c797129956 Fixes #1833 2016-05-02 11:10:12 +02:00
Miroslav Stampar
9dd5cd8eb6 Removing CloudFlare check 2016-04-29 00:17:07 +02:00
Miroslav Stampar
aa21550712 Minor patch for integer casting heuristics (circumvent auto-casting by DBMS itself) 2016-04-15 13:47:19 +02:00
Miroslav Stampar
66061e8c5f Fixes #1811 2016-04-15 12:04:54 +02:00
Miroslav Stampar
0245ce6228 Fixes #1782 2016-03-28 19:55:33 +02:00
Miroslav Stampar
d7cdb6cbd8 Minor update 2016-02-06 20:16:33 +01:00
Miroslav Stampar
62f94f6587 Adding comments (Issue #1681) 2016-01-26 07:52:25 +01:00
Miroslav Stampar
574b3a79aa Adding support for detection of CloudFlare responses 2016-01-21 10:16:23 +01:00
Miroslav Stampar
59695af101 Minor improvement of heuristic checks 2016-01-14 22:21:47 +01:00
Miroslav Stampar
bdcf3fffba Minor update related to the last (error results in OR boolean-based blind should not be the same as True to be able to do proper comparison) 2016-01-14 13:40:50 +01:00
Miroslav Stampar
c7ef9429ae Minor check for problematic injections 2016-01-14 13:16:44 +01:00
Miroslav Stampar
4c1fc095d8 Adding heuristic check for FI vulnerability 2016-01-14 09:59:13 +01:00
Miroslav Stampar
a8c6c6fca1 Minor update related to the last one 2016-01-13 23:47:34 +01:00
Miroslav Stampar
4e29e1b351 Fixing wrong commit #4f939b5719716dfe9bd085c4f67696bc11064edd 2016-01-13 23:34:42 +01:00
Miroslav Stampar
8362bdcf66 Fix for screw up made by #52dd92748a50bcee4fb979ea49185840ff6743b9 2016-01-13 23:16:27 +01:00
Miroslav Stampar
eb989469f3 Minor just in case update 2016-01-12 10:27:04 +01:00
Miroslav Stampar
48ac2101f2 Using only once the dummy checkWaf payload 2016-01-08 23:23:41 +01:00
Miroslav Stampar
d0d676ccce Update of copyright string 2016-01-06 00:06:12 +01:00
Miroslav Stampar
c6d4217495 Minor update (just in case) 2015-12-03 02:08:59 +01:00
Miroslav Stampar
d41cd53d31 Minor style fix (distinguish form from URL testing when --forms --crawl combo used) 2015-10-28 14:03:21 +01:00
Miroslav Stampar
78bbf5d63c Fixes #1451 2015-10-06 14:17:35 +02:00
Miroslav Stampar
53de0e8949 Implements #1442 2015-10-01 11:57:33 +02:00
Miroslav Stampar
81caf14b6d Adding switch --skip-waf 2015-09-21 14:57:44 +02:00
Miroslav Stampar
e81e474646 Minor adjustment 2015-09-21 14:46:34 +02:00
Miroslav Stampar
56f0b811a6 Minor patch 2015-09-21 13:23:56 +02:00
Miroslav Stampar
c05c0ff435 Minor patch with imports 2015-09-10 15:55:49 +02:00
Miroslav Stampar
f494004f44 Switching to the getSafeExString (where it can be used) 2015-09-10 15:51:33 +02:00
Miroslav Stampar
c1f829d131 Removing last remnants of bad handling the exceptions as strings 2015-09-08 11:15:31 +02:00
Miroslav Stampar
e623ee66ad Better approach for #1320 2015-07-30 23:29:31 +02:00
Miroslav Stampar
58002c5057 Minor cosmetics 2015-07-23 09:55:59 +02:00
Miroslav Stampar
21e8182ac6 Fixes #1305 2015-07-18 17:01:34 +02:00
Miroslav Stampar
00f190fc92 Fixes #1303 2015-07-17 10:14:35 +02:00
Miroslav Stampar
16f8e4c8ba Removing unused imports 2015-07-12 12:25:02 +02:00
Miroslav Stampar
10f8c6a0b6 Introducing --offline switch (to perform session only lookups) 2015-07-10 16:10:24 +02:00
Miroslav Stampar
9bdbdc136f Minor cosmetics update 2015-07-10 11:33:12 +02:00
Miroslav Stampar
0ba264bfa0 Minor patch 2015-07-10 09:51:11 +02:00
Miroslav Stampar
4baaa4a5ad Minor improvement 2015-07-10 09:24:14 +02:00
Miroslav Stampar
9ff115ce71 Minor patch 2015-07-10 01:33:53 +02:00
Miroslav Stampar
02470ea683 Further decreasing number of testing payloads 2015-07-10 01:19:46 +02:00
Miroslav Stampar
48b627f3ff Prevent double tests (e.g. in same final tests where suffix is cut by the comment) 2015-07-10 00:54:02 +02:00
Miroslav Stampar
ca2f63c672 Test speed up in case of boolean based blind 2015-07-10 00:37:59 +02:00
Miroslav Stampar
96327b6701 Fixes #1290 2015-07-05 01:47:01 +02:00
Miroslav Stampar
1f71d809d4 Fixes #1288 2015-07-03 08:55:33 +02:00
Miroslav Stampar
08caca387b Minor patch of automatic WAF heuristic check 2015-05-29 16:01:41 +02:00
Miroslav Stampar
17bfda1b9c Adding new switch ('--skip-static') 2015-05-18 20:57:15 +02:00
Miroslav Stampar
7587528ebd Fixes #1202 2015-03-26 11:40:19 +01:00
Miroslav Stampar
adc8ac267d Fixes #1190 2015-03-10 09:23:26 +01:00
Bernardo Damele
8281fe48e5 bug fix: test for boundaries with high levels if the test was extended 2015-03-01 11:02:05 +00:00
Bernardo Damele
2f08c8b666 bug fix: do not skil heuristic check if previous page (test for dynamicity) had DBMS message. Code cleanup 2015-02-27 13:57:28 +00:00
Bernardo Damele
475cc8b24b trivial code cleanup 2015-02-21 13:12:30 +00:00
Bernardo Damele
d235ee375b code cleanup 2015-02-21 12:59:44 +00:00
Bernardo Damele
52dd92748a rework some of the logic of the detection phase based on identified DBMS along the way 2015-02-21 02:23:42 +00:00
Bernardo Damele
4f939b5719 avoid false positive message when extensive heuristic check is performed following detection of boolean blind injection detection: do only heuristic DBMS fingerprint for DBMS specific tables 2015-02-20 18:36:34 +00:00
Bernardo Damele
214b9360e9 Minor fix to check for inline query payloads regardless of previously identified payloads and code cleanup 2015-02-20 18:30:42 +00:00
Bernardo Damele
79d4d970a5 trivial code cleanup 2015-02-20 15:42:28 +00:00
Bernardo Damele
201b605f9b Minor fix and consistency: do not ask to include all tests if level and risk are at the max settings already 2015-02-20 10:21:44 +00:00
Bernardo Damele
e17d212c23 bug fix introduced with 863d5a6281 2015-02-15 20:07:52 +00:00
Bernardo Damele
863d5a6281 --test-filter now ignores values of --risk and --level 2015-02-15 16:28:37 +00:00
Miroslav Stampar
2e5c11e427 Closes #1163 2015-02-13 10:59:03 +01:00
Miroslav Stampar
2e9bf47703 Heuristic check for WAF/IDS/IPS is now prone to tamper functions (Issue #1145) 2015-01-30 22:12:35 +01:00
Miroslav Stampar
b7cfaa6ca5 Minor style update 2015-01-22 08:55:37 +01:00
Miroslav Stampar
a603002acd Adding a choice to automatically turn on --identify-waf if protection has been detected 2015-01-20 09:38:18 +01:00
Miroslav Stampar
0c4d63fb00 Bug fix (reported by user over ML) 2015-01-08 09:00:21 +01:00
Miroslav Stampar
45bdefd29b Update of copyright 2015-01-06 15:02:16 +01:00
Miroslav Stampar
6fc41ca940 Heuristically checking for WAF/IDS/IPS by default 2015-01-06 14:01:47 +01:00
Miroslav Stampar
beffe85d6c Patch for an Issue #1085 2015-01-03 22:30:21 +01:00
Miroslav Stampar
e6de92ce88 Minor patch (unicode related) 2014-12-15 13:36:08 +01:00
Miroslav Stampar
1e06e7c386 Adding a debug message during name resolution 2014-12-11 13:29:26 +01:00
Miroslav Stampar
a7b21a2f62 Rerun advice update 2014-12-09 09:02:06 +01:00
Miroslav Stampar
034fae0f47 Patch for an Issue #992 2014-12-05 11:24:43 +01:00
Miroslav Stampar
9b32e69f26 Adding new WAF script (UrlScan) 2014-12-04 10:06:15 +01:00