Miroslav Stampar
|
55624ec1a2
|
Minor message update
|
2016-05-30 14:40:22 +02:00 |
|
Miroslav Stampar
|
83b82a5e98
|
Bug fix (wrong handler used in case of DBMS resolution)
|
2016-05-30 10:32:49 +02:00 |
|
Miroslav Stampar
|
69fd900108
|
Adding waf script for detection of generic/unknown
|
2016-05-27 16:34:41 +02:00 |
|
Miroslav Stampar
|
de9f23939f
|
Major bug fix in WAF/IDS/IPS detection (question 'do you want..to try to detect backend WAF/IPS/IDS' never worked)
|
2016-05-27 13:41:03 +02:00 |
|
Miroslav Stampar
|
7a2ac23f0b
|
Adding new waf script (sitelock)
|
2016-05-27 02:13:01 +02:00 |
|
Miroslav Stampar
|
a5f8cae599
|
Fixes #1892
|
2016-05-24 17:58:35 +02:00 |
|
Miroslav Stampar
|
c395958dff
|
Fixes #1888
|
2016-05-24 14:55:19 +02:00 |
|
Miroslav Stampar
|
798b539eec
|
Minor update
|
2016-05-24 14:50:56 +02:00 |
|
Miroslav Stampar
|
f7cae68378
|
More formal language
|
2016-05-22 21:44:17 +02:00 |
|
Miroslav Stampar
|
f6ff1a115a
|
Better (automatic) picking of a --string candidate (especially in case of international pages)
|
2016-05-22 21:29:08 +02:00 |
|
Miroslav Stampar
|
32ee586e2a
|
Minor language update
|
2016-05-22 14:30:32 +02:00 |
|
Miroslav Stampar
|
6623c3f877
|
Pesky bug fix (nobody noticed :)
|
2016-05-22 14:22:31 +02:00 |
|
Miroslav Stampar
|
30a4173249
|
I like users which don't know the difference between detection and identification
|
2016-05-22 12:40:23 +02:00 |
|
Miroslav Stampar
|
5e8b105677
|
Fixes #1880
|
2016-05-19 19:46:12 +02:00 |
|
Miroslav Stampar
|
1e07269fe3
|
Patch for an Issue #1860
|
2016-05-12 16:42:12 +02:00 |
|
Miroslav Stampar
|
be9381abc5
|
Implements #1845
|
2016-05-06 13:06:59 +02:00 |
|
Miroslav Stampar
|
c797129956
|
Fixes #1833
|
2016-05-02 11:10:12 +02:00 |
|
Miroslav Stampar
|
9dd5cd8eb6
|
Removing CloudFlare check
|
2016-04-29 00:17:07 +02:00 |
|
Miroslav Stampar
|
aa21550712
|
Minor patch for integer casting heuristics (circumvent auto-casting by DBMS itself)
|
2016-04-15 13:47:19 +02:00 |
|
Miroslav Stampar
|
66061e8c5f
|
Fixes #1811
|
2016-04-15 12:04:54 +02:00 |
|
Miroslav Stampar
|
0245ce6228
|
Fixes #1782
|
2016-03-28 19:55:33 +02:00 |
|
Miroslav Stampar
|
d7cdb6cbd8
|
Minor update
|
2016-02-06 20:16:33 +01:00 |
|
Miroslav Stampar
|
62f94f6587
|
Adding comments (Issue #1681)
|
2016-01-26 07:52:25 +01:00 |
|
Miroslav Stampar
|
574b3a79aa
|
Adding support for detection of CloudFlare responses
|
2016-01-21 10:16:23 +01:00 |
|
Miroslav Stampar
|
59695af101
|
Minor improvement of heuristic checks
|
2016-01-14 22:21:47 +01:00 |
|
Miroslav Stampar
|
bdcf3fffba
|
Minor update related to the last (error results in OR boolean-based blind should not be the same as True to be able to do proper comparison)
|
2016-01-14 13:40:50 +01:00 |
|
Miroslav Stampar
|
c7ef9429ae
|
Minor check for problematic injections
|
2016-01-14 13:16:44 +01:00 |
|
Miroslav Stampar
|
4c1fc095d8
|
Adding heuristic check for FI vulnerability
|
2016-01-14 09:59:13 +01:00 |
|
Miroslav Stampar
|
a8c6c6fca1
|
Minor update related to the last one
|
2016-01-13 23:47:34 +01:00 |
|
Miroslav Stampar
|
4e29e1b351
|
Fixing wrong commit #4f939b5719716dfe9bd085c4f67696bc11064edd
|
2016-01-13 23:34:42 +01:00 |
|
Miroslav Stampar
|
8362bdcf66
|
Fix for screw up made by #52dd92748a50bcee4fb979ea49185840ff6743b9
|
2016-01-13 23:16:27 +01:00 |
|
Miroslav Stampar
|
eb989469f3
|
Minor just in case update
|
2016-01-12 10:27:04 +01:00 |
|
Miroslav Stampar
|
48ac2101f2
|
Using only once the dummy checkWaf payload
|
2016-01-08 23:23:41 +01:00 |
|
Miroslav Stampar
|
d0d676ccce
|
Update of copyright string
|
2016-01-06 00:06:12 +01:00 |
|
Miroslav Stampar
|
c6d4217495
|
Minor update (just in case)
|
2015-12-03 02:08:59 +01:00 |
|
Miroslav Stampar
|
d41cd53d31
|
Minor style fix (distinguish form from URL testing when --forms --crawl combo used)
|
2015-10-28 14:03:21 +01:00 |
|
Miroslav Stampar
|
78bbf5d63c
|
Fixes #1451
|
2015-10-06 14:17:35 +02:00 |
|
Miroslav Stampar
|
53de0e8949
|
Implements #1442
|
2015-10-01 11:57:33 +02:00 |
|
Miroslav Stampar
|
81caf14b6d
|
Adding switch --skip-waf
|
2015-09-21 14:57:44 +02:00 |
|
Miroslav Stampar
|
e81e474646
|
Minor adjustment
|
2015-09-21 14:46:34 +02:00 |
|
Miroslav Stampar
|
56f0b811a6
|
Minor patch
|
2015-09-21 13:23:56 +02:00 |
|
Miroslav Stampar
|
c05c0ff435
|
Minor patch with imports
|
2015-09-10 15:55:49 +02:00 |
|
Miroslav Stampar
|
f494004f44
|
Switching to the getSafeExString (where it can be used)
|
2015-09-10 15:51:33 +02:00 |
|
Miroslav Stampar
|
c1f829d131
|
Removing last remnants of bad handling the exceptions as strings
|
2015-09-08 11:15:31 +02:00 |
|
Miroslav Stampar
|
e623ee66ad
|
Better approach for #1320
|
2015-07-30 23:29:31 +02:00 |
|
Miroslav Stampar
|
58002c5057
|
Minor cosmetics
|
2015-07-23 09:55:59 +02:00 |
|
Miroslav Stampar
|
21e8182ac6
|
Fixes #1305
|
2015-07-18 17:01:34 +02:00 |
|
Miroslav Stampar
|
00f190fc92
|
Fixes #1303
|
2015-07-17 10:14:35 +02:00 |
|
Miroslav Stampar
|
16f8e4c8ba
|
Removing unused imports
|
2015-07-12 12:25:02 +02:00 |
|
Miroslav Stampar
|
10f8c6a0b6
|
Introducing --offline switch (to perform session only lookups)
|
2015-07-10 16:10:24 +02:00 |
|
Miroslav Stampar
|
9bdbdc136f
|
Minor cosmetics update
|
2015-07-10 11:33:12 +02:00 |
|
Miroslav Stampar
|
0ba264bfa0
|
Minor patch
|
2015-07-10 09:51:11 +02:00 |
|
Miroslav Stampar
|
4baaa4a5ad
|
Minor improvement
|
2015-07-10 09:24:14 +02:00 |
|
Miroslav Stampar
|
9ff115ce71
|
Minor patch
|
2015-07-10 01:33:53 +02:00 |
|
Miroslav Stampar
|
02470ea683
|
Further decreasing number of testing payloads
|
2015-07-10 01:19:46 +02:00 |
|
Miroslav Stampar
|
48b627f3ff
|
Prevent double tests (e.g. in same final tests where suffix is cut by the comment)
|
2015-07-10 00:54:02 +02:00 |
|
Miroslav Stampar
|
ca2f63c672
|
Test speed up in case of boolean based blind
|
2015-07-10 00:37:59 +02:00 |
|
Miroslav Stampar
|
96327b6701
|
Fixes #1290
|
2015-07-05 01:47:01 +02:00 |
|
Miroslav Stampar
|
1f71d809d4
|
Fixes #1288
|
2015-07-03 08:55:33 +02:00 |
|
Miroslav Stampar
|
08caca387b
|
Minor patch of automatic WAF heuristic check
|
2015-05-29 16:01:41 +02:00 |
|
Miroslav Stampar
|
17bfda1b9c
|
Adding new switch ('--skip-static')
|
2015-05-18 20:57:15 +02:00 |
|
Miroslav Stampar
|
7587528ebd
|
Fixes #1202
|
2015-03-26 11:40:19 +01:00 |
|
Miroslav Stampar
|
adc8ac267d
|
Fixes #1190
|
2015-03-10 09:23:26 +01:00 |
|
Bernardo Damele
|
8281fe48e5
|
bug fix: test for boundaries with high levels if the test was extended
|
2015-03-01 11:02:05 +00:00 |
|
Bernardo Damele
|
2f08c8b666
|
bug fix: do not skil heuristic check if previous page (test for dynamicity) had DBMS message. Code cleanup
|
2015-02-27 13:57:28 +00:00 |
|
Bernardo Damele
|
475cc8b24b
|
trivial code cleanup
|
2015-02-21 13:12:30 +00:00 |
|
Bernardo Damele
|
d235ee375b
|
code cleanup
|
2015-02-21 12:59:44 +00:00 |
|
Bernardo Damele
|
52dd92748a
|
rework some of the logic of the detection phase based on identified DBMS along the way
|
2015-02-21 02:23:42 +00:00 |
|
Bernardo Damele
|
4f939b5719
|
avoid false positive message when extensive heuristic check is performed following detection of boolean blind injection detection: do only heuristic DBMS fingerprint for DBMS specific tables
|
2015-02-20 18:36:34 +00:00 |
|
Bernardo Damele
|
214b9360e9
|
Minor fix to check for inline query payloads regardless of previously identified payloads and code cleanup
|
2015-02-20 18:30:42 +00:00 |
|
Bernardo Damele
|
79d4d970a5
|
trivial code cleanup
|
2015-02-20 15:42:28 +00:00 |
|
Bernardo Damele
|
201b605f9b
|
Minor fix and consistency: do not ask to include all tests if level and risk are at the max settings already
|
2015-02-20 10:21:44 +00:00 |
|
Bernardo Damele
|
e17d212c23
|
bug fix introduced with 863d5a6281
|
2015-02-15 20:07:52 +00:00 |
|
Bernardo Damele
|
863d5a6281
|
--test-filter now ignores values of --risk and --level
|
2015-02-15 16:28:37 +00:00 |
|
Miroslav Stampar
|
2e5c11e427
|
Closes #1163
|
2015-02-13 10:59:03 +01:00 |
|
Miroslav Stampar
|
2e9bf47703
|
Heuristic check for WAF/IDS/IPS is now prone to tamper functions (Issue #1145)
|
2015-01-30 22:12:35 +01:00 |
|
Miroslav Stampar
|
b7cfaa6ca5
|
Minor style update
|
2015-01-22 08:55:37 +01:00 |
|
Miroslav Stampar
|
a603002acd
|
Adding a choice to automatically turn on --identify-waf if protection has been detected
|
2015-01-20 09:38:18 +01:00 |
|
Miroslav Stampar
|
0c4d63fb00
|
Bug fix (reported by user over ML)
|
2015-01-08 09:00:21 +01:00 |
|
Miroslav Stampar
|
45bdefd29b
|
Update of copyright
|
2015-01-06 15:02:16 +01:00 |
|
Miroslav Stampar
|
6fc41ca940
|
Heuristically checking for WAF/IDS/IPS by default
|
2015-01-06 14:01:47 +01:00 |
|
Miroslav Stampar
|
beffe85d6c
|
Patch for an Issue #1085
|
2015-01-03 22:30:21 +01:00 |
|
Miroslav Stampar
|
e6de92ce88
|
Minor patch (unicode related)
|
2014-12-15 13:36:08 +01:00 |
|
Miroslav Stampar
|
1e06e7c386
|
Adding a debug message during name resolution
|
2014-12-11 13:29:26 +01:00 |
|
Miroslav Stampar
|
a7b21a2f62
|
Rerun advice update
|
2014-12-09 09:02:06 +01:00 |
|
Miroslav Stampar
|
034fae0f47
|
Patch for an Issue #992
|
2014-12-05 11:24:43 +01:00 |
|
Miroslav Stampar
|
9b32e69f26
|
Adding new WAF script (UrlScan)
|
2014-12-04 10:06:15 +01:00 |
|
Miroslav Stampar
|
5c182a0ec4
|
Update for an Issue #431
|
2014-11-21 11:33:57 +01:00 |
|
Miroslav Stampar
|
f0802c6fb9
|
Update for an Issue #431
|
2014-11-21 11:20:54 +01:00 |
|
Miroslav Stampar
|
cf2d5fd453
|
Update for an Issue #431
|
2014-11-21 09:41:49 +01:00 |
|
Miroslav Stampar
|
05d5342f20
|
Update and patch for an Issue #2
|
2014-11-17 11:50:05 +01:00 |
|
Miroslav Stampar
|
fc1b05bec9
|
Implementation for an Issue #2
|
2014-10-23 11:23:53 +02:00 |
|
Miroslav Stampar
|
34aed7cde0
|
Bug fix (now it's possible to use multiple parsed requests without mixing associated headers)
|
2014-10-22 13:49:29 +02:00 |
|
Miroslav Stampar
|
c6a8feea8a
|
Fix for an Issue #831
|
2014-10-07 12:00:11 +02:00 |
|
Miroslav Stampar
|
f67a38dba9
|
Minor adjustment
|
2014-10-01 13:42:10 +02:00 |
|
Miroslav Stampar
|
a9454fbb43
|
Minor commit related to the last one (bypassing DBMS error trimming problem)
|
2014-10-01 13:35:20 +02:00 |
|
Miroslav Stampar
|
8c9014c39f
|
Adding a dummy (auxiliary) XSS check
|
2014-10-01 13:31:48 +02:00 |
|
Miroslav Stampar
|
bfc8ab0e35
|
Language update
|
2014-09-08 14:48:31 +02:00 |
|
Miroslav Stampar
|
53d0d5bf8b
|
Minor update (adding a warning message about potential dropping of requests because of protection mechanisms involved)
|
2014-09-08 14:33:13 +02:00 |
|
Miroslav Stampar
|
20ff402103
|
Minor patch
|
2014-08-30 22:04:55 +02:00 |
|
Miroslav Stampar
|
dc2ee8bfa0
|
Minor update
|
2014-08-30 21:53:09 +02:00 |
|
Miroslav Stampar
|
1a9a331422
|
Bug fix (proper extending of tests when dbms is known)
|
2014-08-30 21:34:23 +02:00 |
|
Miroslav Stampar
|
834f8e18c8
|
Minor patch for an Issue #802
|
2014-08-28 00:45:57 +02:00 |
|
Miroslav Stampar
|
b77d8d617b
|
Minor patch for an Issue #800
|
2014-08-28 00:31:49 +02:00 |
|
Miroslav Stampar
|
7828f61642
|
Minor style update
|
2014-08-20 13:35:41 +02:00 |
|
Miroslav Stampar
|
6795b51c7e
|
Another minor update
|
2014-08-20 01:59:30 +02:00 |
|
Miroslav Stampar
|
d08c1b7c04
|
Minor update
|
2014-08-20 01:45:42 +02:00 |
|
Miroslav Stampar
|
ebc964267f
|
Better reporting on filtered-chars cases
|
2014-08-20 01:11:26 +02:00 |
|
Miroslav Stampar
|
b31e141012
|
Fix for an Issue #772
|
2014-07-29 14:37:48 +02:00 |
|
Miroslav Stampar
|
0eb5fb1e5a
|
Update for an Issue #757
|
2014-07-19 23:02:14 +02:00 |
|
Miroslav Stampar
|
2a88436417
|
Patch for an Issue #724
|
2014-06-16 09:51:24 +02:00 |
|
Miroslav Stampar
|
cb0044b2c4
|
Minor beauty patch
|
2014-04-07 20:28:17 +02:00 |
|
Miroslav Stampar
|
9456dc68e7
|
Minor patch
|
2014-04-06 17:24:27 +02:00 |
|
Miroslav Stampar
|
cf250a0381
|
Minor patch (it would go boom if special character was inside the --param-del)
|
2014-04-06 17:02:32 +02:00 |
|
Miroslav Stampar
|
0ae8ac707e
|
Renaming conf.pDel to conf.paramDel
|
2014-04-06 16:48:46 +02:00 |
|
Miroslav Stampar
|
106102bd3c
|
Fix for an Issue #648
|
2014-03-21 20:28:29 +01:00 |
|
Miroslav Stampar
|
3b47418a1d
|
Fix for an Issue #640
|
2014-03-14 22:20:20 +01:00 |
|
Miroslav Stampar
|
2ffdee5733
|
Bug fix for PAYLOAD.WHERE.REPLACE payloads containing custom injection marker ([ORIGVALUE] was screwed)
|
2014-02-26 11:41:48 +01:00 |
|
Miroslav Stampar
|
edc8ef9d5b
|
Patch for an Issue #611 (original page used in case of tamper functions was wrong - e.g. if --tamper=base64encode was used)
|
2014-02-25 13:48:34 +01:00 |
|
Miroslav Stampar
|
2a423d61ef
|
Raising number of requests for false positive testing in case of higher levels
|
2014-02-23 19:40:01 +01:00 |
|
Miroslav Stampar
|
fe0ff6e679
|
Changing 'is injectable' to 'seems to be injectable' for boolean and time-based blind injection cases - for false positive cases
|
2014-02-09 17:50:16 +01:00 |
|
Miroslav Stampar
|
f97fcb7bb3
|
Adding a switch --invalid-string
|
2014-01-23 21:56:06 +01:00 |
|
Miroslav Stampar
|
f88f6dcd7e
|
Changing --invalid-bignum from float producing to int producing
|
2014-01-23 09:07:25 +01:00 |
|
Bernardo Damele
|
43a4e85749
|
updated copyright
|
2014-01-13 17:24:49 +00:00 |
|
Miroslav Stampar
|
6c80f2903b
|
Patch for an Issue #564
|
2013-12-27 11:02:59 +01:00 |
|
Miroslav Stampar
|
bf3fbb0ae0
|
Ignore Google analytics cookies
|
2013-12-04 09:56:37 +01:00 |
|
Miroslav Stampar
|
7ed05f01b3
|
Minor update
|
2013-10-27 00:24:57 +02:00 |
|
Miroslav Stampar
|
334c698d53
|
Adding change verbosity level in testing phase when Ctrl+C pressed
|
2013-10-17 16:54:53 +02:00 |
|
Moshe Kaplan
|
8cd641a2a6
|
minor typos corrected
"choosen" -> "chosen"
|
2013-10-15 13:26:24 -04:00 |
|
Miroslav Stampar
|
2dc570d7a8
|
Minor patch (for ORDER BY 'col' cases)
|
2013-10-10 23:08:20 +02:00 |
|
Miroslav Stampar
|
369006ca73
|
Bug fix
|
2013-10-07 12:54:25 +02:00 |
|
Miroslav Stampar
|
0cf2bdeb1c
|
Minor language update
|
2013-08-22 11:11:30 +02:00 |
|
Miroslav Stampar
|
38ee95e2c9
|
Minor language update
|
2013-08-13 18:58:24 +02:00 |
|
Miroslav Stampar
|
52a71546d0
|
Implementation for an Issue #507
|
2013-08-13 18:55:23 +02:00 |
|
Miroslav Stampar
|
941b2387c0
|
Minor fix
|
2013-07-31 09:22:45 +02:00 |
|
Miroslav Stampar
|
b921ff0729
|
Fix for an Issue #495
|
2013-07-27 11:20:43 +02:00 |
|
stamparm
|
e6f71c2130
|
Making 10% less requests in futile higher level/risk runs (using static template payloads for where==NEGATIVE)
|
2013-07-15 16:24:49 +02:00 |
|
stamparm
|
c9d3974205
|
Minor fix (templatePayload had duplicate string patterns for where==NEGATIVE)
|
2013-07-15 13:54:02 +02:00 |
|
stamparm
|
ac2d40e259
|
Revert of last commit (there is a chance that that big integer value is really valid :)
|
2013-07-15 13:34:38 +02:00 |
|
stamparm
|
a097ee1505
|
Switching --invalid-bignum to a pure integer constant (more generic - more statements require pure integer constant)
|
2013-07-15 13:31:56 +02:00 |
|
stamparm
|
d7c0805e7c
|
Removing leftover
|
2013-07-08 12:45:02 +02:00 |
|
stamparm
|
a548eb5c70
|
Minor text update
|
2013-07-08 12:44:14 +02:00 |
|
stamparm
|
d0e79a4d15
|
Minor text update
|
2013-07-08 12:38:36 +02:00 |
|
stamparm
|
a530817727
|
Minor typo fix
|
2013-07-08 11:52:46 +02:00 |
|
stamparm
|
8d3435ab0b
|
Removing reflective warning for parsing heuristic test
|
2013-07-08 11:48:33 +02:00 |
|
stamparm
|
04046f38eb
|
Minor update (Issue #475)
|
2013-07-01 12:26:57 +02:00 |
|
stamparm
|
f7d15cb465
|
Official naming is HSQLDB (and/or HyperSQL)
|
2013-07-01 11:57:47 +02:00 |
|
Miroslav Stampar
|
aeb83ba651
|
Merge pull request #475 from Meatballs1/hsql_clean
HSQL Payloads and Query Support
|
2013-07-01 02:38:04 -07:00 |
|
stamparm
|
fd5b665f7d
|
Removing arithmetic operations from false positive checking to minimize affect of character filtering ('>' and '=' have to stay because those are minimal requirements)
|
2013-06-26 10:55:34 +02:00 |
|
Meatballs
|
62000c6406
|
Remaining files
|
2013-06-24 14:42:58 +01:00 |
|