debian/

debian/compat
7

debian/examples
config/example.conf

debian/manpages
doc/skipfish.1

debian/control
Source: skipfish
Section: web
Priority: extra
Maintainer: Bartosz Fenski
Build-Depends: debhelper (>= 7.0.50~), libssl-dev, zlib1g-dev, libidn11-dev, libpcre3-dev
Standards-Version: 3.9.3
Homepage: http://code.google.com/p/skipfish/

Package: skipfish
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: fully automated, active web application security reconnaissance tool
 Skipfish is an active web application security reconnaissance tool.
 It prepares an interactive sitemap for the targeted site by carrying out
 a recursive crawl and dictionary-based probes. The resulting map is then
 annotated with the output from a number of active (but hopefully
 non-disruptive) security checks. The final report generated by the tool
 is meant to serve as a foundation for professional web application
 security assessments.

debian/copyright
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: skipfish
Source: http://code.google.com/p/skipfish/

Files: *
Copyright: 2009-2012 Google Inc
           Michal Zalewski
           Niels Heinen
           Sebastian Roschke
License: Apache-2.0
 On Debian systems the full text of the Apache License can be found in
 `/usr/share/common-licenses/Apache-2.0'.

File: src/string-inl.h
Copyright: 1990, 1993 The Regents of the University of California.
           Chris Torek
License: BSD
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions
 are met:
 1. Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.
 3. Neither the name of the University nor the names of its contributors
    may be used to endorse or promote products derived from this software
    without specific prior written permission.
 .
 THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 SUCH DAMAGE.

Files: assets/*
Copyright: 2006-2007 Everaldo Coelho, Crystal Project
License: LGPL-2.1
 On Debian systems the full copy of the GNU LESSER GENERAL PUBLIC LICENSE
 version 2.1 can be found in `/usr/share/common-licenses/LGPL-2.1'.

Files: debian/*
Copyright: 2010-2012 Bartosz Fenski
License: GPL-2+
 This package is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
 (at your option) any later version.
 .
 This package is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License
 along with this program. If not, see .
 .
 On Debian systems, the complete text of the GNU General Public
 License version 2 can be found in "/usr/share/common-licenses/GPL-2".

debian/docs
README
doc/*.txt

debian/rules
#!/usr/bin/make -f
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1

%:
	dh $@

override_dh_install:
	dh_install -XCOPYING

# don't run them
override_dh_perl override_dh_icons override_dh_gconf override_dh_installxfonts \
override_dh_installwm override_dh_installudev override_dh_installppp \
override_dh_installpam override_dh_installlogrotate override_dh_installlogcheck \
override_dh_installmodules override_dh_installmime override_dh_installmenu \
override_dh_installinit override_dh_installinfo override_dh_installifupdown \
override_dh_installemacsen override_dh_installdebconf override_dh_installcron \
override_dh_installcatalogs:

debian/watch
version=3
opts="dversionmangle=s/\+dfsg//" \
http://code.google.com/p/skipfish/downloads/list http://skipfish.googlecode.com/files/skipfish-(.*)\.tgz

debian/changelog
skipfish (2.10b-1) unstable; urgency=low

  * The Akamai Technologies paid volunteer days release.
  * New upstream version.
  * Bumped Standards-Version (no changes needed).
  * Various path fixes because of upstream changes.
  * Added new libpcre3-dev build dependency.
  * Totally rewritten copyright file to comply with new copyright standard.

 -- Bartosz Fenski  Thu, 20 Dec 2012 14:59:36 +0100

skipfish (2.05b-1) unstable; urgency=low

  * New upstream version.

 -- Bartosz Fenski  Thu, 15 Mar 2012 10:18:34 +0100

skipfish (2.03b-1) unstable; urgency=low

  * New upstream version.
 -- Bartosz Fenski  Wed, 15 Feb 2012 14:23:24 +0100

skipfish (2.02b-1) unstable; urgency=low

  * New upstream version.

 -- Bartosz Fenski  Wed, 03 Aug 2011 15:07:13 +0200

skipfish (1.85b-1) unstable; urgency=low

  * New upstream version.
  * Fixed watchfile.
  * Bump Standards-Version (no changes needed).
  * Fixed copyright file to make lintian happy about BSD license.

 -- Bartosz Fenski  Tue, 29 Mar 2011 17:52:17 +0200

skipfish (1.32b-1) unstable; urgency=low

  * New upstream release.

 -- Bartosz Fenski  Tue, 20 Apr 2010 19:49:33 +0200

skipfish (1.29b-1) unstable; urgency=low

  * New upstream release.
  * Removed manpage since it's now included by upstream.

 -- Bartosz Fenski  Mon, 05 Apr 2010 18:43:06 +0200

skipfish (1.26b-1) unstable; urgency=low

  * New upstream release.
  * Skip most dh_* scripts.
  * Includes manpage courtesy of Thorsten Schifferdecker (Closes: #575596)

 -- Bartosz Fenski  Sat, 27 Mar 2010 10:34:13 +0100

skipfish (1.19b-1) unstable; urgency=low

  * New upstream release.

 -- Bartosz Fenski  Wed, 24 Mar 2010 08:45:16 +0100

skipfish (1.13b-1) unstable; urgency=low

  * Initial release (Closes: #574756)

 -- Bartosz Fenski  Tue, 22 Mar 2010 18:41:42 +0100

debian/patches/

debian/patches/debian-paths
Description: fixes paths for Debian
 Fixes paths for Debian
Author: Bartosz Fenski
Origin: Debian
Forwarded: not-needed
Last-Update: 2012-12-20

--- skipfish-2.10b.orig/signatures/signatures.conf +++ skipfish-2.10b/signatures/signatures.conf
@@ -6,23 +6,23 @@ # The mime signatures warn about server responses that have an interesting # mime. For example anything that is presented as php-source will likely # be interesting -include signatures/mime.sigs +include /usr/share/skipfish/signatures/mime.sigs # The files signature will use the content to determine if a response # is an interesting file. For example, a SVN file. -include signatures/files.sigs +include /usr/share/skipfish/signatures/files.sigs # The messages signatures look for interesting server messages. Most # are based on errors, such as caused by incorrect SQL queries or PHP # execution failures. -include signatures/messages.sigs +include /usr/share/skipfish/signatures/messages.sigs # The apps signatures will help to find pages and applications who's # functionality is a security risk by default. For example, phpinfo() # pages that leak information or CMS admin interfaces. -include signatures/apps.sigs +include /usr/share/skipfish/signatures/apps.sigs # Context signatures are linked to injection tests. They look for strings # that are relevant to the current injection test and help to highlight # potential vulnerabilities. -include signatures/context.sigs +include /usr/share/skipfish/signatures/context.sigs --- skipfish-2.10b.orig/src/config.h +++ skipfish-2.10b/src/config.h 
@@ -29,10 +29,10 @@ /* Default paths to runtime files: */ -#define ASSETS_DIR "assets" +#define ASSETS_DIR "/usr/share/skipfish/assets" /* Default signature file */ -#define SIG_FILE "signatures/signatures.conf" +#define SIG_FILE "/usr/share/skipfish/signatures/signatures.conf" /* Various default settings for HTTP client (cmdline override): */

debian/patches/series
debian-paths

debian/install
skipfish /usr/bin
dictionaries /usr/share/skipfish/
assets /usr/share/skipfish/
signatures /usr/share/skipfish/

debian/source/

debian/source/format
3.0 (quilt)
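
Review bot: In the signatures/signatures.conf hunk, each of the five include lines repeats the literal prefix /usr/share/skipfish/signatures/, so together with SIG_FILE in src/config.h the install location is written out six times and has to agree with the "signatures /usr/share/skipfish/" line in debian/install. If the install directory ever changes, any include that is missed will point at a file that is not installed. Consider resolving include paths relative to the directory of the signatures.conf being read, or substituting the prefix at build time from one variable. The patch header should also say that a copied, locally edited signatures.conf will still pull in the system-wide .sigs files unless its include lines are edited too; the long description currently only repeats the short one.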
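
Review bot: In the src/config.h hunk, ASSETS_DIR and SIG_FILE each hard-code /usr/share/skipfish independently; build both from a single prefix definition (one macro in config.h, or a -D value passed from debian/rules) so they cannot drift from each other or from debian/install. The old defaults "assets" and "signatures/signatures.conf" were relative to the current working directory, so this change also stops the tool from picking up assets and signature files from whatever directory it is started in; that is the security-relevant effect of the patch and deserves a sentence in the Description. debian/install also ships dictionaries to /usr/share/skipfish/, but no dictionary default appears in this hunk, so confirm whether a relative dictionary path remains elsewhere and either patch it or document the full path users must pass.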