File: TODO
package: ratproxy 1.58+dfsg-3 (area: main; in suites: jessie, jessie-kfreebsd, squeeze, wheezy)
size: 520 kB; sloc: ansic: 2,829; sh: 244; makefile: 71
-----
TODO:
-----

  - Javascript formatter / prettyprinter: this would make it easier to inspect
    "compiled" Javascript.

  - Multiple report-related improvements:

      - Proper CSS classes instead of current inline mess,
      - Add better issue filtering capabilities based on host / path,
      - Make it possible to edit target URLs in forms.

  - Machine-readable output improvements: use a better output format with less
    escaping necessary. Move most of escaping to ratproxy-report.sh instead.

  - Better caching header analysis: current Expires/Date parsing logic is
    very simplistic and may trigger false positives in some scenarios.

  - Context-aware XSS testing: make XSS injection checks aware of the context, so
    that only a small snippet of code would need to be injected (minimizes the risk
    of query rejection).

  - Better XSRF token checks: validate rudimentary alphabet distribution properties
    with better resolution; "0aBaBaBaBaB" should not qualify as a valid token.

  - Unified Javascript analyzer: simplified JS related checks are currently
    dispersed through the code. This should be moved to a separate component and
    much improved.

  - Flash security lint: decompiled SWFs could be automatically surveyed for
    problems.

  - Code refactoring and improvements: modularize check logic, add configuration
    file parsing in place of config.h, etc.
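
The "Better XSRF token checks" item above asks for alphabet-distribution tests with enough resolution to reject values like "0aBaBaBaBaB". The following is an added example of such a heuristic, not ratproxy's own code: it rejects a candidate token that is too short, uses too few distinct symbols, is dominated by one symbol, or is mostly explained by a short repeating period. The thresholds and the sample values are assumptions chosen for illustration.

```c
/* Heuristic XSRF/CSRF token quality check. Added example for the TODO item
   above; this is not ratproxy code. Thresholds are illustrative assumptions. */
#include <stdio.h>
#include <string.h>

#define MIN_TOKEN_LEN         8   /* shorter values are not treated as tokens */
#define MIN_DISTINCT_CHARS    6   /* "0aBaBaBaBaB" uses only 3 symbols */
#define MAX_CHAR_SHARE_PCT   40   /* no single symbol may dominate the token */
#define MAX_PERIODIC_PCT     80   /* reject when a short period explains most of it */

enum token_verdict { TOKEN_OK = 0, TOKEN_TOO_SHORT, TOKEN_FEW_SYMBOLS,
                     TOKEN_SKEWED, TOKEN_PERIODIC };

/* Percentage of positions i with t[i] == t[i+p], for the best period p in
   1..n/3. A single odd leading character does not hide the pattern. */
static unsigned periodic_share_pct(const char *t, size_t n) {
  unsigned best = 0;
  for (size_t p = 1; p <= n / 3; p++) {
    unsigned match = 0;
    for (size_t i = 0; i + p < n; i++)
      if (t[i] == t[i + p]) match++;
    unsigned pct = (unsigned)(100 * match / (n - p));
    if (pct > best) best = pct;
  }
  return best;
}

/* Returns TOKEN_OK for a plausible token, otherwise the first failed check. */
enum token_verdict xsrf_token_verdict(const char *t) {
  size_t n = strlen(t);
  unsigned counts[256] = {0}, distinct = 0, maxc = 0;
  if (n < MIN_TOKEN_LEN) return TOKEN_TOO_SHORT;
  for (size_t i = 0; i < n; i++) {
    unsigned char c = (unsigned char)t[i];
    if (counts[c]++ == 0) distinct++;
    if (counts[c] > maxc) maxc = counts[c];
  }
  if (distinct < MIN_DISTINCT_CHARS) return TOKEN_FEW_SYMBOLS;
  if (100 * maxc / n > MAX_CHAR_SHARE_PCT) return TOKEN_SKEWED;
  if (periodic_share_pct(t, n) >= MAX_PERIODIC_PCT) return TOKEN_PERIODIC;
  return TOKEN_OK;
}
int main(void) {
  /* Constructed sample values, not captured from any real application. */
  const char *samples[] = { "0aBaBaBaBaB", "abcdefgabcdefgabcdefg", "f3a9c1e7b2d4086a" };
  for (size_t i = 0; i < 3; i++)
    printf("%-24s -> %d\n", samples[i], xsrf_token_verdict(samples[i]));
  return 0;
}
```

The periodicity test is what catches "abcdefgabcdefgabcdefg", which passes the distinct-symbol and dominance checks on its own.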

--------------------
Check-specific TODO:
--------------------

  - Cookie injection: look for query payloads copied over to cookies.

  - Data leakage: look for non-FQDN domain names, private IPs, and file://
    references when a "production service" option is supplied.

  - Common exception trace pattern detection.

  - Enumeration of server types and versions.

  - Checks for revealing or offensive comments, file names, etc.

  - Perhaps a brute-force checker for UTF-8 character consumption, SQL
    injection checks.

  - Referer-based XSS: devise a scheme to check for this reliably.