Whisker
by rain forest puppy, rfp (at) wiretrip (dot) net
Platforms: Perl (any system supporting perl)
Categories: Auditing, Network, Web
Version: 1.4
URL: http://www.wiretrip.net/rfp
Whisker is an advanced CGI vulnerability scanner. It is scriptable and has many good features, such as querying for system type and basing scans on the information gathered (i.e., distinguishing between IIS and Apache web servers).

- "Multi-threaded" front end (Unix only).
- More updates to server.db and scan.db.
- Changed the 'set' command to take .= (append) as well.
- Added multi-file scans
- Changed options around.
- whisker will internally 'read' the output from a .cfm script and determine if it really exists, eliminating *all* false reports.
- Added support for variables and tabs, CRs, and LFs in strings.
- You can now use a variable for 'server' and 'scan' matching
- Scan database files don't have to be in the current directory
- Whisker defaults to scan.db, so it's not required to specify -s <file>
- Whisker will automatically rescan servers with dumb.db if they need it
- NMAP information is now available inside the scripts
- Redid the bounce options
- Support for distributed proxies
- Ability to use other CGI scanners' databases
- Better timeout control (Unix only).
- Implemented ability to use 'GET' method, but still close the connection after all the headers have arrived.
- EXPERIMENTAL SSL support.
- SamSpade bounce by Styx was added
- Other little tweaks to variable handling and new variables added
- Netcraft changed their output, so I had to change to match it.

Copyright 2006, SecurityFocus