1.4.8
June 5, 2003

Major UI improvements, added a normalizer so URLs don't push behind the
spikeProxyUI directory. Cache is much nicer - disregards images. Fixed that
annoying ../../ bug.

read_query.py added. Useful for printing out saved requests from the command
line without loading the entire UI.

Various core engine fixes

1.4.7
January 26, 2003

Fixed the engine so it worked on a few more sites...cruel.com and
xgoogle.com in particular. Also fixed the rewrite request support so
it sent its data as a POST instead of a GET since people were
complaining that IE didn't let them use long GETs. Added support for
restricted pages and hosts.

Please let me know if you have a public page this doesn't work with.

A known bug is that crawling urls with ../ in them will do very bad
things. To be fixed in upcoming versions. Send me a patch! :>


1.4.6
Nov 18, 2002

o Fixed NTLM support for some people (thanks to cc_@hushmail.com). Removed
  print statement with the password from the log screen.

o Added "False 404 Detection" which can be customized through the 
  Configuration menu. Any request that comes in with a string specified
  as a "False 404" string will be transformed internally to a 404
  so the automatic routines won't false positive on that misconfigured
  server.

o Fixed a bug in the VulnXML from whisker database script.

o Added WHYGPL.txt

1.4.5
Nov 7, 2002

Added NTLM support. See the Usage statement for how to use it. It
should be otherwise transparent. It was tested on IIS 5.0, so your
milage may vary. Example:
./spkproxy.py -U Administrator -P jbone -D localhost
will automatically log in as Administrator with the password of jbone
and the domain of localhost wherever presented with an NTLM challenge.
This works even during scans, although scans will now take 3
times as long. 


Added "ordering" to arguments, since that was causing some problems
with some applications.

Added Frostman's SPIKE Proxy Usage document to directory.

Fixed other associated bugs, some of which were quite bad, so 
do upgrade.

Added Auto-Version-Check. You can disable this in spkproxy.py if
it bugs you.


1.4.3
Oct 23, 2002
   o Win32 now supported (really really long URLS may break due to 
     Win32 directory length restrictions)
   o fr0stman <fr0stman@sun-tzu-security.net> added many changes to logging
     and additional bugfixes that made various subsystems actually work
     including manual rewriting, and password and injection scanning.
   Note: To do password scanning, it is best to go into the configuration
         menu, and then remove everything from Success List, unless you
	 know explicitly what the server will say on success. Then
	 add something from the failure page into the failure list,
	 add a list of words to the passwordlist, and then start
	 your scan.
   o VulnXML added
     o Now has Nikto/Whisker functionality
     o script to convert from Nikto database to VulnXML added
     o Directory, File, and Site scanning is supported and tested.
     o IIS ASP Chunked overflow is properly detected
     o Variable scanning is theoretically there, but not tested
     o Any successful vulnerability check is saved off for review

1.3
Sep 26, 2002
Crawling
   o added form parser
   o added rawparser for when SGML parser fails
   o caught SGML parser failing exception nicely
   o removed If- headers when crawling
   o revitalized core logic to work better against various test pages
   o don't forget that crawling MUST start from a page - so to initiate 
     it go to a page and then you'll see the crawl option
Core engine
   o handles chunked responses much better
   o handles all responses better in general - many fixes to spkproxy.py 
     If a page doesn't work now, I'd like to know about it
   o Fixed servers that close sockets even if I have keep-alive on
   o added deletion of headers to header API
UI
   o Added stop-all-actions and start-actions to enable a user to stop a runaway argscan or dirscan or overflow or crawl
     To use this, just click on stop while the action is happening, and then later click on start again to enable
     automatic functionality
   o Added dirscan - to use this go to the root of where you want to start your scan
     o file extention scan looks for file.bak, file~, etc
     o directory scan looks for common directories. I have a long list in words, and if this is
       too long for you, replace words with shortwords and retry your dirscan
   o Added time to logging information, and extended logging information fields to 1500.
   o Slowed log page refresh to 25 seconds (you can always click refresh to get it immediately)




1.2
Sep 4, 2002
Crawling support added (click crawl on any page to crawl from that page)
  o if the SGML parser gives you an exception, that means that for
    some reason it can't handle that kind of file. Add that extention
    to the invalidHTMLExtentions array at the very top of spikeUI
  o the SPIKE Proxy crawler will NOT crawl past the site you are doing,
    and will not crawl from http to https or vice versa. If you want
    to do this, you have to go to a page on the https site and start
    a crawl from there
  o There is still no way to STOP a crawl other than Control-C or
    killall /usr/bin/python (more effective)
  o The crawler doesn't go downloading every jpg,png and .tgz file
    it finds. In fact, it ignores them. Download those files 
    manually if you like.

./cleanup.sh added to erase your saved pages tree.
POST fuzzing fixed 


1.1:
July 22
 Finished SPIKE Proxy UI
 Features:
   o argscan (ODBC error finder)
   o rewrite requests
   o fun 
   

1.0: 
 o first release to public

 Features:
 Fully threaded model
 Supports Connection: keep-alive
 Fast, efficient transfer
 Supports Chunked Encoding
 Supports Connection: close
 Supports changing User-Agent to IE 5.0 (default)
 Supports bizzare arguments (like ebay uses)
 Supports SSL (uses pyOpenSSL version 5.0pre or greater)
 Can log into Hotmail, unlike other proxies I've tried

 Non-Features:
 No user interface beyond printing out queries at the moment
 Use SPIKE v2.4 or > to create fuzz scripts, if such is
 your wont. This will be fixed in future releases.
