Skipfish is an active web application security reconnaissance tool from Google.
It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
Advantages
- Free and open source.
- High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.
- Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form auto completion.
- Automatic wordlist construction based on site content analysis.
- Probabilistic scanning features to allow periodic, time-bound assessments of arbitrarily complex sites.
- Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.
Tests Implemented
A rough list of the security checks offered by the tool is outlined below.
- Server-side SQL injection (including blind vectors, numerical parameters).
- Explicit SQL-like syntax in GET or POST parameters.
- Server-side shell command injection (including blind vectors).
- Server-side XML / XPath injection (including blind vectors).
- Format string vulnerabilities.
- Integer overflow vulnerabilities.
- Stored and reflected XSS vectors in document body (minimal JS XSS support present).
- Stored and reflected XSS vectors via HTTP redirects.
- Stored and reflected XSS vectors via HTTP header splitting.
- Directory traversal (including constrained vectors).
- HTTP credentials in URLs.
- Self-signed SSL certificates.
- Internal warnings such as failed resource fetch attempts, exceeded crawl limits, failed 404 behaviour checks, etc.
- And many more.
Download skipfish
The following list of products and tools provides web application security scanner functionality.
Commercial Tools
- Acunetix WVS by Acunetix
- AppScan by IBM
- Burp Suite Professional by PortSwigger
- Hailstorm by Cenzic
- MileScan Web Security Auditor by MileSCAN Technologies
- N-Stalker by N-Stalker
- Nessus by Tenable Network Security
- NetSparker by Mavituna Security
- NeXpose by Rapid7
- NTOSpider by NTObjectives
- Retina Web Security Scanner by eEye Digital Security
- WebApp360 by nCircle
- WebInspect by HP
- WebKing by Parasoft
Software-as-a-Service Providers
- AppScan OnDemand by IBM
- ClickToSecure by Cenzic
- QualysGuard Web Application Scanning by Qualys
- Sentinel by WhiteHat
- Veracode Web Application Security by Veracode
- WebInspect by HP
- WebScanService by Elanize KG
Free / Open Source Tools
- Grabber by Romain Gaucher
- Grendel-Scan by David Byrne and Eric Duprey
- Paros by Chinotec
- Powerfuzzer by Marcin Kozlowski
- SecurityQA Toolbar by iSEC Partners
- W3AF by Andres Riancho
- Wapiti by Nicolas Surribas