
June 15, 2011

Skipfish 1.94b Released - Web Application Security Scanner


What is Skipfish?

Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Why should I bother with this particular tool?

A number of commercial and open source tools with analogous functionality are readily available (e.g., Nikto, Websecurify, Netsparker, w3af, Arachni); stick to the one that suits you best. That said, skipfish tries to address some of the common problems associated with web security scanners. Specific advantages include:

High performance: 500+ requests per second against responsive Internet targets, 2000+ requests per second on LAN / MAN networks, and 7000+ requests per second against local instances have been observed, with a very modest CPU, network, and memory footprint. This can be attributed to:
  • Multiplexing single-thread, fully asynchronous network I/O and data processing model that eliminates memory management, scheduling, and IPC inefficiencies present in some multi-threaded clients.
  • Advanced HTTP/1.1 features such as range requests, content compression, and keep-alive connections, as well as forced response size limiting, to keep network-level overhead in check.
  • Smart response caching and advanced server behavior heuristics are used to minimize unnecessary traffic.
  • Performance-oriented, pure C implementation, including a custom HTTP stack.
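The I/O model described in the list above, as an added illustration that is not skipfish's own code (skipfish is written in C with its own HTTP stack): a toy single-threaded asyncio crawler that drives several connections concurrently on one event loop, reuses each keep-alive connection for more than one request, and caps every response body with a Range header so a large page never costs more than a fixed number of bytes. The in-process server, the two page bodies and the 64-byte cap are all constructed for the demo and are assumptions, not skipfish's internals.

```python
import asyncio

# Constructed pages served by the in-process demo server (not real site content).
FAKE_PAGES = {
    "/": b"<html>" + b"x" * 500 + b"</html>",   # long body: only a prefix is worth fetching
    "/about": b"short page",                     # shorter than the cap: served whole
}
MAX_BODY = 64  # forced response size limit for the crawler (an assumption for the demo)


async def handle(reader, writer):
    """Minimal HTTP/1.1-style server: keeps the connection open and honours simple Range headers."""
    while True:
        request_line = await reader.readline()
        if not request_line:                # client closed the keep-alive connection
            break
        headers = {}
        while True:
            line = await reader.readline()
            if line in (b"\r\n", b""):
                break
            name, _, value = line.decode().partition(":")
            headers[name.strip().lower()] = value.strip()
        path = request_line.split()[1].decode()
        body = FAKE_PAGES.get(path)
        if body is None:
            status, body = "404 Not Found", b"not found"
        else:
            status = "200 OK"
            if "range" in headers:          # "bytes=0-63" -> first 64 bytes only
                lo, hi = headers["range"].split("=", 1)[1].split("-")
                partial = body[int(lo):int(hi) + 1]
                if len(partial) < len(body):
                    status, body = "206 Partial Content", partial
        head = f"HTTP/1.1 {status}\r\nContent-Length: {len(body)}\r\nConnection: keep-alive\r\n\r\n"
        writer.write(head.encode() + body)
        await writer.drain()
    writer.close()


async def fetch_many(host, port, paths, max_bytes):
    """Fetch all paths over ONE keep-alive connection, asking for at most max_bytes of each body."""
    reader, writer = await asyncio.open_connection(host, port)
    results = []
    for path in paths:
        request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
                   f"Range: bytes=0-{max_bytes - 1}\r\nConnection: keep-alive\r\n\r\n")
        writer.write(request.encode())
        await writer.drain()
        status = (await reader.readline()).decode().split()[1]
        length = 0
        while True:
            line = await reader.readline()
            if line in (b"\r\n", b""):
                break
            name, _, value = line.decode().partition(":")
            if name.strip().lower() == "content-length":
                length = int(value)
        body = await reader.readexactly(length)   # never more than max_bytes thanks to Range
        results.append((path, status, len(body)))
    writer.close()
    await writer.wait_closed()
    return results


async def _crawl(connections):
    server = await asyncio.start_server(handle, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    try:
        # One thread, one event loop: each connection makes progress while the others wait on the network.
        jobs = [fetch_many("127.0.0.1", port, list(FAKE_PAGES), MAX_BODY) for _ in range(connections)]
        return await asyncio.gather(*jobs)
    finally:
        server.close()
        await server.wait_closed()


def run_demo(connections=3):
    """Returns one result list per connection; each entry is (path, status, bytes received)."""
    return asyncio.run(_crawl(connections))


if __name__ == "__main__":
    for batch in run_demo():
        print(batch)
```

Each connection reports the 513-byte front page as a 206 with exactly 64 bytes received and the short page as a plain 200, which is the point of the Range trick: the crawler decides the cost of a response before it is sent rather than reading and discarding it afterwards, and the connection stays reusable because the body was read to completion.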
Ease of use: skipfish is highly adaptive and reliable. The scanner features:
  • Heuristic recognition of obscure path- and query-based parameter handling schemes.
  • Graceful handling of multi-framework sites where certain paths obey a completely different semantics, or are subject to different filtering rules.
  • Automatic wordlist construction based on site content analysis.
  • Probabilistic scanning features to allow periodic, time-bound assessments of arbitrarily complex sites.
Well-designed security checks: the tool is meant to provide accurate and meaningful results:
  • Handcrafted dictionaries offer excellent coverage and permit thorough $keyword.$extension testing in a reasonable timeframe.
  • Three-step differential probes are preferred to signature checks for detecting vulnerabilities.
  • Ratproxy-style logic is used to spot subtle security problems: cross-site request forgery, cross-site script inclusion, mixed content, MIME- and charset-mismatch issues, incorrect caching directives, etc.
  • Bundled security checks are designed to handle tricky scenarios: stored XSS (path, parameters, headers), blind SQL or XML injection, or blind shell injection.
  • Report post-processing drastically reduces the noise caused by any remaining false positives or server gimmicks by identifying repetitive patterns.
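The "three-step differential probes" and the "repetitive patterns" post-processing in the list above, as an added example that is not skipfish's own code: a plausible reconstruction in Python of why a differential verdict produces fewer false positives than a signature match. All responses are constructed for the demo, and the stability check, the bag-of-words fingerprint, the 0.9 similarity threshold and the signature phrase list are assumptions made here, not skipfish's actual internals.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed responses for the demo (not captured from any real site).
CATALOG = "<html><body><h1>Catalog</h1><p>Item 42 costs 10 USD</p><p>Served at 12:30:15</p></body></html>"
CATALOG_LATER = CATALOG.replace("12:30:15", "12:30:16")   # same page one second later
CATALOG_OTHER = "<html><body><h1>Catalog</h1><p>Item 43 costs 12 USD</p><p>Served at 12:31:02</p></body></html>"
CATALOG_QUOTE = CATALOG.replace("Served at 12:30:15",
                                "Quote of the day: brevity is the soul of wit and tediousness the limbs and outward flourishes")
NOT_FOUND = "<html><body><h1>Catalog</h1><p>No such item</p></body></html>"
APP_ERROR = "<html><body><h1>Application error</h1><p>Unexpected input</p></body></html>"
FAQ = "<html><body><h1>FAQ</h1><p>If the log shows a syntax error, check the quoting of the query</p></body></html>"

# Phrases a naive signature-based scanner would fire on (assumed for the demo).
SIGNATURES = ("syntax error", "stack trace")
THRESHOLD = 0.9   # similarity above which two responses count as "the same page" (assumed)

WORD_RE = re.compile(r"[A-Za-z0-9_]+")


def fingerprint(body: str) -> Counter:
    """Bag of words with digit runs collapsed, so timestamps and counters do not look like changes."""
    return Counter(re.sub(r"\d+", "0", w) for w in WORD_RE.findall(body))


def similarity(a: Counter, b: Counter) -> float:
    """Multiset Jaccard similarity: shared tokens divided by all tokens."""
    inter = sum((a & b).values())
    union = sum((a | b).values())
    return 1.0 if union == 0 else inter / union


def signature_check(body: str) -> bool:
    """The approach the page contrasts with: fire whenever a known phrase appears anywhere."""
    lowered = body.lower()
    return any(s in lowered for s in SIGNATURES)


def classify_probe(baseline: List[str], probe: str, control: str) -> str:
    """Three-step differential verdict.
    baseline: responses to the unmodified request, repeated to measure page stability
    probe:    response to the request carrying the test value
    control:  response to a harmless value of the same shape (e.g. another valid id)
    """
    fps = [fingerprint(b) for b in baseline]
    stability = min((similarity(fps[0], f) for f in fps[1:]), default=1.0)
    if stability < THRESHOLD:
        return "unstable"             # page changes by itself; a difference proves nothing
    probe_fp, control_fp = fingerprint(probe), fingerprint(control)
    if similarity(fps[0], probe_fp) >= THRESHOLD:
        return "no-change"            # the probe had no visible effect
    if similarity(probe_fp, control_fp) >= THRESHOLD:
        return "parameter-dependent"  # any changed value gives this page (e.g. "not found")
    return "candidate"                # only the probe changed behaviour: worth a human look


def collapse_repetitive(findings: List[Tuple[str, str]]) -> Dict[Tuple[str, str], int]:
    """Report post-processing: fold URLs that differ only in numbers into one pattern with a count."""
    counts: Counter = Counter()
    for url, verdict in findings:
        counts[(re.sub(r"\d+", "<n>", url), verdict)] += 1
    return dict(counts)


def demo() -> Dict[str, str]:
    stable = [CATALOG, CATALOG_LATER]
    return {
        "error page only for probe": classify_probe(stable, APP_ERROR, CATALOG_OTHER),
        "not-found for any bad id": classify_probe(stable, NOT_FOUND, NOT_FOUND),
        "probe changed nothing": classify_probe(stable, CATALOG_LATER, CATALOG_OTHER),
        "page differs between visits": classify_probe([CATALOG, CATALOG_QUOTE], APP_ERROR, CATALOG_OTHER),
        "faq mentioning the phrase": classify_probe([FAQ, FAQ], FAQ, FAQ),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:30} -> {verdict}")
    print("signature on FAQ page:", signature_check(FAQ), "| on error page:", signature_check(APP_ERROR))
```

The FAQ page shows the trade-off in one line: a signature scanner flags it because the phrase "syntax error" appears in help text, while the differential verdict is "no-change" because the page looks the same no matter what is sent. Conversely the application-error page carries no known phrase, so only the differential check surfaces it, and the "not found for any bad id" case is the kind of server gimmick the control request exists to filter. When triaging a report, collapse_repetitive is the step that turns fifty identical findings on /item/1 to /item/50 into one line with a count.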
Some users had a problem getting it running: it does have one dependency. Assuming you are on a Debian-based distro, all you need to do is:

apt-get install libidn11

The minimum syntax required to run the tool would be:

./skipfish -o /home/youruser -W dictionaries/standard.wl http://yoursite.com

That should be enough to get you started!

It’s a pretty powerful tool and likely to pick up issues that Nessus or Nikto might miss.

You can download Skipfish 1.94b here:

skipfish-1.94b.tgz

Or read more here.