Google has released Skipfish, a new fully automated, active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
Skipfish key features:
- High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.
- Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
- Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.
Version 1.1 beta, the second release, came out just a few hours ago. It is available for Linux, FreeBSD 7.0+, MacOS X, and Windows (via Cygwin), under the terms and conditions of the Apache License, version 2.0.
More information and download at http://code.google.com/p/skipfish/




3 Comments on "Skipfish, Web Application Security Scanner By Google"
WebCruiser – Web Vulnerability Scanner
WebCruiser – Web Vulnerability Scanner, a compact but powerful web security scanning tool that will aid you in auditing your site! It has a Vulnerability Scanner and a series of security tools.
It can support scanning websites as well as POC (Proving of Concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, XPath Injection etc. So, WebCruiser is also an automatic SQL injection tool, an XPath injection tool, and a Cross Site Scripting tool!
Function:
* Crawler (Site Directories And Files);
* Vulnerability Scanner (SQL Injection, Cross Site Scripting, XPath Injection etc.);
* POC (Proof of Concept): SQL Injection, Cross Site Scripting, XPath Injection etc.;
* GET/Post/Cookie Injection;
* SQL Server: PlainText/Union/Blind Injection;
* MySQL/DB2/Access: Union/Blind Injection;
* Oracle: Union/Blind/CrossSite Injection;
* Post Data Resend;
* Administration Entrance Search;
* Time Delay For Search Injection;
* Auto Get Cookie From Web Browser For Authentication;
* Report Output.
System Requirement: Windows with .Net Framework 2.0 or higher
http://sec4app.com/
http://websecurityscanner.blogspot.com/
My fav web application security scanner is Websecurify. I am not versed with security at all and the tool fits me well enough to use it on a daily basis.
I also find that Websecurify is a lot faster than skipfish, which I have tried to use a couple of times with no success.
All in all, it is a great cross-platform tool (I am stuck with Mac, XCode and TextMate) and it is free.