Skipfish, Web Application Security Scanner By Google

Written by on March 22, 2010 in Tools - 3 Comments

Google released a new security tool Skipfish; a fully automated, active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
Skipfish key features:
High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.
Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.
The second release, version 1.1 beta, came out just a few hours ago. It is available for Linux, FreeBSD 7.0+, Mac OS X, and Windows (via Cygwin), under the terms and conditions of the Apache License, version 2.0.
More information and download at http://code.google.com/p/skipfish/
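The crawl-plus-dictionary approach described above, at the request rates quoted, leaves a recognisable trace on the server side: one client issuing a dense burst of requests, most of which land on paths that do not exist. The following Python script is an added example, not part of the original post or of the Skipfish project, that applies that heuristic to access-log lines in Combined Log Format. The log lines are constructed for the example, and the thresholds (at least 5 requests, at least 50 % of them 404, at least 2 requests per second) are illustrative assumptions rather than measured values.

```python
"""Flag clients whose traffic looks like an automated dictionary-based crawl:
a burst of requests at high rate, mostly against paths that do not exist."""
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format prefix: host ident user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines (not taken from any real server).
# 10.0.0.5 browses three existing pages over 20 seconds.
# 192.0.2.77 fires eight requests within about a second, seven of them 404s.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Mar/2010:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [22/Mar/2010:10:00:07 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [22/Mar/2010:10:00:20 +0000] "GET /contact.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.77 - - [22/Mar/2010:10:01:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [22/Mar/2010:10:01:00 +0000] "GET /admin HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.77 - - [22/Mar/2010:10:01:00 +0000] "GET /backup HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.77 - - [22/Mar/2010:10:01:00 +0000] "GET /config.bak HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.77 - - [22/Mar/2010:10:01:01 +0000] "GET /test.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.77 - - [22/Mar/2010:10:01:01 +0000] "GET /old HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.77 - - [22/Mar/2010:10:01:01 +0000] "GET /index.html.bak HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.77 - - [22/Mar/2010:10:01:01 +0000] "GET /login HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "host": m["host"],
        "time": datetime.strptime(m["time"], TIME_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def per_client_stats(lines):
    """Aggregate request count, 404 count, time span and distinct paths per client."""
    stats = defaultdict(
        lambda: {"n": 0, "not_found": 0, "first": None, "last": None, "paths": set()}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        s = stats[rec["host"]]
        s["n"] += 1
        s["not_found"] += rec["status"] == 404
        s["paths"].add(rec["path"])
        t = rec["time"]
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
    return stats


def flag_probing_clients(lines, min_requests=5, min_404_ratio=0.5, min_rate=2.0):
    """Return clients that exceed all three thresholds (values are illustrative assumptions)."""
    flagged = {}
    for host, s in per_client_stats(lines).items():
        if s["n"] < min_requests:
            continue
        # Log timestamps have one-second resolution; treat a sub-second burst as one second.
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        rate = s["n"] / span
        ratio = s["not_found"] / s["n"]
        if ratio >= min_404_ratio and rate >= min_rate:
            flagged[host] = {
                "requests": s["n"],
                "rate_per_s": rate,
                "not_found_ratio": ratio,
                "distinct_paths": len(s["paths"]),
            }
    return flagged


if __name__ == "__main__":
    for host, info in flag_probing_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {info}")
```

The two thresholds work together on purpose: a legitimate crawler also collects 404s from stale links, but at a low ratio and a modest rate, while a human clicking through a site rarely exceeds either bound. Tune `min_requests`, `min_404_ratio` and `min_rate` against a baseline of your own traffic before acting on the output.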

3 Comments on "Skipfish, Web Application Security Scanner By Google"

  1. anonymous May 27, 2010 at 9:42 am · Reply

    WebCruiser – Web Vulnerability Scanner
    WebCruiser – Web Vulnerability Scanner, a compact but powerful web security scanning tool that will aid you in auditing your site! It has a Vulnerability Scanner and a series of security tools.
    It can support scanning website as well as POC (Proving of concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, XPath Injection etc. So, WebCruiser is also an automatic SQL injection tool, an XPath injection tool, and a Cross Site Scripting tool!
    Function:
    * Crawler(Site Directories And Files);
    * Vulnerability Scanner(SQL Injection, Cross Site Scripting, XPath Injection etc.);
    * POC(Proof of Concept): SQL Injection, Cross Site Scripting, XPath Injection etc.;
    * GET/Post/Cookie Injection;
    * SQL Server: PlainText/Union/Blind Injection;
    * MySQL/DB2/Access: Union/Blind Injection;
    * Oracle: Union/Blind/CrossSite Injection;
    * Post Data Resend;
    * Administration Entrance Search;
    * Time Delay For Search Injection;
    * Auto Get Cookie From Web Browser For Authentication;
    * Report Output.
    System Requirement: Windows with .Net Framework 2.0 or higher
    http://sec4app.com/
    http://websecurityscanner.blogspot.com/

  2. Pascal July 5, 2010 at 3:37 pm · Reply

    My fav web application security scanner is Websecurify. I am not versed in security at all and the tool fits me well enough to use it on a daily basis.
    I also find that Websecurify is a lot faster than skipfish, which I have tried to use a couple of times with no success.
    All in all, it is a great cross-platform tool (I am stuck with Mac, XCode and TextMate) and it is free.
