skipfish - web application security scanner

What is skipfish?

Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Why should I bother with this particular tool?

A number of commercial and open source tools with analogous functionality is readily available (e.g., Nikto, Nessus); stick to the one that suits you best. That said, skipfish tries to address some of the common problems associated with web security scanners. Specific advantages include:

High performance: 500+ requests per second against responsive Internet targets, 2000+ requests per second on LAN / MAN networks, and 7000+ requests against local instances have been observed, with a very modest CPU, network, and memory footprint. This can be attributed to:

Multiplexing single-thread, fully asynchronous network I/O and data processing model that eliminates memory management, scheduling, and IPC inefficiencies present in some multi-threaded clients.

Advanced HTTP/1.1 features such as range requests, content compression, and keep-alive connections, as well as forced response size limiting, to keep network-level overhead in check.

Smart response caching and advanced server behavior heuristics are used to minimize unnecessary traffic.

Performance-oriented, pure C implementation, including a custom HTTP stack.

Ease of use: skipfish is highly adaptive and reliable. The scanner features:

* Heuristic recognition of obscure path- and query-based parameter handling schemes.

* Graceful handling of multi-framework sites where certain paths obey a completely different semantics, or are subject to different filtering rules.

* Automatic wordlist construction based on site content analysis.

* Probabilistic scanning features to allow periodic, time-bound assessments of arbitrarily complex sites.

* Well-designed security checks: the tool is meant to provide accurate and meaningful results:

* Handcrafted dictionaries offer excellent coverage and permit thorough $keyword.$extension testing in a reasonable timeframe.

* Three-step differential probes are preferred to signature checks for detecting vulnerabilities.



* Ratproxy-style logic is used to spot subtle security problems: cross-site request forgery, cross-site script inclusion, mixed content, issues MIME- and charset mismatches, incorrect caching directives, etc.

* Bundled security checks are designed to handle tricky scenarios: stored XSS (path, parameters, headers), blind SQL or XML injection, or blind shell injection.

* Report post-processing drastically reduces the noise caused by any remaining false positives or server gimmicks by identifying repetitive patterns.

All right, I want to try it out. What do I need to know?

Read on here SkipfishDoc - skipfish - Project documentation - Project Hosting on Google Code