(update) Skipfish Active web application scanner v1.29b released

Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks.

Key Features:

  • High performance: 500+ requests per second against responsive Internet targets, 2000+ requests per second on LAN / MAN networks, and 7000+ requests against local instances have been observed, with a very modest CPU, network, and memory footprint. This can be attributed to:
      • Multiplexing single-thread, fully asynchronous network I/O and data processing model that eliminates memory management, scheduling, and IPC inefficiencies present in some multi-threaded clients.
      • Advanced HTTP/1.1 features such as range requests, content compression, and keep-alive connections, as well as forced response size limiting, to keep network-level overhead in check.
      • Smart response caching and advanced server behavior heuristics are used to minimize unnecessary traffic.
      • Performance-oriented, pure C implementation, including a custom HTTP stack.
  • Ease of use: skipfish is highly adaptive and reliable. The scanner features:
      • Heuristic recognition of obscure path- and query-based parameter handling schemes.
      • Graceful handling of multi-framework sites where certain paths obey completely different semantics, or are subject to different filtering rules.
      • Automatic wordlist construction based on site content analysis.
      • Probabilistic scanning features to allow periodic, time-bound assessments of arbitrarily complex sites.
  • Well-designed security checks: the tool is meant to provide accurate and meaningful results:
      • Three-step differential probes are preferred to signature checks for detecting vulnerabilities.
      • Ratproxy-style logic is used to spot subtle security problems: cross-site request forgery, cross-site script inclusion, mixed content, MIME- and charset mismatches, incorrect caching directives, etc.
      • Bundled security checks are designed to handle tricky scenarios: stored XSS (path, parameters, headers), blind SQL or XML injection, or blind shell injection.
      • Report post-processing drastically reduces the noise caused by any remaining false positives or server gimmicks by identifying repetitive patterns.

The tool is believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.

Changes Version 1.29b:

  • Forms with no action= URL are now handled correctly.
  • New option (-u) to suppress realtime info.
  • Destination host displayed on stats screen.

Changelog Version 1.28b:

  • Forms with no action= URL are now handled correctly.
  • New option (-u) to suppress realtime info.
  • Destination host displayed on stats screen.