(Update) Skipfish Active web application scanner v1.08 beta just released
Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks.
- High performance: 500+ requests per second against responsive Internet targets, 2000+ requests per second on LAN / MAN networks, and 7000+ requests per second against local instances have been observed, with a very modest CPU, network, and memory footprint. This can be attributed to:
  - A multiplexing, single-thread, fully asynchronous network I/O and data processing model that eliminates the memory management, scheduling, and IPC inefficiencies present in some multi-threaded clients.
  - Advanced HTTP/1.1 features such as range requests, content compression, and keep-alive connections, as well as forced response size limiting, to keep network-level overhead in check.
  - Smart response caching and advanced server behavior heuristics, used to minimize unnecessary traffic.
  - A performance-oriented, pure C implementation, including a custom HTTP stack.
- Ease of use: skipfish is highly adaptive and reliable. The scanner
  - Heuristic recognition of obscure path- and query-based parameter
  - Graceful handling of multi-framework sites where certain paths obey completely different semantics, or are subject to different filtering rules.
  - Automatic wordlist construction based on site content analysis.
  - Probabilistic scanning features to allow periodic, time-bound assessments of arbitrarily complex sites.
- Well-designed security checks: the tool is meant to provide accurate and
  - Three-step differential probes are preferred to signature checks for detecting vulnerabilities.
  - Ratproxy-style logic is used to spot subtle security problems: cross-site request forgery, cross-site script inclusion, mixed content, MIME- and charset mismatches, incorrect caching directives, etc.
  - Bundled security checks are designed to handle tricky scenarios: stored XSS (path, parameters, headers), blind SQL or XML injection, or blind shell injection.
  - Report post-processing drastically reduces the noise caused by any remaining false positives or server gimmicks by identifying repetitive
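As an added illustration of the post-processing idea above (this is not skipfish's own code, and the grouping rule is an assumption about what "repetitive" findings look like): a server that answers every unknown path with the same "soft 404" page makes many probes raise the same finding, and collapsing such groups into one entry removes that noise without touching genuine, path-specific results.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    issue: str        # name of the check that fired
    path: str         # URL path the finding was raised on
    status: int       # HTTP status of the triggering response
    body_sig: str     # coarse signature of the response body (constructed)


# Constructed sample report: four directory probes all hit the same
# catch-all page, one hits a real index page, one is an unrelated finding.
SAMPLE = [
    Finding("dir-listing", "/admin/", 200, "soft404"),
    Finding("dir-listing", "/backup/", 200, "soft404"),
    Finding("dir-listing", "/old/", 200, "soft404"),
    Finding("dir-listing", "/tmp/", 200, "soft404"),
    Finding("dir-listing", "/static/", 200, "apache-index"),
    Finding("xss-reflected", "/search", 200, "echo-1"),
]


def collapse_repetitive(findings, threshold=3):
    """Group findings by (issue, status, body signature). A group that
    recurs across `threshold` or more distinct paths is treated as a
    server-wide pattern and reported once as repetitive; every other
    finding passes through unchanged. Returns (kept, repetitive)."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f.issue, f.status, f.body_sig)].append(f)
    kept, repetitive = [], []
    for key, members in groups.items():
        paths = sorted({m.path for m in members})
        if len(paths) >= threshold:
            repetitive.append({"key": key, "paths": paths})
        else:
            kept.extend(members)
    return kept, repetitive


if __name__ == "__main__":
    kept, rep = collapse_repetitive(SAMPLE)
    print(f"{len(kept)} findings kept, {len(rep)} repetitive group(s) folded")
```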
The tool is believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.
Note and Changelog:
The issues with MacOS X & FreeBSD are fixed.
- A minor improvement to XHTML / XML detection.
- Several build fixes for FreeBSD, MacOS X.
- Minor documentation updates.
- Final workaround for FORTIFY_SOURCE on MacOS X.
- Workaround for *BSD systems with malloc J or Z options set.
- A minor tweak to reject certain not-quite-URLs extracted from JS.
- Workaround for a glitch in glibc "fortify".
- Initial public release.