
Web Application Security Scanner by Google - Skipfish

Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Keep in mind that all types of security testing can be disruptive. Although the skipfish scanner is designed not to carry out malicious attacks, it may accidentally interfere with the operations of the site. You must accept the risk, and plan accordingly. Run the scanner against test instances where feasible, and be prepared to deal with the consequences if things go wrong.

Use skipfish only against services you own, or have permission to test.
Use skipfish at your own risk.

Skipfish features:
High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets.

Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.

Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.

Skipfish installation:
Open a terminal from Applications > Accessories > Terminal, and type the following command to install:
sudo apt-get install skipfish
Using Skipfish:
Once you have the dictionary selected, you can try:
$ skipfish -o output_dir http://www.example.com/
Note that you can provide more than one starting URL if so desired; all of them will be crawled.

The tool will display some helpful stats while the scan is in progress (as shown in the image below). You can also switch to a list of in-flight HTTP requests by pressing return.


In the example above, skipfish will scan the entire www.example.com (including services on other ports, if linked to from the main page), and write a report to output_dir/index.html. You can then view this report with your favorite browser.
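
The rule above about scanning only services you own or have permission to test can be checked before the scan starts. The following wrapper is an added example, not part of the original post or of skipfish: it compares every starting URL against an allowlist and only then runs the command shown above. ALLOWED_HOSTS and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example: launch skipfish only if every starting URL is in scope.
# ALLOWED_HOSTS (hypothetical) holds space-separated hostnames you are
# authorized to test, e.g. ALLOWED_HOSTS="www.example.com staging.example.com"

# Print the lowercase hostname of an http(s) URL; fail on anything else.
url_host() {
  local url rest host
  url=$1
  case $url in
    http://*|https://*) ;;
    *) return 1 ;;
  esac
  rest=${url#*://}        # drop the scheme
  rest=${rest%%[/?#]*}    # drop path, query and fragment
  rest=${rest##*@}        # drop userinfo: "allowed@other" is really "other"
  host=${rest%%:*}        # drop the port
  [ -n "$host" ] || return 1
  printf '%s\n' "$host" | tr 'A-Z' 'a-z'
}

# Exact match against ALLOWED_HOSTS; no prefix, suffix or substring matching.
in_scope() {
  local host allowed
  host=$(url_host "$1") || return 1
  for allowed in $ALLOWED_HOSTS; do
    [ "$host" = "$allowed" ] && return 0
  done
  return 1
}

# Succeed only if at least one URL is given and all of them are in scope.
check_scope() {
  local url
  [ "$#" -gt 0 ] || return 1
  for url in "$@"; do
    in_scope "$url" || { echo "out of scope: $url" >&2; return 1; }
  done
}

# Script usage: ALLOWED_HOSTS="..." ./scan.sh output_dir URL [URL...]
if [ "$#" -ge 2 ]; then
  out=$1; shift
  check_scope "$@" || exit 2
  exec skipfish -o "$out" "$@"
fi
```

The check covers the starting URLs only; as noted above, the crawl itself can still reach services on other ports that the main page links to.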


