Skipfish – Automated web security scanner
A couple of days ago (March 19th) Michal Zalewski, famous for tools such as p0f and his excellent book ‘Silence on the Wire’, announced the release of an open source automated web security scanner called Skipfish on the Google Online Security Blog.

Key features:
High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.
Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.
Skipfish works from dictionary files with the .wl extension. According to the Skipfish documentation these dictionaries are of critical importance to the quality of your scans. Each entry in the dictionary is either an extension (e) or a wordlist entry (w). The documentation describes how they are used: “When a new directory, or a file-like query or POST parameter is discovered, the scanner attempts passing all possible
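To make the dictionary mechanism concrete, here is an added example (not Skipfish's own code, and not from the original post) that parses a small constructed .wl-style dictionary and expands it into the candidate paths a crawler would probe under one discovered directory. It assumes the entry format of Skipfish 1.x dictionaries: a type letter (`e` or `w`) first, the keyword last, and any numeric usage counters in between ignored; the expansion to `word` and `word.ext` under each directory is also an assumption about the scanner's behaviour, chosen to show why the request count grows so quickly.

```python
"""Parse a Skipfish-style .wl dictionary and expand it into probe paths.

Added example, not Skipfish's own code. Assumptions (labelled):
- each non-comment line starts with a type letter, 'e' (extension) or
  'w' (word), and ends with the keyword; numeric counters in between
  are ignored.
- lines starting with '#' are comments.
- the crawler tries `word` and every `word.ext` under each directory.
"""
from itertools import product

# Constructed sample dictionary (not the real default.wl shipped with Skipfish)
SAMPLE_WL = """\
# constructed sample, skipfish-style
e 1 1 1 php
e 1 1 1 html
e 1 1 1 bak
w 1 1 1 admin
w 1 1 1 login
w 1 1 1 config
x 1 1 1 bogus
"""


def parse_wordlist(text):
    """Return (extensions, words, skipped).

    `skipped` lists (line number, line) for entries whose type letter is
    not 'e' or 'w', so a malformed dictionary is visible instead of silently
    shrinking the scan.
    """
    exts, words, skipped = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        if len(fields) < 2:
            skipped.append((lineno, line))
            continue
        kind, keyword = fields[0], fields[-1]
        if kind == 'e':
            exts.append(keyword.lstrip('.'))
        elif kind == 'w':
            words.append(keyword)
        else:
            skipped.append((lineno, line))
    return exts, words, skipped


def candidate_paths(directory, exts, words, max_requests=None):
    """Expand words x extensions into probe paths under `directory`.

    Bare words come first, then word.ext pairs. `max_requests` caps the
    list, mirroring why a global request limit matters on a big tree.
    """
    base = directory.rstrip('/') + '/'
    candidates = [base + w for w in words]
    candidates += [f"{base}{w}.{e}" for w, e in product(words, exts)]
    if max_requests is not None:
        candidates = candidates[:max_requests]
    return candidates


def probe_count(n_words, n_exts, n_dirs=1):
    """Requests one dictionary pass issues across n_dirs directories:
    every word alone plus every word/extension pair, per directory."""
    return n_dirs * n_words * (n_exts + 1)


if __name__ == "__main__":
    exts, words, skipped = parse_wordlist(SAMPLE_WL)
    for path in candidate_paths('/dvwa', exts, words):
        print(path)
    print("skipped entries:", skipped)
    # A few hundred directories times a real dictionary is already millions
    print("probes for 500 directories:", probe_count(len(words), len(exts), 500))
```

The `probe_count` helper is the part worth keeping in mind when sizing a scan: the work is roughly directories × words × (extensions + 1) before any form or parameter fuzzing, which is why a dictionary choice and a request cap change runtime by orders of magnitude.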
Naturally I ran Skipfish against DVWA to see how it performed and how many vulnerabilities it picked up. The first time I ran it against DVWA I used the following command: “./skipfish -A admin:password -C security=low -o /home/user/Desktop/skipfish_dvwa -W /home/user/Desktop/skipfish/dictionaries/default.wl http://127.0.0.1/dvwa/login.php”.
The command above is supplying the DVWA HTTP Form username and password (-A admin:password), setting the cookie (-C security=low), giving the output directory (-o /home/user/Desktop/skipfish_dvwa), selecting the default dictionary (-W /home/user/Desktop/skipfish/dictionaries/default.wl) and finally selecting the target (http://127.0.0.1/dvwa/login.php).
50 million requests and 24 hours later Skipfish was still going. At first I thought this may have been how Skipfish worked and started Tweeting about my findings. I ran some further tests, this time limiting the depth of links Skipfish would follow to 3 and limiting the requests to 1 million. Skipfish now completed the scan within about 20 minutes; however, the scan was not very thorough.
The Skipfish reports are HTML based and are quite user friendly. Skipfish not only picked up lots of useful information but also found some critical vulnerabilities within another live web application I tested it against.
After noticing my Tweets Michal got in contact via email to offer his help. He noted that the first scan was not normal Skipfish behaviour and helped with debugging. I plan to try to replicate the first scan's behaviour during the coming week and send Michal the logs for him to debug.
All in all, despite the first attempt, Skipfish found some very useful information which some other scanners I ran did not pick up. I plan to use it further in future to understand and judge its performance better.
A big thanks to Michal for getting in contact and helping me out with debugging! =)
To download Skipfish: http://code.google.com/p/skipfish/ (don’t forget to comment on your experience!)



2 Responses to “Skipfish – Automated web security scanner”
DubZ
Cool, I will download and install this later!
niloofar
Hi
thanks for your good details about working with skipfish
I also have tested skipfish for dvwa same as you before, but I am really disappointed that it doesn’t point to any SQL injections?
I would like to know, is it the same for you or not?
thanks
Niloofar