skipfish - Google's Free Web Security Testing Tool

Recently, Google and Michal Zalewski (lcamtuf), author of the other venerable passive web security tool ratproxy, have released a beta version of a second web application security tool, skipfish which performs very optimized security checks of well-known security issues.
As stated within their own documentation the primary design goals are to be high-performance, easy to use, and employ well designed security checks.  I will be comparing this tool to several other tools including AppScan, BurpSuite, and several others, and providing some findings of my own.
Thanks again Google / Michael, this type of continued support helps us and our clients find and fix vulnerabilities!

Update 1: redspin has a bit of an initial writeup on it.

Update 2:  Simple instructions for 10.6.2 OSX install:

a)  download and unpack both skipfish and libidn.
b)  ./configure and make libidn
c)  select a dictionary that you want to use for bruteforcing server resources (these are used to find server resources not linked from the applications being assessed).  Copy the selected file to the root skipfish directory as skipfish.wl
d) make skipfish
e) run skipfish with selected options:  skipfish -h for a list.


Popular Posts