Skipfish Security Scanner for Web Apps

Mar 24, 2010

Google's online security team has released a free security scanner for web apps, named Skipfish.

The command line tool acts as a Web crawler and prepares an interactive sitemap for the targeted site. The Web app is then subjected to a number of nondisruptive security probes, such as for cross-site scripting (XSS), cross-site request forgery (XSRF) and server-side SQL injection. The software can probe websites developed under multiple technologies and frameworks.

Skipfish produces HTML reports that read like sitemaps.

Skipfish is written in C and, according to its developers, shows great performance: Internet requests can produce over 500 responses per second, LAN/MAN requests over 2,000 responses and local requests over 7,000 responses per second. The developers implemented a custom HTTP stack for Skipfish.

The Skipfish developers indicate that their tool digs up many relevant security vulnerabilities, but not all. As with many security scanners, permission to test the website is the prerequisite, unless you own it outright.

Skipfish is open source software under Apache 2.0 licensing. The Google Code site has its own Skipfish page, with downloads of a source tarball and online documentation.
