Skipfish Security Scanner for Web Apps

Mar 24, 2010

Google's online security team has released a free security scanner for web apps, named Skipfish.

The command-line tool acts as a Web crawler and prepares an interactive sitemap for the targeted site. The Web app is then subjected to a number of nondisruptive security probes, such as for cross-site scripting (XSS), cross-site request forgery (XSRF) and server-side SQL injection. The software can probe websites built with many different technologies and frameworks.

Skipfish produces HTML reports that read like sitemaps.

Skipfish is written in C and, according to its developers, performs well: scans over the Internet can reach more than 500 responses per second, LAN/MAN scans more than 2,000 responses per second, and scans of a local host more than 7,000 responses per second. The developers implemented a custom HTTP stack for Skipfish to achieve this.

The Skipfish developers indicate that their tool finds many relevant security vulnerabilities, but not all of them. As with many security scanners, permission to test the website is a prerequisite, unless you own it outright.

Skipfish is open source software under Apache 2.0 licensing. The Google Code site has its own Skipfish page, with downloads of a source tarball and online documentation.
