Skipfish 2.10 Beta

Fully automated, active web application security reconnaissance tool


What's new in Skipfish 2.10 Beta:

  • Updated HTML tags and attributes that are checked for URL XSS injections to also include a few HTML5 specific ones
  • Updated test and description for semi-colon injection in HTML meta refresh tags (this is IE6 specific)
  • Relaxed HTML parsing a bit to allow spaces between HTML tag attributes and their values (e.g. "foo =bar").
  • Major update of LFI tests by adding more dynamic tests (double encoding, a dynamic number of ../ sequences for web.xml). The total number of tests for this vulnerability is now 40 per injection point.
Skipfish is an open source and powerful web application security reconnaissance tool.

Skipfish generates an interactive sitemap for the targeted website by carrying out dictionary-based probes and a recursive crawl.

The resulting map is then automatically annotated with the output from a number of active (yet hopefully non-disruptive) security checks.

The final report generated using the Skipfish tool is meant to be used as a foundation for professional web app security assessments.

A rough list of the security checks offered by the tool is outlined below:

High risk flaws (potentially leading to system compromise):
· Server-side SQL / PHP injection (including blind vectors, numerical parameters).
· Explicit SQL-like syntax in GET or POST parameters.
· Server-side shell command injection (including blind vectors).
· Server-side XML / XPath injection (including blind vectors).
· Format string vulnerabilities.
· Integer overflow vulnerabilities.
· Locations accepting HTTP PUT.

Medium risk flaws (potentially leading to data compromise):
· Stored and reflected XSS vectors in document body (minimal JS XSS support present).
· Stored and reflected XSS vectors via HTTP redirects.
· Stored and reflected XSS vectors via HTTP header splitting.
· Directory traversal / file inclusion (including constrained vectors).
· Assorted file POIs (server-side sources, configs, etc.).
· Attacker-supplied script and CSS inclusion vectors (stored and reflected).
· External untrusted script and CSS inclusion vectors.
· Mixed content problems on script and CSS resources (optional).
· Password forms submitting from or to non-SSL pages (optional).
· Incorrect or missing MIME types on renderables.
· Generic MIME types on renderables.
· Incorrect or missing charsets on renderables.
· Conflicting MIME / charset info on renderables.
· Bad caching directives on cookie setting responses.

Low risk issues (limited impact or low specificity):
· Directory listing bypass vectors.
· Redirection to attacker-supplied URLs (stored and reflected).
· Attacker-supplied embedded content (stored and reflected).
· External untrusted embedded content.
· Mixed content on non-scriptable subresources (optional).
· HTTP credentials in URLs.
· Expired or not-yet-valid SSL certificates.
· HTML forms with no XSRF protection.
· Self-signed SSL certificates.
· SSL certificate host name mismatches.
· Bad caching directives on less sensitive content.

Internal warnings:
· Failed resource fetch attempts.
· Exceeded crawl limits.
· Failed 404 behavior checks.
· IPS filtering detected.
· Unexpected response variations.
· Seemingly misclassified crawl nodes.

Non-specific informational entries:
· General SSL certificate information.
· Significantly changing HTTP cookies.
· Changing Server, Via, or X-... headers.
· New 404 signatures.
· Resources that cannot be accessed.
· Resources requiring HTTP authentication.
· Broken links.
· Server errors.
· All external links not classified otherwise (optional).
· All external e-mails (optional).
· All external URL redirectors (optional).
· Links to unknown protocols.
· Form fields that could not be autocompleted.
· Password entry forms (for external brute-force).
· File upload forms.
· Other HTML forms (not classified otherwise).
· Numerical file names (for external brute-force).
· User-supplied links otherwise rendered on a page.
· Incorrect or missing MIME type on less significant content.
· Generic MIME type on less significant content.
· Incorrect or missing charset on less significant content.
· Conflicting MIME / charset information on less significant content.
· OGNL-like parameter passing conventions.

How to install and run

Unarchive the package, open a Terminal window, change to the Skipfish folder and run the following command:

sudo make install

Next, you need to copy the desired dictionary file from dictionaries/ to skipfish.wl. Please read dictionaries/README-FIRST carefully to make the right choice. This step has a profound impact on the quality of scan results later on.

Once you have the dictionary selected, you can try:

./skipfish -o output_dir

Last updated on December 6th, 2012

Runs on: Mac OS X
