Skipfish For Mac

Skipfish is an open source and powerful web application security reconnaissance tool.

Skipfish generates an interactive sitemap for the targeted website by carrying out dictionary-based probes and a recursive crawl.

The resulting map is then automatically annotated with the output from a number of active (yet hopefully non-disruptive) security checks.

The final report generated using the Skipfish tool is meant to be used as a foundation for professional web app security assessments.

High risk flaws (potentially leading to system compromise): · Server-side SQL / PHP injection (including blind vectors, numerical parameters). · Explicit SQL-like syntax in GET or POST parameters. · Server-side shell command injection (including blind vectors). · Server-side XML / XPath injection (including blind vectors). · Format string vulnerabilities. · Integer overflow vulnerabilities. · Locations accepting HTTP PUT.

Medium risk flaws (potentially leading to data compromise): · Stored and reflected XSS vectors in document body (minimal JS XSS support present). · Stored and reflected XSS vectors via HTTP redirects. · Stored and reflected XSS vectors via HTTP header splitting. · Directory traversal / file inclusion (including constrained vectors). · Assorted file POIs (server-side sources, configs, etc). · Attacker-supplied script and CSS inclusion vectors (stored and reflected). · External untrusted script and CSS inclusion vectors. · Mixed content problems on script and CSS resources (optional). · Password forms submitting from or to non-SSL pages (optional). · Incorrect or missing MIME types on renderables. · Generic MIME types on renderables. · Incorrect or missing charsets on renderables. · Conflicting MIME / charset info on renderables. · Bad caching directives on cookie setting responses.

Low risk issues (limited impact or low specificity): · Directory listing bypass vectors. · Redirection to attacker-supplied URLs (stored and reflected). · Attacker-supplied embedded content (stored and reflected). · External untrusted embedded content. · Mixed content on non-scriptable subresources (optional). · HTTP credentials in URLs. · Expired or not-yet-valid SSL certificates. · HTML forms with no XSRF protection. · Self-signed SSL certificates. · SSL certificate host name mismatches. · Bad caching directives on less sensitive content.

Internal warnings: · Failed resource fetch attempts. · Exceeded crawl limits. · Failed 404 behavior checks. · IPS filtering detected. · Unexpected response variations. · Seemingly misclassified crawl nodes.

Non-specific informational entries: · General SSL certificate information. · Significantly changing HTTP cookies. · Changing Server, Via, or X-... headers. · New 404 signatures. · Resources that cannot be accessed. · Resources requiring HTTP authentication. · Broken links. · Server errors. · All external links not classified otherwise (optional). · All external e-mails (optional). · All external URL redirectors (optional). · Links to unknown protocols. · Form fields that could not be autocompleted. · Password entry forms (for external brute-force). · File upload forms. · Other HTML forms (not classified otherwise). · Numerical file names (for external brute-force). · User-supplied links otherwise rendered on a page. · Incorrect or missing MIME type on less significant content. · Generic MIME type on less significant content. · Incorrect or missing charset on less significant content. · Conflicting MIME / charset information on less significant content. · OGNL-like parameter passing conventions.

How to install and run

Unarchive, open a Terminal window, go to the Skipfish's folder and run the following commands from the command line:

make sudo make install

Next, you need to copy the desired dictionary file from dictionaries/ to skipfish.wl. Please read dictionaries/README-FIRST carefully to make the right choice. This step has a profound impact on the quality of scan results later on.

Once you have the dictionary selected, you can try:

./skipfish -o output_dir http://www.example.com/some/starting/path.txt