SkillAgentSearch skills...

Skipfish

Web application security scanner created by lcamtuf for google - Unofficial Mirror

GenerateConvertImprove

Install / Use

/learn @spinkham/Skipfish
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

=========================================== skipfish - web application security scanner

http://code.google.com/p/skipfish/

  1. What is skipfish?

Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

  1. Why should I bother with this particular tool?

A number of commercial and open source tools with analogous functionality is readily available (e.g., Nikto, Nessus); stick to the one that suits you best. That said, skipfish tries to address some of the common problems associated with web security scanners. Specific advantages include:

  • High performance: 500+ requests per second against responsive Internet targets, 2000+ requests per second on LAN / MAN networks, and 7000+ requests against local instances have been observed, with a very modest CPU, network, and memory footprint. This can be attributed to:

    • Multiplexing single-thread, fully asynchronous network I/O and data processing model that eliminates memory management, scheduling, and IPC inefficiencies present in some multi-threaded clients.

    • Advanced HTTP/1.1 features such as range requests, content compression, and keep-alive connections, as well as forced response size limiting, to keep network-level overhead in check.

    • Smart response caching and advanced server behavior heuristics are used to minimize unnecessary traffic.

    • Performance-oriented, pure C implementation, including a custom HTTP stack.

  • Ease of use: skipfish is highly adaptive and reliable. The scanner features:

    • Heuristic recognition of obscure path- and query-based parameter handling schemes.

    • Graceful handling of multi-framework sites where certain paths obey completely different semantics, or are subject to different filtering rules.

    • Automatic wordlist construction based on site content analysis.

    • Probabilistic scanning features to allow periodic, time-bound assessments of arbitrarily complex sites.

    • Well-designed security checks: the tool is meant to provide accurate and meaningful results:

      • Handcrafted dictionaries offer excellent coverage and permit thorough $keyword.$extension testing in a reasonable timeframe.

      • Three-step differential probes are preferred to signature checks for detecting vulnerabilities.

      • Ratproxy-style logic is used to spot subtle security problems: cross-site request forgery, cross-site script inclusion, mixed content, issues MIME- and charset mismatches, incorrect caching directives, etc.

      • Bundled security checks are designed to handle tricky scenarios: stored XSS (path, parameters, headers), blind SQL or XML injection, or blind shell injection.

      • Snort style content signatures which will highlight server errors, information leaks or potentially dangerous web applications.

      • Report post-processing drastically reduces the noise caused by any remaining false positives or server gimmicks by identifying repetitive patterns.

That said, skipfish is not a silver bullet, and may be unsuitable for certain purposes. For example, it does not satisfy most of the requirements outlined in WASC Web Application Security Scanner Evaluation Criteria (some of them on purpose, some out of necessity); and unlike most other projects of this type, it does not come with an extensive database of known vulnerabilities for banner-type checks.

  1. Most curious! What specific tests are implemented?

A rough list of the security checks offered by the tool is outlined below.

  • High risk flaws (potentially leading to system compromise):

    • Server-side query injection (including blind vectors, numerical parameters).
    • Explicit SQL-like syntax in GET or POST parameters.
    • Server-side shell command injection (including blind vectors).
    • Server-side XML / XPath injection (including blind vectors).
    • Format string vulnerabilities.
    • Integer overflow vulnerabilities.
    • Locations accepting HTTP PUT.

  • Medium risk flaws (potentially leading to data compromise):

    • Stored and reflected XSS vectors in document body (minimal JS XSS support).
    • Stored and reflected XSS vectors via HTTP redirects.
    • Stored and reflected XSS vectors via HTTP header splitting.
    • Directory traversal / LFI / RFI (including constrained vectors).
    • Assorted file POIs (server-side sources, configs, etc).
    • Attacker-supplied script and CSS inclusion vectors (stored and reflected).
    • External untrusted script and CSS inclusion vectors.
    • Mixed content problems on script and CSS resources (optional).
    • Password forms submitting from or to non-SSL pages (optional).
    • Incorrect or missing MIME types on renderables.
    • Generic MIME types on renderables.
    • Incorrect or missing charsets on renderables.
    • Conflicting MIME / charset info on renderables.
    • Bad caching directives on cookie setting responses.

  • Low risk issues (limited impact or low specificity):

    • Directory listing bypass vectors.
    • Redirection to attacker-supplied URLs (stored and reflected).
    • Attacker-supplied embedded content (stored and reflected).
    • External untrusted embedded content.
    • Mixed content on non-scriptable subresources (optional).
    • HTTPS -> HTTP submission of HTML forms (optional).
    • HTTP credentials in URLs.
    • Expired or not-yet-valid SSL certificates.
    • HTML forms with no XSRF protection.
    • Self-signed SSL certificates.
    • SSL certificate host name mismatches.
    • Bad caching directives on less sensitive content.

  • Internal warnings:

    • Failed resource fetch attempts.
    • Exceeded crawl limits.
    • Failed 404 behavior checks.
    • IPS filtering detected.
    • Unexpected response variations.
    • Seemingly misclassified crawl nodes.

  • Non-specific informational entries:

    • General SSL certificate information.
    • Significantly changing HTTP cookies.
    • Changing Server, Via, or X-... headers.
    • New 404 signatures.
    • Resources that cannot be accessed.
    • Resources requiring HTTP authentication.
    • Broken links.
    • Server errors.
    • All external links not classified otherwise (optional).
    • All external e-mails (optional).
    • All external URL redirectors (optional).
    • Links to unknown protocols.
    • Form fields that could not be autocompleted.
    • Password entry forms (for external brute-force).
    • File upload forms.
    • Other HTML forms (not classified otherwise).
    • Numerical file names (for external brute-force).
    • User-supplied links otherwise rendered on a page.
    • Incorrect or missing MIME type on less significant content.
    • Generic MIME type on less significant content.
    • Incorrect or missing charset on less significant content.
    • Conflicting MIME / charset information on less significant content.
    • OGNL-like parameter passing conventions.

Along with a list of identified issues, skipfish also provides summary overviews of document types and issue types found; and an interactive sitemap, with nodes discovered through brute-force denoted in a distinctive way.

NOTE: As a conscious design decision, skipfish will not redundantly complain about highly non-specific issues, including but not limited to:

  • Non-httponly or non-secure cookies,
  • Non-HTTPS or autocomplete-enabled forms,
  • HTML comments detected on a page,
  • Filesystem path disclosure in error messages,
  • Server of framework version disclosure,
  • Servers supporting TRACE or OPTIONS requests,
  • Mere presence of certain technologies, such as WebDAV.

Most of these aspects are easy to inspect in a report if so desired - for example, all the HTML forms are listed separately, so are new cookies or interesting HTTP headers - and the expectation is that the auditor may opt to make certain design recommendations based on this data where appropriate. That said, these occurrences are not highlighted as a specific security flaw.

  1. All right, I want to try it out. What do I need to know?

First and foremost, please do not be evil. Use skipfish only against services you own, or have a permission to test.

Keep in mind that all types of security testing can be disruptive. Although the scanner is designed not to carry out malicious attacks, it may accidentally interfere with the operations of the site. You must accept the risk, and plan accordingly. Run the scanner against test instances where feasible, and be prepared to deal with the consequences if things go wrong.

Also note that the tool is meant to be used by security professionals, and is experimental in nature. It may return false positives or miss obvious security problems - and even when it operates perfectly, it is simply not meant to be a point-and-click application

spinkham

View profile

View on GitHub
GitHub Stars849
CategoryDevelopment
Updated1d ago
Forks165
spinkham/skipfish

Languages

C

Security Score

95/100

Audited on Mar 30, 2026

No findings