Google releases Skipfish web-security scanner


Summary: The new open-source tool is designed to put web apps through their paces, managing over 2,000 tests a second


Google has released an open-source web-security scanner called Skipfish that is designed to allow people to scan web applications for security holes.

The tool scans a web application for flaws including "tricky scenarios" such as blind SQL or XML injection, Google developer Michal Zalewski said in the Skipfish wiki.

After a recursive crawl and dictionary-based probing of the target site, Skipfish prepares an interactive sitemap annotated with the crawl results and highlighting the flaws it found. The tool can also generate a final report that can be used as the basis for a security assessment.

Zalewski wrote that a number of commercial and open-source scanning tools are already available, including Nikto and Nessus, and recommended that people use whichever tool suits them. However, he added that Skipfish is high-performance, achieving over 500 requests per second against internet targets and over 2,000 requests per second on LANs, depending on the capabilities of the server being tested.

Skipfish is "not a silver bullet", Zalewski warned, saying the tool deliberately does not satisfy the majority of the requirements outlined in the WASC Web Application Security Scanner Evaluation Criteria. In addition, Skipfish does not come with an extensive database of known vulnerabilities, said Zalewski.

Google asked people to use the tool responsibly. "First and foremost, please do not be evil," wrote Zalewski. "Use Skipfish only against services you own, or have a permission to test."

The tool, which is written in pure C, is provided under Apache Licence 2.0. The most recent version of Skipfish available is the 1.10 beta.


Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

