Google releases skipfish, an application security tool

As someone who manages web applications, skipfish is a really easy and quick way to run your website through a fairly comprehensive set of tests. Today, Google officially released the tool to the public in hopes to help make the web a safer place. On the flip side, a tool that does a good job of detecting vulnerabilities like this, will naturally be used by people looking to abuse it as well.

Skipfish runs through a set of tests which detect high, medium and low risk flaws. Some of the higher risk ones include:

Server-side SQL injection (including blind vectors, numerical parameters). Explicit SQL-like syntax in GET or POST parameters. Server-side shell command injection (including blind vectors). Server-side XML / XPath injection (including blind vectors). Format string vulnerabilities. Integer overflow vulnerabilities.

These specific flaws can lead to system compromise -- detecting them early, and proactively is surely something worth doing.

This isn't the only tool of its kind though. There are several free and commercial tools available that can do the same job (like Nikto2 and Nessus) -- in some cases better. In any case, it's about time people started taking security seriously, and using a tool like this is a good step in the right direction.