Google has released an open-source web-security scanner called Skipfish that is designed to allow people to scan web applications for security holes.
The tool scans a web application for flaws including "tricky scenarios" such as blind SQL or XML injection, Google developer Michal Zalewski said in the Skipfish wiki.
After a recursive crawl and dictionary-based probing of the target site, Skipfish prepares an interactive sitemap annotated with the crawl results and highlighting the flaws it found. The tool can also generate a final report that can be used as a basis for a security assessment.
Zalewski wrote that there are already a number of both commercial and open-source scanning tools available, including Nikto and Nessus, and recommended that people use the tool that suits them. However, he added that Skipfish is a high-performance tool, achieving over 500 requests per second against internet targets and over 2,000 requests per second on LANs, depending on the capabilities of the server being tested.
Skipfish is "not a silver bullet", Zalewski warned, saying the tool deliberately does not satisfy the majority of the requirements outlined in the WASC Web Application Security Scanner Evaluation Criteria. In addition, Skipfish does not come with an extensive database of known vulnerabilities, said Zalewski.
Google asked people to use the tool responsibly. "First and foremost, please do not be evil," wrote Zalewski. "Use Skipfish only against services you own, or have a permission to test."
The tool, which is written in pure C, is provided under the Apache License 2.0. The most recent version of Skipfish available is the 1.10 beta.