Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
- High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets.
- Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
- Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.
The tool is believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.
Latest update -
Skipfish version 2.10b with configuration file support, enhanced signatures and improved traversal tests.
Change log Version 2.10b:
- Updated HTML tags and attributes that are checked for URL XSS injections to also include a few HTML5-specific ones.
- Updated test and description for semicolon injection in HTML meta refresh tags (this is IE6-specific).
- Relaxed HTML parsing a bit to allow spaces between HTML tag attributes and their values (e.g. "foo =bar").
- Major update of LFI tests by adding more dynamic tests (double encoding, dynamic number of ../'s for web.xml). The total number of tests for this vulnerability is now 40 per injection point.
- The RFI test is now a separate test and no longer requires special compile options. The default RFI URL and its payload check are still defined in src/config.h.
- Using the --flush-to-disk flag will cause requests and responses to be flushed to disk, which reduces the memory footprint (especially noticeable in large scans).
- Fixed a bug where in some conditions (e.g. a page looks similar to another) links were not scraped from responses, which led to links being missed (thanks to Anurag Chaurasia for reporting).
- Added configuration file support with the --config flag. In config/example.conf you can find flags and examples.
- Several signature keyword enhancements have been made. Most significant are the "header" keyword, which allows header matching, and the "depend" keyword, which allows signature chaining.
- Fixed basic authentication, which was broken as of 2.08b. Cheers to Michael Stevens for reporting.
- Fixed -k scheduling where 1:0:0 would count as a second instead of an hour (and vice versa). Cheers to Claudio Criscione for reporting.
- Small fix to compile-time warnings.
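The relaxed attribute parsing noted above matters for scan coverage: a crawler that only accepts `name="value"` silently skips links written as `href =/x`, and any injection point on that page goes untested. The reader below is an added illustration, not code from skipfish; the function name and the sample tag strings are constructed for this example. It tolerates whitespace on either side of `=`, quoted or bare values, and case-insensitive attribute names.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Extract the value of attribute `name` from one HTML start tag such as
 * `<a href = "/x">` or `<a href =/x>`.  Whitespace before and after '='
 * is accepted, matching the relaxed parsing the change log describes.
 * Returns 1 and writes a NUL-terminated copy of the value into out,
 * or 0 if the attribute is absent, has no value, or out is too small. */
static int attr_value(const char *tag, const char *name, char *out, size_t outlen) {
    size_t nlen = strlen(name);
    const char *p = tag;
    if (*p == '<') p++;
    while (*p && !isspace((unsigned char)*p) && *p != '>') p++;   /* skip tag name */
    while (*p && *p != '>') {
        while (isspace((unsigned char)*p)) p++;
        const char *an = p;                                        /* attribute name */
        while (*p && !isspace((unsigned char)*p) && *p != '=' && *p != '>') p++;
        size_t alen = (size_t)(p - an);
        while (isspace((unsigned char)*p)) p++;                    /* spaces before '=' */
        const char *val = NULL;
        size_t vlen = 0;
        if (*p == '=') {
            p++;
            while (isspace((unsigned char)*p)) p++;                /* spaces after '=' */
            if (*p == '"' || *p == '\'') {                         /* quoted value */
                char q = *p++;
                val = p;
                while (*p && *p != q) p++;
                vlen = (size_t)(p - val);
                if (*p == q) p++;
            } else {                                               /* bare value */
                val = p;
                while (*p && !isspace((unsigned char)*p) && *p != '>') p++;
                vlen = (size_t)(p - val);
            }
        }
        if (alen == nlen && strncasecmp(an, name, nlen) == 0) {
            if (!val || vlen + 1 > outlen) return 0;
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return 1;
        }
    }
    return 0;
}
```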
For more information -