Skipfish generates an interactive sitemap of the target site, created by recursively crawling it and carrying out dictionary-based probes.
The resulting map is then annotated with the output of a number of active security checks.
The generated report can be used by webmasters to improve their site's security.
Installation:
Unpack the archive and type 'make' to compile.
Copy the desired dictionary file from dictionaries/ to skipfish.wl
Execute ./skipfish -o output_dir http://www.example.com/some/starting/path
The final report is written to output_dir/index.html and can be viewed with any JavaScript-enabled browser.
Here are some key features of "Skipfish":
High performance:
· 500+ requests per second against responsive Internet targets, 2000+ requests per second on LAN / MAN networks, and 7000+ requests per second against local instances have been observed, with a very modest CPU, network, and memory footprint.
· A multiplexing, single-threaded, fully asynchronous network I/O and data processing model that eliminates the memory management, scheduling, and IPC inefficiencies present in some multi-threaded clients.
· Advanced HTTP/1.1 features such as range requests, content compression, and keep-alive connections, as well as forced response size limiting, to keep network-level overhead in check.
· Smart response caching and advanced server behavior heuristics are used to minimize unnecessary traffic.
· Performance-oriented, pure C implementation, including a custom HTTP stack.
Ease of use:
· Heuristic recognition of obscure path- and query-based parameter handling schemes.
· Graceful handling of multi-framework sites where certain paths obey a completely different semantics, or are subject to different filtering rules.
· Automatic wordlist construction based on site content analysis.
· Probabilistic scanning features to allow periodic, time-bound assessments of arbitrarily complex sites.
Well-designed security checks:
· Three-step differential probes are preferred to signature checks for detecting vulnerabilities.
· Ratproxy-style logic is used to spot subtle security problems: cross-site request forgery, cross-site script inclusion, mixed content, MIME type and charset mismatches, incorrect caching directives, etc.
· Bundled security checks are designed to handle tricky scenarios: stored XSS (path, parameters, headers), blind SQL or XML injection, or blind shell injection.
· Report post-processing drastically reduces the noise caused by any remaining false positives or server gimmicks by identifying repetitive patterns.
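The following is an added illustration of the three-step differential probing mentioned above, together with the page-stability check whose absence is listed as a source of false positives in the changelog below. It is not skipfish's code: the structural fingerprint, the exact payload set (a raw quote, a backslash-escaped quote, and a double-escaped quote) and the decision rule are simplified assumptions, and the three "applications" are constructed stand-ins that model a page concatenating input into a single-quoted SQL literal, a page that binds its parameter, and a page whose structure changes between identical requests.

```python
# Added example, not part of skipfish. Models a three-step differential probe
# for SQL string injection plus the stability check that gates it.
import re

# Assumed payload set: a quote that breaks a concatenated literal, an escaped
# quote a MySQL-style parser accepts, and a double-escaped quote that breaks again.
PAYLOADS = ["'\"", "\\'\\\"", "\\\\'\\\\\""]


def fingerprint(status, body):
    """Structural fingerprint: status, sequence of opening tag names, and a coarse
    word count. Ignoring exact text keeps timestamps or counters from making two
    identical pages look different (assumed simplification of fprint_response)."""
    tags = tuple(t.lower() for t in re.findall(r"<([A-Za-z][A-Za-z0-9]*)", body))
    words = len(re.sub(r"<[^>]+>", " ", body).split())
    return (status, tags, words // 10)


def _sql_literal_ok(param):
    """Simulate a MySQL-style parser reading '<param>' after the application
    appends its closing quote: backslash escapes the next character, a bare quote
    ends the literal. True only if the literal closes exactly at the app's quote,
    i.e. the statement stays syntactically valid."""
    s = param + "'"
    i = 0
    while i < len(s):
        if s[i] == "\\":
            i += 2
            continue
        if s[i] == "'":
            return i == len(s) - 1
        i += 1
    return False  # unterminated literal


ERROR_PAGE = "<html><body><h1>Error</h1><p>You have an error in your SQL syntax</p></body></html>"
RESULT_PAGE = "<html><body><h1>Results</h1><ul><li>no matching rows</li></ul></body></html>"


def vulnerable_app(value):
    """Constructed stand-in: parameter concatenated into a single-quoted literal."""
    return (200, RESULT_PAGE) if _sql_literal_ok(value) else (500, ERROR_PAGE)


def safe_app(value):
    """Constructed stand-in: parameter is bound, input never alters page structure."""
    return 200, RESULT_PAGE


def make_unstable_app():
    """Constructed stand-in: a rotating block appears on every other request, so
    identical requests do not give identical pages."""
    counter = {"n": 0}

    def app(value):
        counter["n"] += 1
        extra = "<div><p>promo</p></div>" if counter["n"] % 2 else ""
        return 200, RESULT_PAGE.replace("</body>", extra + "</body>")

    return app


def probe_param(app, base_value):
    """Stability check, then the three-step differential probe.
    Returns 'unstable', 'sql-injection-suspected' or 'clean'."""
    # Request the unmodified value twice. If the page is not stable, differential
    # results are meaningless, so mark it and skip the injection tests.
    if fingerprint(*app(base_value)) != fingerprint(*app(base_value)):
        return "unstable"
    fps = [fingerprint(*app(base_value + p)) for p in PAYLOADS]
    # Error / normal / error: only a backend that honours backslash escapes inside
    # a quoted literal produces this pattern. A page that merely rejects any odd
    # character returns the same fingerprint for all three probes instead.
    if fps[0] == fps[2] and fps[0] != fps[1]:
        return "sql-injection-suspected"
    return "clean"


if __name__ == "__main__":
    for name, app in [("vulnerable", vulnerable_app), ("safe", safe_app),
                      ("unstable", make_unstable_app())]:
        print(f"{name}: {probe_param(app, 'x')}")
```

The point of the middle probe is that it is the control: a signature check would flag the error page alone, while the differential test only fires when the escaped variant is accepted and both unescaped variants are rejected, which is what a backend interpreting the input as a quoted literal does. The stability check in front of it is what the changelog entry about unstable pages refers to: without it, any page that changes between requests would satisfy the comparison by accident.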
Requirements:
· GNU Libidn
· Cygwin (on Windows)
What's New in This Release:
· A horrible bug fix which caused unstable pages not to be marked as such. The result: false positives.
· A change to fprint_response() will help reduce false positives that could occur for differential tests (i.e. the query and shell injection tests)
· Suppress implicit cache warnings when dealing with 302, 303 and 307 redirects.
· Added --no-checks which allows a scan to be run without any injection tests. This still allows bruteforcing and combines well with the new ability to load URLs from previous scan results.
· We can now parse the pivots.txt, which can be found in the output directory of older scans. All URLs will be loaded which seriously speeds up recurring scans.
· Directory bruteforcing now includes a content negotiation trick where using a fake MIME type in the Accept: header will cause some servers to propose files to us via a 406 response.
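As an added example of the content negotiation trick in the last entry (not skipfish's own code): it builds the request such a probe sends, with a made-up media type in the Accept: header, and extracts the file list from the "Available variants" section of an Apache mod_negotiation style 406 page. The 406 response below is constructed for this example, and the media type, host and paths are placeholders.

```python
# Added example, not part of skipfish. Request side and response parser for the
# Accept-header content negotiation trick against Apache MultiViews.
import posixpath
import re

FAKE_MIME = "application/x-does-not-exist"  # assumed placeholder media type


def build_probe_request(host, path):
    """Raw HTTP/1.1 request for an extension-less path (e.g. /index). With
    MultiViews, the server looks for index.* and, finding nothing that matches
    our bogus Accept:, answers 406 and lists what it does have."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Accept: {FAKE_MIME}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


# Constructed sample modelled on Apache's default 406 page.
SAMPLE_406 = (
    "HTTP/1.1 406 Not Acceptable\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>406 Not Acceptable</title></head><body>\n"
    "<h1>Not Acceptable</h1>\n"
    "An appropriate representation of the requested resource /index could not be found on this server.\n"
    "Available variants:\n"
    "<ul>\n"
    '<li><a href="index.html">index.html</a> , type text/html</li>\n'
    '<li><a href="index.php">index.php</a> , type application/x-httpd-php</li>\n'
    '<li><a href="index.txt">index.txt</a> , type text/plain</li>\n'
    "</ul>\n"
    "<hr>\n"
    "<address>Apache Server at www.example.com Port 80</address>\n"
    "</body></html>\n"
)


def parse_response(raw):
    """Split a raw HTTP response into (status code, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    return int(head.split(" ", 2)[1]), body


def extract_variants(raw):
    """Filenames listed under 'Available variants:' in a 406 body; [] for any
    other status or if the Apache list markup is absent."""
    status, body = parse_response(raw)
    if status != 406:
        return []
    m = re.search(r"Available variants:(.*?)</ul>", body, re.S | re.I)
    if not m:
        return []
    return re.findall(r'<a href="([^"]+)">', m.group(1))


def discovered_paths(request_path, raw):
    """Resolve the listed variants relative to the directory that was probed,
    so they can be queued as new crawl targets."""
    base = posixpath.dirname(request_path)
    return [posixpath.join(base, name) for name in extract_variants(raw)]


if __name__ == "__main__":
    print(build_probe_request("www.example.com", "/admin/index").decode())
    for p in discovered_paths("/admin/index", SAMPLE_406):
        print("found:", p)
```

On the defensive side, the listing only appears when MultiViews is enabled for the directory (Options MultiViews in Apache); disabling it, or serving a custom ErrorDocument for 406, removes the file enumeration without affecting normal requests.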