New Web Application Security Tool from Google. Skipfish.

Having done some initial testing this new tool is powerful and comprehensive. It blends a number of other tool features into a neat little package. I did some testing on my local LAN and the web server was getting pounded with thousands of requests per second. Your access and error.log is really going to fill up with this one, not very subtle. 😉

What is skipfish?

Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.


In 2021 Skipfish was accepted and migrated to Kali Linux packages

The last available download from the Skipfish Google Code Archive is 2012.

A rough list of the security checks offered by the tool is outlined below.

    * High risk flaws (potentially leading to system compromise):

          o Server-side SQL injection (including blind vectors, numerical parameters).
          o Explicit SQL-like syntax in GET or POST parameters.
          o Server-side shell command injection (including blind vectors).
          o Server-side XML / XPath injection (including blind vectors).
          o Format string vulnerabilities.
          o Integer overflow vulnerabilities.
          o Locations accepting HTTP PUT. 

    * Medium risk flaws (potentially leading to data compromise):

          o Stored and reflected XSS vectors in document body (minimal JS XSS support present).
          o Stored and reflected XSS vectors via HTTP redirects.
          o Stored and reflected XSS vectors via HTTP header splitting.
          o Directory traversal (including constrained vectors).
          o Assorted file POIs (server-side sources, configs, etc).
          o Attacker-supplied script and CSS inclusion vectors (stored and reflected).
          o External untrusted script and CSS inclusion vectors.
          o Mixed content problems on script and CSS resources (optional).
          o Incorrect or missing MIME types on renderables.
          o Generic MIME types on renderables.
          o Incorrect or missing charsets on renderables.
          o Conflicting MIME / charset info on renderables.
          o Bad caching directives on cookie setting responses. 

    * Low risk issues (limited impact or low specificity):

          o Directory listing bypass vectors.
          o Redirection to attacker-supplied URLs (stored and reflected).
          o Attacker-supplied embedded content (stored and reflected).
          o External untrusted embedded content.
          o Mixed content on non-scriptable subresources (optional).
          o HTTP credentials in URLs.
          o Expired or not-yet-valid SSL certificates.
          o HTML forms with no XSRF protection.
          o Self-signed SSL certificates.
          o SSL certificate host name mismatches.
          o Bad caching directives on less sensitive content. 

    * Internal warnings:

          o Failed resource fetch attempts.
          o Exceeded crawl limits.
          o Failed 404 behavior checks.
          o IPS filtering detected.
          o Unexpected response variations.
          o Seemingly misclassified crawl nodes. 

    * Non-specific informational entries:

          o General SSL certificate information.
          o Significantly changing HTTP cookies.
          o Changing Server, Via, or X-... headers.
          o New 404 signatures.
          o Resources that cannot be accessed.
          o Resources requiring HTTP authentication.
          o Broken links.
          o Server errors.
          o All external links not classified otherwise (optional).
          o All external e-mails (optional).
          o All external URL redirectors (optional).
          o Links to unknown protocols.
          o Form fields that could not be autocompleted.
          o Password entry forms (for external brute-force).
          o File upload forms.
          o Other HTML forms (not classified otherwise).
          o Numerical file names (for external brute-force).
          o User-supplied links otherwise rendered on a page.
          o Incorrect or missing MIME type on less significant content.
          o Generic MIME type on less significant content.
          o Incorrect or missing charset on less significant content.
          o Conflicting MIME / charset information on less significant content.
          o OGNL-like parameter passing conventions.