Skipfish, Google Enters the Web Scanner Fray

This morning the office was buzzing with Google hysteria. Google, which has already released great security tools like RATproxy, has now released a web application scanner similar to Nikto (and, to a lesser extent, the Nessus web checks) called Skipfish.

Now, we understand that not everyone is a Goog-Fanboy, but we love testing new apps.

We wrote a cursory install for a testbed machine here. Note that Skipfish has very few dependencies, which is great.

At first we tested Skipfish against a live domain we control. Below you can see the live statistics output. At first glance you notice that Google’s Skipfish is blazing fast. We got 600+ req/sec on a 10Mb connection, which is a credit to its “pure C implementation, including a custom HTTP stack.” The live statistics are very verbose, broken up into both “Scan Statistics” and “Database Statistics”.

We then decided to test against a very widespread testing environment, Mutillidae, a set of vulnerable PHP scripts by Iron Geek. For kicks we also tested the same installation with Nikto.

Before scanning we did a cursory review of the C source for error detection, which is pretty comprehensive and supports a large set of platforms. Its dictionary-bruting resource list will, by default, auto-learn probable keywords and add any found resources to the wordlist file. Very cool.

In the twitter-verse many infosec friends were quick to find faults in the code of the actual app, which is valid, but for a web app scanner we will live with inherent vulnerabilities if you deem Skipfish a valuable tool.

After about a half day of using Skipfish, we have some mixed feelings. Although Google’s docs say that the input injection saves on requests, it still managed to crash our janky Mutillidae install. It also segfaulted and tanked our testing box when it somehow hit a loop while trying to parse out multiple identical findings. BTW, it is HEAVY on requests… like 1-2 million heavy.

Granted, on a successful completion, the output is pretty win. We like the “clickability” factor, and its conciseness on web 2.0 vulnerabilities.

The full doc explaining the injection tests of Skipfish can be found here towards the bottom of the page.

The Skinny:

We like it. As Google says, it's not an end-all-be-all for web application scanners, but it definitely has some great logic and features, and it is blazing fast. Also, if you have followed the dev track, the developer Michal Zalewski has been quick to fix problems (1.01b fixes some crashing problems) and has some great upcoming features planned (pause/resume, VIEWSTATE testing, etc.). Although no scanner will ever replace a smart web app assessment engineer, Skipfish shows some great potential in the security space and… it's free. It won't replace any of our manual processes, but we will definitely use it when applicable. Thanks Google.

** Updated:

After a full day of watching this puppy go, we’d like to add that the scanning Skipfish does generates a large number of HTTP requests. We have heard reports of up to 10 million, and that some people testing against their providers are being firewalled quickly. We recommend switching to the minimal .wl file and limiting your requests to, say… 800k.
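As an added example (not from the original post or the Skipfish project), here is a small POSIX shell wrapper that applies the two recommendations above: it copies the minimal dictionary to a private working copy (Skipfish appends auto-learned keywords to the wordlist it is given, so the shipped file stays clean) and launches the scan with a total request cap and a reduced per-host connection limit. It assumes a Skipfish 1.x tree under `SKIPFISH_HOME` and the `-o`, `-W`, `-r` and `-m` options from the Skipfish README; the 800k cap is the figure from the post.

```shell
#!/bin/sh
# Budgeted Skipfish run. Assumption: Skipfish 1.x installed under SKIPFISH_HOME
# with dictionaries/minimal.wl, and the options -o (output dir), -W (read-write
# wordlist), -r (max total requests) and -m (max connections per target IP).
SKIPFISH_HOME="${SKIPFISH_HOME:-/opt/skipfish}"

# Copy the minimal dictionary into a private working copy and print its path.
# Skipfish writes auto-learned keywords back into the -W file, so scanning
# with the distribution copy would silently grow the default wordlist.
prepare_wordlist() {
    src="$1/dictionaries/minimal.wl"
    dst="$2/skipfish.wl"
    [ -r "$src" ] || { echo "wordlist not found: $src" >&2; return 1; }
    cp "$src" "$dst" && echo "$dst"
}

# Build the capped scan command line. Defaults: 800000 total requests (the
# ceiling suggested in the post) and 5 connections per target IP instead of
# Skipfish's default 10, so a provider's rate limiting is less likely to trip.
budgeted_scan_cmd() {
    target="$1"; outdir="$2"; wordlist="$3"
    max_req="${4:-800000}"; host_conn="${5:-5}"
    case "$target" in
        http://*|https://*) ;;
        *) echo "target must be an http(s) URL: $target" >&2; return 1 ;;
    esac
    echo "$SKIPFISH_HOME/skipfish -o $outdir -W $wordlist -r $max_req -m $host_conn $target"
}

# Usage: run_budgeted_scan <url> <output_dir> [max_requests] [conns_per_ip]
run_budgeted_scan() {
    mkdir -p "$2" || return 1
    wl=$(prepare_wordlist "$SKIPFISH_HOME" "$2") || return 1
    cmd=$(budgeted_scan_cmd "$1" "$2" "$wl" "$4" "$5") || return 1
    echo "running: $cmd" >&2
    $cmd
}

if [ $# -ge 2 ]; then
    run_budgeted_scan "$@"
fi
```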

Posted by jhaddix
