Googles SkipFish – Web App Security Scanner

Skipfish is an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Installation on Ubuntu/BackTrack (via Redspin)

Use the following commands in the terminal windows to install and run Skipfish. Replace OUTPUT_FOLDER and TARGETSITE with the domain name and the target’s URL respectively. Also change the wget URL to the URL of the latest version of Skipfish download available.

wget http://skipfish.googlecode.com/files/skipfish-1.29b.tgz
tar zxvf skipfish-1.01b.tgz
sudo apt-get install libidn11-dev
cd skipfish
make
cp dictionaries/default.wl skipfish.wl
./skipfish -o OUTPUT_FOLDER http://www.TARGETSITE.com

Trial Run

Installed SkipFish and ran on the target site, specs below.

Guest OS : BackTrack4 VM

Host OS : Windows Vista

RAM : 512MB

Application Size : Medium ( < 1000 Unique Pages )

Internet Speed : 1 MBPS

Skipfish Verbose

Skipfish displays the scan run statistics continuously during the run. Once the scan run is complete, we get to see the scan summary (shown in the below screenshot).

Skipfish Running

Skipfish Console (Click to Enlarge)


Scan Output

Once the scan is complete, results are saved in HTML format. Its a simple tree interface that displays the details of the vulnerability along with the HTTP Header trace for each request.

NOTE: The target application which was used to test the application is a custom and private application and has been removed from the server. Please do not run scanner on any of the domains you dont own.

Skipfish Scanner

Skipfish Scan Report (Click to Enlarge)

Observations

  • Installation and setup is super easy.
  • Definitely not a heavy weight, memory hogging scanner.
  • Did not find some of the basic vulnerabilities other scanners had found.
  • Scan ran for ~14hours for that medium sized app.

Features

  • High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.
  • Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
  • Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.

The tool is believed to support Linux, FreeBSD 7.0+, MacOS X, and Windows (Cygwin) environments.


List of High and Medium Vulnerabilities Skipfish Attempts to Identify

A rough list of the security checks, for High and Medium vulnerabilties, offered by the tool is outlined below.

  • High risk flaws (potentially leading to system compromise):
    • Server-side SQL injection (including blind vectors, numerical parameters).
    • Explicit SQL-like syntax in GET or POST parameters.
    • Server-side shell command injection (including blind vectors).
    • Server-side XML / XPath injection (including blind vectors).
    • Format string vulnerabilities.
    • Integer overflow vulnerabilities.
    • Locations accepting HTTP PUT.
  • Medium risk flaws (potentially leading to data compromise):
    • Stored and reflected XSS vectors in document body (minimal JS XSS support present).
    • Stored and reflected XSS vectors via HTTP redirects.
    • Stored and reflected XSS vectors via HTTP header splitting.
    • Directory traversal (including constrained vectors).
    • Assorted file POIs (server-side sources, configs, etc).
    • Attacker-supplied script and CSS inclusion vectors (stored and reflected).
    • External untrusted script and CSS inclusion vectors.
    • Mixed content problems on script and CSS resources (optional).
    • Incorrect or missing MIME types on renderables.
    • Generic MIME types on renderables.
    • Incorrect or missing charsets on renderables.
    • Conflicting MIME / charset info on renderables.
    • Bad caching directives on cookie setting responses.

Google Skipfish Info
App Name Google Skipfish
License free
Type code
App URL Download
More Info link