Google Launches Free SkipFish Tool for Web App Security

Last week Google released SkipFish, a no-cost, open source "security reconnaissance tool" for Web-based applications.

SkipFish works by crawling a targeted site and then providing a list of any and all security issues it detects. According to Google, SkipFish works like other current open-source tools out there (it cites Nessus and Nikto2 as examples), but offers some advantages, including faster processing, better ease of use and more accurate results.

Written entirely in C, SkipFish can process more than 500 requests per second over the Internet and more than 2,000 requests per second on "responsive" local area and metro area networks, according to a Google statement. Google's project site states that SkipFish is "believed to support" Windows, Linux, MacOS and FreeBSD 7.0+.

Some of the issues the tool is designed to catch include:

  • Format String Vulnerabilities
  • Server-Side SQL Injection
  • Integer Overflow Vulnerabilities
  • Bad Caching Directives on Cookie Setting Responses
  • Attacker-Supplied Script
  • Server-Side Shell Command Injection

(For a complete list of what it targets, go here and scroll down to the "Most Curious!" section.)

According to Google's documentation for the tool, SkipFish does not meet the WASC Web Application Security Scanner Evaluation Criteria, and the "final report generated by the tool is meant to serve as a foundation for professional Web application security assessments."

In a blog post announcing the tool, Google's Michael Zalewski wrote, "The safety of the Internet is of paramount importance to Google, and helping Web developers build secure, reliable Web applications is an important part of the equation."

"As with ratproxy, we feel that SkipFish will be a valuable contribution to the information security community," he continued, "making security assessments significantly more accessible and easier to execute."

For more information or to download SkipFish, go here.

About the Author

Becky Nagel is the vice president of Web & Digital Strategy for 1105's Converge360 Group, where she oversees the front-end Web team and deals with all aspects of digital projects at the company, including launching and running the group's popular virtual summit and Coffee talk series . She an experienced tech journalist (20 years), and before her current position, was the editorial director of the group's sites. A few years ago she gave a talk at a leading technical publishers conference about how changes in Web browser technology would impact online advertising for publishers. Follow her on twitter @beckynagel.