News

Google Launches Free SkipFish Tool for Web App Security

• By Becky Nagel
• March 26, 2010

Last week Google released SkipFish, a no-cost, open source "security reconnaissance tool" for Web-based applications.

SkipFish works by crawling a targeted site and then providing a list of any and all security issues it detects. According to Google, SkipFish works like other current open-source tools out there (it cites Nessus and Nikto2 as examples), but offers some advantages, including faster processing, better ease of use and more accurate results.

Written entirely in C, SkipFish can process more than 500 requests per second over the Internet and more than 2,000 requests per second on "responsive" local area and metro area networks, according to a Google statement. Google's project site states that SkipFish is "believed to support" Windows, Linux, MacOS and FreeBSD 7.0+.

Some of the issues the tool is designed to catch include:

• Format String Vulnerabilities
• Server-Side SQL Injection
• Integer Overflow Vulnerabilities
• Bad Caching Directives on Cookie Setting Responses
• Attacker-Supplied Script
• Server-Side Shell Command Injection

(For a complete list of what it targets, go here and scroll down to the "Most Curious!" section.)

According to Google's documentation for the tool, SkipFish does not meet the WASC Web Application Security Scanner Evaluation Criteria, and the "final report generated by the tool is meant to serve as a foundation for professional Web application security assessments."

In a blog post announcing the tool, Google's Michael Zalewski wrote, "The safety of the Internet is of paramount importance to Google, and helping Web developers build secure, reliable Web applications is an important part of the equation."

"As with ratproxy, we feel that SkipFish will be a valuable contribution to the information security community," he continued, "making security assessments significantly more accessible and easier to execute."

For more information or to download SkipFish, go here.