Google Launches Free SkipFish Tool for Web App Security

Last week Google released SkipFish, a no-cost, open source "security reconnaissance tool" for Web-based applications.

SkipFish works by crawling a target site and then reporting the security issues it detects. According to Google, SkipFish works like other current open-source tools (it cites Nessus and Nikto2 as examples) but offers advantages in processing speed, ease of use and accuracy of results.

Written entirely in C, SkipFish can process more than 500 requests per second over the Internet and more than 2,000 requests per second on "responsive" local area and metro area networks, according to a Google statement. Google's project site states that SkipFish is "believed to support" Windows, Linux, MacOS and FreeBSD 7.0+.

Some of the issues the tool is designed to catch include:

  • Format String Vulnerabilities
  • Server-Side SQL Injection
  • Integer Overflow Vulnerabilities
  • Bad Caching Directives on Cookie Setting Responses
  • Attacker-Supplied Script
  • Server-Side Shell Command Injection

(For a complete list of what it targets, go here and scroll down to the "Most Curious!" section.)
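As an added illustration of the "Bad Caching Directives on Cookie Setting Responses" item above (this is example code written for this article, not Skipfish's own logic), the check below inspects one HTTP response and flags it when it sets a cookie while still being cacheable by a shared cache, which is how a session cookie can leak to another user via a proxy or CDN. The sample responses are constructed, and the function names are my own.

```python
"""Flag HTTP responses that set a cookie without telling caches to keep
it private. Illustrative check for one issue class Skipfish reports;
not Skipfish code."""

from typing import Dict, List, Tuple

Header = Tuple[str, str]


def parse_response_head(raw: str) -> List[Header]:
    """Turn a raw HTTP response head into (name, value) header pairs.
    Pairs (not a dict) are used so repeated Set-Cookie lines survive."""
    headers: List[Header] = []
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control value into {directive: argument}; names are
    lower-cased and directives without '=' map to an empty string."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def check_cookie_caching(headers: List[Header]) -> List[str]:
    """Return findings for a response that sets a cookie but may be cached
    by a shared cache. An empty list means no caching concern was found."""
    sets_cookie = any(name.lower() == "set-cookie" for name, _ in headers)
    if not sets_cookie:
        return []  # no cookie issued, so nothing user-specific to protect

    cc_values = [v for n, v in headers if n.lower() == "cache-control"]
    directives: Dict[str, str] = {}
    for value in cc_values:
        directives.update(parse_cache_control(value))

    findings: List[str] = []
    if not cc_values:
        findings.append("Set-Cookie response has no Cache-Control header")
    elif "no-store" not in directives and "private" not in directives:
        findings.append("Cache-Control on Set-Cookie response lacks no-store/private")
    if "public" in directives:
        findings.append("Cache-Control: public on a Set-Cookie response")
    if "s-maxage" in directives and "private" not in directives:
        findings.append("s-maxage allows shared caches to keep a Set-Cookie response")
    return findings


# Constructed sample responses (not captured from any real site).
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=abc123; HttpOnly\r\n"
    "Cache-Control: public, max-age=3600\r\n"
    "\r\n<html>"
)
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=abc123; HttpOnly; Secure\r\n"
    "Cache-Control: no-store, private\r\n"
    "\r\n<html>"
)
NO_CC_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=abc123\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("bad", BAD_RESPONSE), ("good", GOOD_RESPONSE), ("no-cc", NO_CC_RESPONSE)):
        print(label, check_cookie_caching(parse_response_head(raw)))
```

The same check can be run over a saved proxy log by feeding each response head to `parse_response_head`; the fix on the server side is simply to emit `Cache-Control: no-store` (or at least `private`) on any response that carries a `Set-Cookie` header.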

According to Google's documentation for the tool, SkipFish does not meet the WASC Web Application Security Scanner Evaluation Criteria, and the "final report generated by the tool is meant to serve as a foundation for professional Web application security assessments."

In a blog post announcing the tool, Google's Michal Zalewski wrote, "The safety of the Internet is of paramount importance to Google, and helping Web developers build secure, reliable Web applications is an important part of the equation."

"As with ratproxy, we feel that SkipFish will be a valuable contribution to the information security community," he continued, "making security assessments significantly more accessible and easier to execute."

For more information or to download SkipFish, go here.

About the Author

Becky Nagel is vice president of AI for 1105 Media, where she specializes in training internal and external customers on maximizing their business potential via a wide variety of generative AI technologies as well as developing cutting-edge AI content and events. She's the author of "ChatGPT Prompt 101 Guide for Business Uses," regularly leads research studies on generative AI business usage, and serves as the director of AI Boardroom, a new resource for C-level executives looking to excel in the AI era. Prior to her current position she was a technical leader for 1105 Media's Web, advertising and production teams as well as editorial director for a suite of enterprise technology publications, including serving as founding editor of She has 20 years of enterprise technology journalism experience, and regularly speaks and writes about generative AI, AI, edge computing and other cutting-edge technologies. She can be reached at [email protected].