The safety of the Internet is of paramount importance to Google, and helping web developers build secure, reliable web applications is an important part of the equation. To advance this goal, we have released projects such as ratproxy, a passive security assessment tool; and Browser Security Handbook, a comprehensive guide for web developers. We also worked with the community to improve the security of third-party browsers.
Today, we are happy to announce the availability of skipfish - our free, open source, fully automated, active web application security reconnaissance tool. We think this project is interesting for a few reasons:
- High speed: written in pure C, with highly optimized HTTP handling and a minimal CPU footprint, the tool easily achieves 2000 requests per second with responsive targets.
- Ease of use: the tool features heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
- Cutting-edge security logic: we incorporated high quality, low false positive, differential security checks capable of spotting a range of subtle flaws, including blind injection vectors.
To download the scanner, please visit this page; detailed project documentation is available here.
This is cool and all but Google, you really need to figure out how to protect against social engineering attacks.
ReplyDeleteKeep them coming. Great to see some new tools for us to use.
ReplyDeleteYour "Browser Security Handbook" is NOT a "handbook", or any kind of book at all. It is a wiki! There is a pretty damned big difference.
ReplyDeleteI understand the utility of a wiki, but don't call things what they are not.
The tool runs beautifully.
ReplyDeleteThanks.
why there's no code in svn?
ReplyDeleteany plans to support NSS besides/instead of OpenSSL?
ReplyDeleteany plans to support windows? i've tried hard to compile it with msvc, mingw and cygwin. all failed. cygwin at least compiles, but fails to link. msvc support would be very nice.
um never mind the question about windows support, i got it compile under cygwin, i just had to use the cygwin builds of libidn, openssl and zlib.
ReplyDeletehi, i've setted up a page for my windows builds of skipfish:
ReplyDeletehttp://nss.daydreamer.nu/?q=node/16
enjoy!
Nice work again Google. Very cool.
ReplyDelete@Lonny Man, you've really got to learn to chill out. Google have written a handbook in Wiki form, but it's still a handbook. ;)
Running the tool now, my local server doesn't seem to be able to respond to 2000 requests a second though! More like 4!
ReplyDeleteHi,
ReplyDeleteCan someone here please tell me how to run skipfish on windows vista.
I have been told to do a research on this tool. But I dont understand what am supposed to do. People say we can do it with cgywin for windows user. But I have no idea wat to do with cgywin. Can someone please tell me how to get it run?
Please dont say open cgywin and type ./skipfish - H..... something like this.
Thanks.