Google intros Skipfish web application security scanner

According to search engine giant Google, Skipfish is an active web application security reconnaissance tool that prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes.

The resulting map, Google says, "is then annotated with the output from a number of active (but hopefully non-disruptive) security checks."

"The final report generated by the tool is meant to serve as a foundation for professional web application security assessments."

Interestingly, despite its description, Skipfish does not appear to be a replacement for commercial scanners, as Google notes that the scanner does not cover all of the checking and evaluation criteria set by the Web Application Security group.

Michal Zalewski, the renowned Polish white hat hacker and security staffer with Google, said that the Skipfish scanner operates at high speed and has been coded in C, with highly optimised HTTP handling and a minimal CPU footprint, making it capable of achieving 2,000 requests per second with responsive targets.

Skipfish is billed by Google as featuring heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.

The security tool is now available for download as source code, and Google says it should compile and work on POSIX-compliant environments including Linux, FreeBSD, MacOS X and even on Windows using Cygwin, the Unix-like command line interface for Windows.

Skipfish 1.05 beta is available for download now.
