Released as an open source tool under the Apache license, skipfish from Google prepares an interactive site map for a targeted site by recursively crawling through webpages and using dictionary attacks to probe sites. It then targets the site with a variety of active security checks designed to test for vulnerabilities, including blind injection vectors.
The tool, written in C, competes with existing scanners such as Nikto and Nessus. However, Google says that it delivers some specific benefits, including fast operation. It says that it can process 2000 requests per second on a local area network, and 7000 requests against local instances. The company attributes this to a custom HTTP stack, along with smart response caching.
It tests for explicit SQL-like syntax in GET and POST parameters, server-side shell command injection and XML injection, along with vulnerabilities in format strings, and potential integer overflows. The new tool from Google will also be able to pick up other program flaws, including attacker-supplied embedded content, expired and self-signed SSL certificates, HTTP credentials in URLs and bad caching directives.
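Two of the passive checks listed above (credentials embedded in a URL, and caching directives that let a cookie-bearing response be stored by shared caches) are simple enough to show directly. The following is an added example written for this page, not skipfish's own code; the sample URLs and headers are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample: (url, response headers) pairs as a crawler might record
# them. Hostnames and values are invented for illustration.
SAMPLES = [
    ("https://admin:hunter2@app.example.test/login",
     {"Set-Cookie": "sid=abc; HttpOnly", "Cache-Control": "public, max-age=3600"}),
    ("https://app.example.test/account",
     {"Set-Cookie": "sid=abc; HttpOnly"}),
    ("https://app.example.test/static/logo.png",
     {"Cache-Control": "public, max-age=86400"}),
]


def credentials_in_url(url):
    """True when the URL carries a userinfo component (user or password)."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def bad_caching(headers):
    """Flag a response that sets a cookie yet may be stored by a shared cache.

    A missing Cache-Control header, or one without 'no-store' or 'private',
    is treated as a bad caching directive for a session-bearing response.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if "set-cookie" not in lowered:
        return False
    cache_control = lowered.get("cache-control", "")
    directives = {d.strip().lower() for d in cache_control.split(",") if d.strip()}
    return not directives & {"no-store", "private"}


def audit(samples):
    """Return (url, finding) tuples for every passive check that fires."""
    findings = []
    for url, headers in samples:
        if credentials_in_url(url):
            findings.append((url, "credentials in URL"))
        if bad_caching(headers):
            findings.append((url, "bad caching directive"))
    return findings


if __name__ == "__main__":
    for url, finding in audit(SAMPLES):
        print(f"{finding}: {url}")
```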
"Please do not be evil," Google said in the documentation for the skipfish talk. "Keep in mind that all types of security testing can be disruptive. Although the scanner is designed not to carry out malicious attacks, it may accidentally interfere with the operations of the site."
The tool uses heuristics to support a variety of web frameworks and sites that combine different technologies.