Google releases skipfish
This Friday Google has publicly released skipfish, a free security tool which scans web applications looking for vulnerabilities. Google again shows its effort in enhancing the security of web platforms after the 2008 release of ratproxy, a similar tool focused on non-disruptive testing and high yield from a low traffic footprint.
The idea behind skipfish consists in recursively crawling a web applications, following links and forms which lead to targets in the current host. The output is a generated sitemap whose nodes are annotated with possible security issues found via heuristics run on the behavior and content encountered. For example, skipfish points out shell command and SQL injection vectors by injecting typical patterns and looking for error conditions in the response.
skipfish is written in pure C, with a custom http stack to perform blazingly fast (up to 2000 requests per second have been reported on local instances.) The source code can be compiled on POSIX-compliant systems, so that skipfish runs on Linux, Mac OS X and Windows via cygwin.
skipfish is definitely one of the tools to keep in the web developer box. No security tool, and particularly a scanner, should be employed single-handedly: there are vulnerabilities which are impossible or non practical to test remotely (see buffer overflows) and have been deliberately left out from skipfish’s vision, as known limitations.
A combination of several tools could instead be helpful: nowadays more and more software is being transported on the cloud, and the web has evolved from a browsing platform to a full-featured set of remote applications, whose field Google leads with Gmail, Google Docs and its other products. Automated scanning is one of the ways to go to outline critical entry-points while optimizing the time spent on analysis.