Chris Elleman Technical Stuff

14 Oct/11

Skipfish - Free Web Security Scanning Software

So at the media company we've been having problems with hackers, so there is a renewed focus on security (never a bad thing). We have a corporate tool called HP WebInspect, but I've been waiting for almost a week to get my logons, so in the meantime a quick search has revealed Google Skipfish.

Skipfish is written in C, so it should run very fast; you download it and then have to compile it. I tried it on SUSE Linux Enterprise 11 and had to install the following additional libraries to get it to compile:

  • libidn
  • libidn-devel
  • openssl-devel

I then ran with the following commands:

cp dictionaries/minimal.wl dictionary.wl             # does around 50,000 requests
mkdir output                                         # make an output directory
./skipfish -W dictionary.wl -o output http://<url>   # run with a URL to test

I ran this on an Amazon large instance, testing against an Amazon micro instance running Tomcat, and it took just over 3 mins. The HTML output is very readable, so we are going to trial running it as a post-deployment process on our UAT environment.
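
One way the post-deployment run could be scripted, wrapping the three commands above so each run gets its own wordlist copy and output directory and only approved hosts are scanned. This is an added example, not part of the original post; `SKIPFISH_DIR`, `SKIPFISH_BIN`, `ALLOWED_HOSTS`, the function names and the `example.internal` hosts are assumptions.

```shell
#!/bin/sh
# Added example: post-deployment wrapper around the three commands in the post.
# All variable and function names here are hypothetical.
SKIPFISH_DIR="${SKIPFISH_DIR:-.}"            # directory where skipfish was compiled
SKIPFISH_BIN="${SKIPFISH_BIN:-./skipfish}"   # binary, relative to SKIPFISH_DIR
# Constructed placeholder hosts: the only targets this job may scan.
ALLOWED_HOSTS="${ALLOWED_HOSTS:-uat.example.internal uat2.example.internal}"

# Print the host of an http(s) URL; fail on anything ambiguous.
url_host() {
    case "$1" in
        *@*|*\\*|*" "*) return 1 ;;      # no userinfo, backslashes or spaces
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    rest="${1#*://}"                     # drop scheme
    rest="${rest%%[/?#]*}"               # drop path, query, fragment
    printf '%s\n' "${rest%%:*}"          # drop port
}

# Succeed only if the URL's host is exactly one of ALLOWED_HOSTS.
target_allowed() {
    host=$(url_host "$1") || return 1
    for allowed in $ALLOWED_HOSTS; do
        [ "$allowed" = "$host" ] && return 0
    done
    return 1
}

# Scan one target; prints the report directory on stdout on success.
run_scan() {
    target="$1"
    if ! target_allowed "$target"; then
        echo "refusing to scan out-of-scope target: $target" >&2
        return 2
    fi
    stamp=$(date +%Y%m%d-%H%M%S)
    (
        cd "$SKIPFISH_DIR" || exit 3
        # Fresh wordlist copy and output directory per run, as in the post.
        cp dictionaries/minimal.wl "dictionary-$stamp.wl" || exit 3
        mkdir "output-$stamp" || exit 3
        $SKIPFISH_BIN -W "dictionary-$stamp.wl" -o "output-$stamp" "$target" >&2 || exit 4
        echo "$SKIPFISH_DIR/output-$stamp"
    )
}

# Usage: sh postdeploy-scan.sh --scan http://uat.example.internal/
if [ "${1:-}" = "--scan" ]; then
    run_scan "${2:-}"
fi
```

A non-zero exit from `run_scan` (2 for an out-of-scope target, 3 for setup failures, 4 when the scanner itself fails) lets the deployment pipeline flag the step instead of silently skipping the scan.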