Skipfish – New Web Security Scanner By Google !

On Mar 19, on Friday morning, Michal Zalewski announced on Google Security Blog : "Meet skipfish, our automated web security scanner" and this had to be taken seriously.

Recently I've seen a lot  of free  "web malware scanners", some of them released by prestigious security vendors , *cough* Qualys *cough* and some of them released by unknown -to me at least – developers of WP-Secure Plugin for WordPress  SiteSecurityMonitor.com .

Google developers took a different approach and they built an ol' school console application written in pure C which is lighting fast and thanks to it's asynchronous processing is able to inject hundreds of HTTP requests / second.

The source code is released under Apache license and it's available for download here.

I don't have a Linux box available right now to make it and test it myself but the documentation surely fires up your interest on the features implemented in skipfish: Server-side SQL injection, Integer overflow vulnerabilities, Stored and reflected XSS, MIME Manipulation, HTTP credentials in URLs, Unexpected response variations and many many others. 

We owe a big thanks to the Google security team and I hope skipfish will be developed further.

Thank you for reading this post. You can now Read Comment (1) or Leave A Trackback.  Print This Post

Post Info

This entry was posted on Sunday, March 21st, 2010 .

Tagged with: Application Security Testing, Google, Tools, Vuln. Scanner, Web Applications

You can follow any responses to this entry through the Comments Feed. You can Leave A Comment, or A Trackback.

Previous Post: SC Magazine 2010 Awards Winners »
Next Post: My Twitter Notes on 2010-05-02 »

Read More

Related Reading:

• Googlehacks and Anti-Googlehacks
• Secret Feature / Vulnerability in Google Webmaster Tools
• WordPress Exploit Scanner
• Google MD5 Hash Search Engine
• Scanners: New Nessus Release; New eEye Web Scanner

• Back to the Homepage

Latest Posts:

• Securing Your Network from Web Threats
• My Twitter Notes on 2010-07-25
• New NetWitness Visualize : Welcome To The Future!
• My Twitter Notes on 2010-07-18
• My Twitter Notes on 2010-07-11
• My Twitter Notes on 2010-06-27
• Qualys and Imperva Integration: Natural Evolution
• My Twitter Notes on 2010-06-20
• Pro CERT – First Romanian Commercial CERT
• GFI EventsManager 2010 Review

One Response to “Skipfish – New Web Security Scanner By Google !”

• 1
  anonymous
  May 26th, 2010 00:16

  WebCruiser – Web Vulnerability Scanner
  WebCruiser – Web Vulnerability Scanner, a compact but powerful web security scanning tool! It has a Crawler and a Vulnerability Scanner(SQL Injection, Cross Site Scripting, XPath Injection etc. ).
  It can support scanning website as well as POC( Prooving of concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, XPath Injection etc. So, WebCruiser is also an automatic SQL injection tool, a XPath injection tool, and a Cross Site Scripting tool!
  Function:
  * Crawler(Site Directories And Files);
  * Vulnerability Scanner(SQL Injection, Cross Site Scripting, XPath Injection etc.);
  * POC(Proof of Concept): SQL Injection, Cross Site Scripting, XPath Injection etc.;
  * GET/Post/Cookie Injection;
  * SQL Server: PlainText/Union/Blind Injection;
  * MySQL/DB2/Access: Union/Blind Injection;
  * Oracle: Union/Blind/CrossSite Injection;
  * Post Data Resend;
  * Administration Entrance Search;
  * Time Delay For Search Injection;
  * Auto Get Cookie From Web Browser For Authentication;
  * Report Output.
  http://sec4app.com

Leave a Reply

Name (required)

Email (will not be published) (required)

Website

Notify me of followup comments via e-mail

Dragos Lungu Dot Com

Security Tools and Tips

• Subscribe
• HOME
• About
• My Services
My Reviews