Skipfish: Google's New Tool to Harden Web App Security
A new open source web application security hole scanner is available from Google on the Google Code site. The tool, named Skipfish, is similar to Nmap and Nessus because it allows web developers to test their applications for possible vulnerabilities, but Google says it is even faster than the competition. Skipfish can be used to determine if code is vulnerable to common attacks such as cross-site scripting (XSS), SQL, and XML injection attacks.
Google's new security scanner is written in pure C. Skipfish uses fully automated heuristics to support a wide variety of web frameworks and mixed-technology websites. It has automated learning capabilities, on-the-fly wordlist creation, and form autocompletion. It also includes a sophisticated post-processing functionality for individual tests that is designed to help users interpret the final report. The Skipfish security logic includes high quality, low false positive, differential security checks that will detect a range of subtle flaws, including blind injection vectors.
Skipfish running in a Linux/Unix command line
According to Google, Skipfish can easily process over 2k HTTP requests per second (if the server being tested can handle that load). Individual tests across local networks have yielded 7k+ requests per second with a low CPU load and memory footprint. This kind of performance is achieved with a serial I/O model that performs asynchronous process responses and provides more scalability than multi-threaded, synchronous request processing. HTTP 1.1 range requests, keep-alive connections, and data compression give Skipfish optimized HTTP connection handling to regulate its network bandwidth requirements.
In Google's online security blog, Michal Zalewski said, "The safety of the Internet is of paramount importance to Google, and helping web developers build secure, reliable web applications is an important part of the equation." Google has released tools such as ratproxy, a passive security assessment tool, and the Browser Security Handbook to give web developers the tools and information they need to build more secure web applications. Google has been using Skipfish to test their own web applications for insecure interfaces. However, by no means do they suggest using Skipfish as your only vulnerability-detection tool since the security checks are not comprehensive enough to satisfy most of the Web Application Security Consortium's security scanner evaluation criteria.
Skipfish is at version 1.10 beta currently and it is released under the Apache v2 License.