Bangalore: Google continue to contribute to the open source community and has now launched open-source web-security scanner called Skipfish that is designed to allow people to scan web applications for security holes. The tool scans a web application for flaws including “tricky scenarios” such as blind SQL or XML injection, Google developer Michal Zalewski said in the Skipfish wiki, according to ZDNet.
Zalewski wrote that there are already a number of both commercial and open-source scanning tools available, including Nikto and Nessus, and recommended that people use the tool that suits them. However, he added that Skipfish is high performance, with over 500 requests per second against internet targets, and over 2,000 requests per second on LANs, depending on the capabilities of the server being tested.
Skipfish prepares a sitemap annotated with interactive crawl results, highlighting flaws, after a recursive crawl and dictionary-based probing of the target site. The tool can also generate a final report that can be used as a basis for a security assessment.
However, Zalewski warned that Skipfish is “not a silver bullet”, saying the tool deliberately does not satisfy the majority of the requirements outlined in the Wasc Web Application Security Scanner Evaluation Criteria. In addition, Skipfish does not come with an extensive database of known vulnerabilities.