Enterprise IT Watch Blog

Mar 22 2010   2:28PM GMT

Google skipfish, 0-day hunter

Michael Morisy Michael Morisy Profile: Michael Morisy

If web apps are really going to take off in the way Google hopes, the Big G knows it needs to tighten up the security holes on web apps at large, no matter how elegant their own solutions are.

Enter skipfish, Google’s automated web security scanner, which was launched Friday by Michał Zalewski in a post on the Google Online Security Blog:

Today, we are happy to announce the availability of skipfish – our free, open source, fully automated, active web application security reconnaissance tool. We think this project is interesting for a few reasons:

  • High speed: written in pure C, with highly optimized HTTP handling and a minimal CPU footprint, the tool easily achieves 2000 requests per second with responsive targets.
  • Ease of use: the tool features heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
  • Cutting-edge security logic: we incorporated high quality, low false positive, differential security checks capable of spotting a range of subtle flaws, including blind injection vectors.

For those worried that this just further enables malicious script kiddies to hunt out and play with gaping holes in your poorly designed web app (or that budget SaaS vendor your CIO chose), Google included this disclaimer:

First and foremost, please do not be evil. Use skipfish only against  services you own, or have a permission to test.

We’ll see how long that lasts, but at least there’s another (open source, no less!) tool from a reputable company to help catch problems before someone else does. If you’re interested in a second opinion, the folks at Securi Security also took a closer look at skipfish, and left with a favorable impression.

1  Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • SQL attacks come from the darndest places - Enterprise IT Watch Blog
    [...] attack vector for the largest U.S. ID theft case ever. And while tools are arriving on the scene to help businesses root out potential problems before the bad guys do, there’s plenty of attack vectors just waiting to be exploited. The [...]
    0 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: