Google releases skipfish

Google today released a “web application security” tool called skipfish on google code for Linux, FreeBSD 7.0+, MacOS X, and Windows (Cygwin).

The tool features:

  • High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.
  • Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
  • Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.

Skipfish is supposed to run a number of tests that are categorized by severity including the following ones:

Server-side SQL injection (including blind vectors, numerical parameters).
Explicit SQL-like syntax in GET or POST parameters.
Server-side shell command injection (including blind vectors).
Server-side XML / XPath injection (including blind vectors).
Format string vulnerabilities.
Integer overflow vulnerabilities.

Let’s hope this tool really helps making the web a bit more secure – at least I am really curious to try it out and run it against my own server 🙂

Have fun with your own security audit,



Maximilian Hainlein

I'm working for crealytics as Social Media and Marketing Manager since 2011. My motto: "It's better to be the needle than the haystack."