From Aldeid

Contents 1 SkipFish 1.1 Description 1.2 Installation 1.2.1 Prerequisites 1.2.2 Skipfish 1.3 Usage 1.3.1 Basic usage 1.3.2 Options 1.3.2.1 Authentication and access options 1.3.2.2 Crawl scope options 1.3.2.3 Reporting options 1.3.2.4 Dictionary management options 1.3.2.5 Performance settings 1.3.3 Report

SkipFish

Description

SkipFish has been developed by Michal Zalewski (Google engineer). This tool automatizes vulnerability assessment on web applications. It is capable of processing between 500 requests per second for a remote scan and 7,000 requests per second for a local one. The tool is compatible with Linux, FreeBSD 7.0+, MacOS X, and Windows (Cygwin) environments

Installation

Prerequisites

# apt-get install libidn11-dev

Skipfish

# mkdir -p /usr/local/skipfish/
# cd /usr/local/skipfish/
# wget http://skipfish.googlecode.com/files/skipfish-1.10b.tgz
# tar xvf skipfish-1.10b.tgz
# cd skipfish/
# make

To check that it has been successfully installed, type:

# ./skipfish -h

Usage

Basic usage

# ./skipfish -W dictionaries/complete.wl -o report http://www.domain.com/index.php

Options

Authentication and access options

 -A user:pass   - use specified HTTP authentication credentials
 -F host:IP     - pretend that 'host' resolves to 'IP'
 -C name=val    - append a custom cookie to all requests
 -H name=val    - append a custom HTTP header to all requests
 -b (i|f)       - use headers consistent with MSIE / Firefox
 -N             - do not accept any new cookies

Crawl scope options

 -d max_depth   - maximum crawl tree depth (16)
 -c max_child   - maximum children to index per node (1024)
 -r r_limit     - max total number of requests to send (100000000)
 -p crawl%      - node and link crawl probability (100%)
 -q hex         - repeat probabilistic scan with given seed
 -I string      - only follow URLs matching 'string'
 -X string      - exclude URLs matching 'string'
 -S string      - exclude pages containing 'string'
 -D domain      - crawl cross-site links to another domain
 -B domain      - trust, but do not crawl, another domain
 -O             - do not submit any forms
 -P             - do not parse HTML, etc, to find new links

Reporting options

 -o dir         - write output to specified directory (required)
 -J             - be less noisy about MIME / charset mismatches
 -M             - log warnings about mixed content
 -E             - log all HTTP/1.0 / HTTP/1.1 caching intent mismatches
 -U             - log all external URLs and e-mails seen
 -Q             - completely suppress duplicate nodes in reports

Dictionary management options

 -W wordlist    - load an alternative wordlist (skipfish.wl)
 -L             - do not auto-learn new keywords for the site
 -V             - do not update wordlist based on scan results
 -Y             - do not fuzz extensions in directory brute-force
 -R age         - purge words hit more than 'age' scans ago
 -T name=val    - add new form auto-fill rule
 -G max_guess   - maximum number of keyword guesses to keep (256)

Performance settings

 -g max_conn    - max simultaneous TCP connections, global (50)
 -m host_conn   - max simultaneous connections, per target IP (10)
 -f max_fail    - max number of consecutive HTTP errors (100)
 -t req_tmout   - total request response timeout (20 s)
 -w rw_tmout    - individual network I/O timeout (10 s)
 -i idle_tmout  - timeout on idle HTTP connections (10 s)
 -s s_limit     - response size limit (200000 B)

Report