
SANS ISC: Is it safe to run Skipfish on a production server? - Internet Security | DShield SANS ISC InfoSec Forums


Is it safe to run Skipfish on a production server?
Probably not...

Quoting the official Skipfish documentation:

"Keep in mind that all types of security testing can be disruptive. Although the scanner is designed not to carry out malicious attacks, it may accidentally interfere with the operations of the site. You must accept the risk, and plan accordingly. Run the scanner against test instances where feasible, and be prepared to deal with the consequences if things go wrong."

Source: http://code.google.com/p/skipfish/wiki/SkipfishDoc

Ideally, you would set up an identical testing/development environment for this.
Alex Stanford

154 Posts
In the SEC542 section on Skipfish, Kevin Johnson warned that Skipfish's main quality is speed. It runs insanely fast and can easily tip over the target. He also mentioned that one of the main reasons for this is logging. It fires so many requests at the target in such a short amount of time that the server can crash just trying to log it all. And if you're forwarding those logs to a central logging server, you might take down two for the price of one, depending on how beefy your log server is.
JeffSoh

29 Posts
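As an added example, not code from this thread or from the Skipfish project: a small POSIX shell wrapper that puts the advice in the two posts above into practice. It refuses any host that is not on an explicit allowlist of test instances, and when it does scan it sets Skipfish's own caps (-l requests per second, -m and -g connection limits, -r total requests, -k duration) instead of the unlimited defaults. A second helper reads a combined-format access log and reports the peak requests per second, which is the number to look at when sizing the logging load JeffSoh describes. The hostnames, the wordlist path, the cap values and the sample log lines (including the scanner User-Agent string) are assumptions made for the example.

```shell
#!/bin/sh
# Added example; not code from the ISC thread or from the Skipfish project.
# Two helpers:
#   skipfish_throttled  - scan only hosts on an explicit test-instance
#                         allowlist, with Skipfish's rate and connection caps
#   peak_rps            - peak requests/second in a combined-format access log,
#                         to see how hard a scan actually hit the target
#
# Skipfish options used (from its README):
#   -o dir    output directory (required)
#   -W file   read-write wordlist (required)
#   -l N      max requests per second (default 0 = unlimited)
#   -m N      max simultaneous connections per target IP (default 10)
#   -g N      max simultaneous TCP connections, global (default 40)
#   -r N      max total number of requests to send
#   -k h:m:s  stop scanning after the given duration
# Hostnames, the wordlist path and the cap values are assumptions.

# Test/dev instances we are allowed to scan (assumed names).
SCAN_ALLOWLIST="staging.example.test dev.example.test"

# skipfish_throttled URL [print]
# Runs (or, with "print", only prints) a throttled scan of URL.  Fails without
# sending anything if URL's host is not on SCAN_ALLOWLIST.
skipfish_throttled() {
    url=$1
    mode=${2:-run}
    # host part of scheme://host[:port]/path
    host=${url#*://}
    host=${host%%/*}
    host=${host%%:*}
    for allowed in $SCAN_ALLOWLIST; do
        if [ "$host" = "$allowed" ]; then
            # 20 req/s, 2 connections to the host, 4 global, at most 50k
            # requests and a 30 minute hard stop: assumed starting values,
            # to be tuned against the target's capacity and log pipeline.
            cmd="skipfish -o out-$host -W /usr/share/skipfish/dictionaries/medium.wl"
            cmd="$cmd -l 20 -m 2 -g 4 -r 50000 -k 0:30:00 $url"
            if [ "$mode" = print ]; then
                printf '%s\n' "$cmd"
            else
                $cmd
            fi
            return
        fi
    done
    printf 'refusing to scan %s: not on the test-instance allowlist\n' "$host" >&2
    return 1
}

# peak_rps < access.log
# Largest number of requests logged in any single second.  Field 4 of the
# combined log format is "[dd/Mon/yyyy:HH:MM:SS"; the leading "[" is dropped.
peak_rps() {
    awk '{ n[substr($4, 2)]++ }
         END { max = 0; for (s in n) if (n[s] > max) max = n[s]; print max }'
}

# Constructed sample log: three scanner requests in the same second, then one
# browser request a second later.  "Mozilla/5.0 SF/2.10b" is assumed to be the
# User-Agent skipfish 2.10b sends by default.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2013:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 SF/2.10b"
203.0.113.5 - - [10/Oct/2013:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 SF/2.10b"
203.0.113.5 - - [10/Oct/2013:13:55:36 +0000] "GET /backup/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 SF/2.10b"
198.51.100.7 - - [10/Oct/2013:13:55:37 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11)"'

# Peak rate of the sample above (3 requests in 13:55:36).
peak_from_sample() {
    printf '%s\n' "$SAMPLE_LOG" | peak_rps
}

# Usage: skipfish_throttled http://staging.example.test/app/
#        peak_rps < /var/log/apache2/access.log
```

Scan the staging copy first and compare peak_rps from that instance's access log with what the production web server and the central log server can sustain before deciding whether the caps are low enough. The -l, -m and -g values are ceilings Skipfish honours, not a guarantee of harmlessness; the documentation quoted above still applies, and the allowlist is the control that actually keeps the scanner off production.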
It's possible that it can add, delete, and modify data, so never run it on a production instance.
Anonymous
