Michal Zalewski (lcamtuf), a Polish security researcher and author of many tools and books, is at it again. On Friday, he released a fully automated, active web application security tool known as skipfish. This tool allows developers and security professionals to have a solid reconnaissance tool which scans at high speed tools, easy to use, and has a number of different security checks with limited false positives. In my particular environment, we are extremely budget poor (taking a 2nd budget cuts within under 6 months left in the fiscal is bad and I know others have it worse than we do). So having the possibility to increase my tool set without spending a lot of money sits very well with our administration. From my initial testing yesterday, it did detect a few issues within a sample website which had not been detected prior. So in my book, this is a great plus. The tool is under the Apache 2.0 license and is located at http://code.google.com/p/skipfish/ . I see that today there has been a number of changes today to correct a number of issues since it was initially released yesterday. I expect that this tool will be much more stable within the next few days. Scott Fendley ISC Handler |
ScottF 191 Posts ISC Handler Mar 21st 2010 |
Thread locked Subscribe |
Mar 21st 2010 1 decade ago |
I compiled this on my Backtrack laptop and ran it against one of the products we have with Web administration. I have to say, this is definitely a different way of displaying the details of how a client connects and what are all the possibilities said client can access from within the application, as well as, from outside.
|
HackDefendr 65 Posts |
Quote |
Mar 22nd 2010 1 decade ago |
Is it safe to run skipfish on production server...?
|
HackDefendr 2 Posts |
Quote |
Aug 14th 2013 8 years ago |
Sign Up for Free or Log In to start participating in the conversation!