Google releases SkipFish, a new web application security tool


Mountain View must be starting to worry more about applying its “Don’t be evil” mantra, releasing a web application security testing tool that had been under development internally. SkipFish is its name, and it’s sure to add another tool to your developer toolbox. On the flip side, this tool will definitely also pop up on the radar of the very people it’s trying to stop.

Why do I care?

SkipFish is very similar to a number of tools on the market, such as HP’s WebInspect, Nikto2 and Nessus, and unlike WebInspect, SkipFish has a much lower price point (free). All these tools are designed to scan web sites for vulnerabilities, so that they can be addressed before the bad guys find them.

"We feel that Skipfish will be a valuable contribution to the information security community, making security assessments significantly more accessible and easier to execute."

Google developer Michal Zalewski said in his post on the Google online security blog.

The tool appears to still be quite young in its development life cycle. It should run on Windows, Mac OS X and BSD, but no binaries have been provided.

Most web developers spend a lot of time getting things out the door and, in my experience, not enough time on forward-looking test cases such as checking for cross-site scripting and SQL injection vulnerabilities.

A closer look

Google’s ninjas extraordinaire have written Skipfish from the ground up in C, making it extremely efficient while scanning your site. It has been released in source-only form, so unless you’re willing to wait around for someone to compile it for you, you will need to get your hands dirty.

It is touted to scan through a multitude of Low, Medium and High Risks, including:

  • Server-side SQL injection (including blind vectors, numerical parameters).
  • Format string vulnerabilities.
  • Server-side shell command injection (including blind vectors).
  • Integer overflow vulnerabilities.
  • Server-side XML / XPath injection (including blind vectors).
  • Explicit SQL-like syntax in GET or POST parameters.
  • And many more, as detailed in the project documentation.
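As an added illustration of the “explicit SQL-like syntax in GET or POST parameters” check above (example code written for this post, not Skipfish’s own code or rule set): a small Python helper that parses a request URL and optional form body and flags parameter values that carry raw SQL fragments. The regex heuristic and the sample requests are constructed assumptions; a defender can run the same check over their own application’s links and forms to find places that pass SQL fragments to the server.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Heuristic for values that look like raw SQL fragments rather than ordinary
# user data. This is an assumption for illustration, not Skipfish's rule set.
SQL_LIKE = re.compile(
    r"\b(select\b.+\bfrom\b|union\s+(all\s+)?select\b|insert\s+into\b|"
    r"delete\s+from\b|update\b.+\bset\b|drop\s+table\b|order\s+by\b)",
    re.IGNORECASE | re.DOTALL,
)


def sql_like_params(url, post_body=None):
    """Return [(source, name, value)] for every GET (query string) or POST
    (form body) parameter whose decoded value contains SQL-like syntax."""
    findings = []
    # parse_qsl decodes percent-encoding and '+' so the regex sees plain text.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if SQL_LIKE.search(value):
            findings.append(("GET", name, value))
    if post_body:
        for name, value in parse_qsl(post_body, keep_blank_values=True):
            if SQL_LIKE.search(value):
                findings.append(("POST", name, value))
    return findings


# Constructed sample requests (hypothetical host), as a crawler might record them.
SAMPLE_REQUESTS = [
    ("http://app.example.test/report?sort=ORDER+BY+created_at&page=2", None),
    ("http://app.example.test/search?q=I+selected+from+the+menu", None),
    ("http://app.example.test/export", "fmt=csv&where=id+IN+(SELECT+id+FROM+orders)"),
]

if __name__ == "__main__":
    for url, body in SAMPLE_REQUESTS:
        for source, name, value in sql_like_params(url, body):
            print(f"{source} parameter {name!r} carries SQL-like syntax: {value!r}")
```

The second sample is a benign sentence that happens to contain “selected” and “from”; the word boundaries in the pattern keep it from being flagged, which is the kind of false-positive tuning any such heuristic needs.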

As I stated above, Skipfish is by no means the only tool of its kind, but it is great to see Google both releasing more internal code to the world and making it easier for developers to dot their i’s and cross their t’s. Web security is an important part of any web app developer’s job, so having more free tools around to make that job easier can only be a good thing.

I must also say that I find this line in the copy on the Google Code site quite interesting:

“…The tool is believed to support Linux, FreeBSD 7.0+, MacOS X, and Windows (Cygwin) environments…”

What is “believed to” meant to mean? How mature is the tool in Google’s internal use, and how well has it been compiled and run on each of these target systems?
