skipfish

web application security scanner

skipfish

Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Key features:

  • High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets.
  • Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
  • Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.
The tool is believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.

Quick links

  • Download 2.10b (changelog)
  • How to run the scanner! (old)
  • View a sample screenshot

Documentation

  • What's new
  • Detailed documentation
  • Content signatures (updated)
  • Authenticated scans (updated)

Getting help

  • Known problems / workarounds
  • File a bug in the tracker

Project Information

Labels:
security web scanner http google crawler