first impressions of Google’s Skipfish WVS
After getting really interested in a recent Google project, I spent a few hours today with Google's Skipfish v1.25b, a Google project for a web application security scanner, or, as it is sometimes referred to in the professional arena, a WVS (web vulnerabilities scanner), and it is completely open source, as I like it.
As I mentioned, I am playing with version 1.25b (although 1.26b is available at the time of writing this article) against a vulnerable demo web application that I wrote a few months back, and I got some impressions of the current version.
First of all, I have to admit it's blazing fast. Once given a destination to scan, the scan is quick, and the results are displayed in a very elegant way (although a bit too hardcore); moreover, the depth and methods of detecting problems are quite impressive.
That being said, the security checks themselves missed lots of the application's vulnerabilities, including some quite basic SQL injections that were put there specifically for security demonstrations. But I will give it credit and wait until this tool matures a little more before I try it again; I am sure it will be much better.
The report is excellent and very insightful, and it shows the trace of the stream up to the point where the vulnerability was detected, which is always good. Nevertheless, I would like to see some different report export mechanisms in future versions, such as XML and PDF, to make it more usable in the IT security ecosystem.
There is a point to remember: at the current time it is being written and managed by one person at Google, compared to enterprise tools such as IBM's Rational AppScan or Qualys, so you have to give credit here :)
For ease of use, it is easy, but I do expect a UI, since most people who will run this scanner will require some interaction with it that does not demand any CLI / Linux skills; those are not in their job requirements, they just need to run a tool and test for a baseline (unfortunately, that also includes lots of "consultants").
If I am to rate this tool, I would rate its current version (1.25b) at 6.5 out of 10 for now, since I really like its speed and overall architecture, but I do see the need for some more maturity and some more robust security tests.
It detected 9 of 14 SQLi and 4 of 8 XSS, and none of the 4 persistent XSS vulnerabilities (although it claims to detect them). And yes, I fed it credentials as needed.
It's a decent alternative to lots of the tools out there, even at its current stage, and I would definitely go back to it once it has a few more holes under its belt.
Finally, just a quick install HOW-TO for it.
If you want to install it under CentOS (I used 5.2), then do the following:
1. download and extract the tgz file anywhere (example: tar zxpfv skipfish*.tgz)
2. install some necessary packages for the build
- yum install gcc
- yum install openssl-devel
- yum install libidn-devel
3. step into the extracted folder and run make
4. there you go. :)
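The same install steps as a checked script, added here as an example and not part of the original post or the Skipfish project. It assumes the tarball unpacks into one top-level directory that ends up containing the built skipfish binary, and it uses the header files that openssl-devel and libidn-devel install as the presence markers, so no rpm query is needed.

```shell
#!/bin/bash
# Added example, not from the original post: the CentOS build steps above as a
# checked script. Assumptions: the tarball unpacks into one top-level directory
# and the build leaves a "skipfish" binary in it; header files are used as the
# markers that openssl-devel / libidn-devel are present, so no rpm query is needed.
set -e

# Print the dev packages whose headers are missing under the include root "$1"
# (normally /usr/include; any directory can be passed in for testing).
missing_dev_packages() {
  local root="$1" missing=""
  [ -f "$root/openssl/ssl.h" ] || missing="$missing openssl-devel"
  [ -f "$root/idna.h" ]        || missing="$missing libidn-devel"
  echo "${missing# }"
}

# Build skipfish from the tarball "$1" in the current directory and print the
# path of the resulting binary; fail early with the yum command still needed.
build_skipfish() {
  local tgz="$1" missing dir
  command -v gcc >/dev/null 2>&1 || { echo "run: yum install gcc" >&2; return 1; }
  missing=$(missing_dev_packages /usr/include)
  [ -z "$missing" ] || { echo "run: yum install $missing" >&2; return 1; }
  tar zxpf "$tgz"
  # first entry of the archive gives the top-level directory name
  dir=$(tar tzf "$tgz" | head -n 1 | sed 's#^\./##' | cut -d/ -f1)
  ( cd "$dir" && make )
  [ -x "$dir/skipfish" ] || { echo "build did not produce $dir/skipfish" >&2; return 1; }
  echo "$dir/skipfish"
}

# Usage: build_skipfish skipfish-1.25b.tgz
```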
Labels: consulting, english, hacking, linux, software, technology
Hi Barry,
I would normally drop you a mail, but could not find any contact information on the web.
I am the author of skipfish. First of all, thanks for the review. Secondly, I was wondering if you would be willing to share the specifics of the false negatives you stumbled upon?
Getting actionable feedback from users is the only way for me to improve the tool, so your help would be greatly appreciated.
If you are willing to help out, please contact me at lcamtuf -at- gmail.com. Thanks!
Posted by Anonymous | 6:34 PM
I will ping you a note on email.
Barry.
Posted by barry | 8:22 PM