skipfish

A fully automated, active web application security reconnaissance tool. Key features:

  • High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.
  • Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
  • Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.

The post announing the tool:

http://googleonlinesecurity.blogspot.com/2010/03/meet-skipfish-our-automated-web.html

The project page at google code:

http://code.google.com/p/skipfish/

Skipfish documentation:

http://code.google.com/p/skipfish/wiki/SkipfishDoc

The tool is written by lcamtuf, who joined google a few years ago. 🙂

Tagged with: