Free app makes paid web scanners dead in the water

Google's SkipFish "blazingly fast"

Google’s upgraded version of its automated Web application scanner, SkipFish, has received glowing reviews from local security experts.

The free tool, designed by Google software engineer Michal Zalewski and launched late last week, scans for web application vulnerabilities.

Penetration testing firm HackLabs director Chris Gatford said the tool is “blazingly fast” and accurate.

The revamped SkipFish outperformed other free and commercial offerings in HackLabs' tests. Gatford said some full-featured web application scanners issue HTTP requests at a rate of only one or two per second.

“SkipFish fired more than 400 requests per second, that’s under less than ideal conditions, on a standard broadband connection and using its default settings,” Gatford said, adding that it did return some errors.

Security blogger and RedSpin consultant Jason Haddix said the application returned 600 requests per second over a 10Mbit/s connection, but reported some problems.

The same request rate means the tool can also be turned to malicious denial of service (DoS) attacks, and an aggressive scan can knock over a fragile site even when that is not the intent. Such an attack would need comparatively little computing power: by one estimate, roughly 20 servers running the tool could crash a small corporate site.
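Two practical checks follow from the request-rate figures above. This is an added example, not code from the article or from the skipfish project: the first helper builds a skipfish command line that caps the request rate (-l) and the per-host connection count (-m), flags taken from skipfish's own usage text and worth confirming with `skipfish -h` on your version; the second reads web-server access-log lines and reports the busiest single second, so an operator can see what rate a scan (or an attack) actually reached. The target URL, the default limits and the log lines are all constructed placeholders.

```shell
#!/bin/sh
# Added example: rate-limit a scan, and measure peak request rate from a log.

# Build a throttled skipfish invocation.
#   -l  max requests per second
#   -m  max simultaneous connections to one target IP
#   -o  output directory for the report
# Defaults (20 req/s, 5 connections) are arbitrary conservative values, not
# skipfish's own defaults; tune them to what the target can absorb.
throttled_skipfish_cmd() {
    target="$1"                 # e.g. http://staging.example.com/ (placeholder)
    max_rps="${2:-20}"
    per_host="${3:-5}"
    outdir="${4:-skipfish-out}"
    printf 'skipfish -l %s -m %s -o %s %s\n' \
        "$max_rps" "$per_host" "$outdir" "$target"
}

# Report the peak number of requests seen in any one second of an access log
# read from stdin. Assumes Apache/nginx common log format, where the 4th
# whitespace-separated field is "[dd/Mon/yyyy:HH:MM:SS". Prints "COUNT SECOND".
peak_rps() {
    awk '{
        ts = $4
        sub(/^\[/, "", ts)              # strip the leading "["
        n[ts]++
    } END {
        best = 0; when = ""
        for (t in n) if (n[t] > best) { best = n[t]; when = t }
        print best, when
    }'
}

# Constructed sample log: three requests in one second, one in the next.
SAMPLE_LOG='192.0.2.10 - - [08/Apr/2010:06:15:01 +1000] "GET / HTTP/1.1" 200 512
192.0.2.10 - - [08/Apr/2010:06:15:01 +1000] "GET /login HTTP/1.1" 200 1024
192.0.2.10 - - [08/Apr/2010:06:15:01 +1000] "GET /search?q=a HTTP/1.1" 200 2048
192.0.2.10 - - [08/Apr/2010:06:15:02 +1000] "GET /robots.txt HTTP/1.1" 404 162'

# Usage when run directly:
#   throttled_skipfish_cmd http://staging.example.com/
#   printf '%s\n' "$SAMPLE_LOG" | peak_rps
```

Run the second helper against a real access log from a scan window to compare the rate the target actually saw with the 400 to 600 requests per second quoted above; if the peak approaches what the server can serve, lower the -l value before the next run.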

Malicious users could also use the tool to find application vulnerabilities to exploit, but that capability is already available in many existing tools.

Gatford said SkipFish is a “smart move” by Google as it represents an attempt to improve online safety, a suggestion echoed by IBRS security analyst James Turner.

Zalewski has been quick to introduce fixes as testers report them. He fixed six flaws discovered by Gatford within hours of their publication on Twitter.

SkipFish is aimed at people who do not usually test web applications, but security experts say some knowledge or research is still needed to find fixes for the vulnerabilities it reports. Zalewski has reportedly planned to build remediation guidance into the tool, but has not yet done so.


Comments

1

Jason Haddix

Thu 08/04/2010 - 06:15

Hi Darren,

If you could link redspin.com and change my name to Jason Haddix that would be awesome.

We also have done two other skipfish articles for auto updating and installing:

http://www.redspin.com/blog/2010/04/07/keeping-current-with-skipfish/

http://www.redspin.com/blog/2010/03/19/installing-google-skipfish-on-ubuntudebian/

2

cmlh

Fri 16/04/2010 - 13:00

Darren,

It is recommended (by OWASP and others) that the availability (i.e. denial of service) be considered within the scope of executing a penetration(/webappsec) test of a web application.

There is no mention of http://code.google.com/p/ratproxy/ either and this complements the results of skipfish and was also released well before skipfish.

I can't locate the "flaws" (these may be false positives i.e. http://twitter.com/ChrisGatford/status/11021228119) or corresponding credit to Chris Gatford for reporting these at http://code.google.com/p/skipfish/issues/l or reference within @ChrisGatford twitter feed - can this be clarified considering false positives are meant to be confirmed by manual testing?

3

cmlh

Tue 03/08/2010 - 17:24

@darrenpauli

@ChrisGatford is yet to address my question - can you please chase this up with him?

In reply to http://twitter.com/darrenpauli/status/20200528586

Yes, it is fast but that selling point is determining the availability of the web server/application (DOS) only when compared to executing a webappsec scanner overnight and reviewing the results the next morning i.e. the speed doesn't really matter in the end - coverage does.

skipfish has a few issues which are highlighted in http://www.slideshare.net/cmlh/skipfish but then again so do particular commercial products.
