Google has released a free web security scanner called Skipfish late last week. According to the collaborative page maintained by Google, Skipfish “is an active web application security reconnaissance tool.” It is designed to operate within a range of web applications and is designed to reduce false-positives and work quickly without slowing down operations.
Skipfish is designed by Google to be quick, easy to use and register a low rate of false positives. “It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments,” according to Google.
The release of Skipfish is designed to address some of the common problems with other security scanning tools. However, the product is not necessarily a replacement for other security scanners as the product doesn’t meet the requirements of in WASC Web Application Security Scanner Evaluation Criteria and it does not include a large database with known vulnerabilities.
Skipfish is capable of identifying 58 different issues during scanning. According to the about page on Google, “the scanner is simply not designed for dealing with rogue and misbehaving HTTP servers – and offers no guarantees of safe (or sane) behavior there.”