Meet skipfish, our automated web security scanner

Friday, March 19, 2010 10:49 AM

The safety of the Internet is of paramount importance to Google, and helping web developers build secure, reliable web applications is an important part of the equation. To advance this goal, we have released projects such as ratproxy, a passive security assessment tool; and Browser Security Handbook, a comprehensive guide for web developers. We also worked with the community to improve the security of third-party browsers.

Today, we are happy to announce the availability of skipfish - our free, open source, fully automated, active web application security reconnaissance tool. We think this project is interesting for a few reasons:
  • High speed: written in pure C, with highly optimized HTTP handling and a minimal CPU footprint, the tool easily achieves 2000 requests per second with responsive targets.

  • Ease of use: the tool features heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.

  • Cutting-edge security logic: we incorporated high quality, low false positive, differential security checks capable of spotting a range of subtle flaws, including blind injection vectors.
As with ratproxy, we feel that skipfish will be a valuable contribution to the information security community, making security assessments significantly more accessible and easier to execute.

To download the scanner, please visit this page; detailed project documentation is available here.
The comments you read here belong only to the person who posted them. We do, however, reserve the right to remove off-topic comments.


briandano said...

This is cool and all but Google, you really need to figure out how to protect against social engineering attacks.

Mark R said...

Keep them coming. Great to see some new tools for us to use.

Lonny said...

Your "Browser Security Handbook" is NOT a "handbook", or any kind of book at all. It is a wiki! There is a pretty damned big difference.

I understand the utility of a wiki, but don't call things what they are not.

Justin Freid said...

The tool runs beautifully.

oneec98032a79b6 said...

why there's no code in svn?

oneec98032a79b6 said...

any plans to support NSS besides/instead of OpenSSL?

any plans to support windows? i've tried hard to compile it with msvc, mingw and cygwin. all failed. cygwin at least compiles, but fails to link. msvc support would be very nice.

oneec98032a79b6 said...

um never mind the question about windows support, i got it compile under cygwin, i just had to use the cygwin builds of libidn, openssl and zlib.

berkeviktor said...

hi, i've setted up a page for my windows builds of skipfish:


Shane said...

Nice work again Google. Very cool.

@Lonny Man, you've really got to learn to chill out. Google have written a handbook in Wiki form, but it's still a handbook. ;)

itsbobby said...

Running the tool now, my local server doesn't seem to be able to respond to 2000 requests a second though! More like 4!

Lekha said...


Can someone here please tell me how to run skipfish on windows vista.

I have been told to do a research on this tool. But I dont understand what am supposed to do. People say we can do it with cgywin for windows user. But I have no idea wat to do with cgywin. Can someone please tell me how to get it run?

Please dont say open cgywin and type ./skipfish - H..... something like this.