Product Watch: Google Launches Free Web Application Scanning Tool

Google has developed a free, open-source Web application vulnerability scanning tool: The so-called Skipfish tool, written by renowned Web security researcher Michal Zalewski, who joined Google in 2007, is aimed at Web developers and security researchers.

Skipfish is written in C and handles 2,000 requests per second from "responsive targets," Google's Zalewski wrote in a blog post announcing Skipfish. The automated Web application security scanner also uses heuristics, he said.

Security experts say the tool is fast. It executed more than 2 million hits on Sucuri Security's server within a period of 10 minutes, says Sucuri Security founder David Dede, who tested the scanner. "It is very fast, especially to remotely scan a server to file all possible files or directories, Dede says.

Dede says the code is tight and optimized, and it conducts some "interesting" tests to look for SQL injection, cross-site scripting, and other types of Web vulnerabilities.

The trade-off, however, is that Skipfish is anything but subtle. Dede and other early testers of the tool say it's relatively "noisy" such that it wouldn't work in stealth mode. "We nicknamed it the '404 generator,'" Dede says. "If you are using it as a penetration tester, it will be easily discovered. If you are a developer looking for bugs in your application, that's not a big issue."

Google's Zalewski says the noisy "404" message function was intended: "One of the key features of the tool is the ability to discover sensitive files, such as backups or configs, that are unintentionally exposed as a part of the service. This is a common security problem," he says. "Our solution is to send a large number of blind probes for common file names based on special dictionaries, and most of these probes are expected to return 404 'file not found' errors. The behavior is similar to that of DirBuster, another open-source Web server testing tool."

HD Moore, creator of Metasploit and chief security officer for Rapid7, says Skipfish takes a different approach than other open-source security tools. "Most notably, the code base is written in C without a scripting language in sight. This provides a level of performance that is hard to match for Python, Perl, or Ruby-based scanning tools," says Moore, who also did some testing of the tool.

And Skipfish targets forms differently as well. "It uses a wicked-fast crawling engine along with dictionaries to dig just a little deeper than the alternatives. Its speed makes it feasible to run extensive tests on even large Websites," Moore says.

Moore says Skipfish does not generate a lot of "junk entries," instead highlighting only the important security issues that can be confirmed. "It's not perfect yet, but it's a great approach. Michal's stuff is always impressive in how out-of-the-box it tends to be," Moore says.

Skipfish can be downloaded here.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.