Christian Heinrich, profile picture
Uploaded byChristian Heinrich
KEY, PPTX4,421 views

skipfish

Skipfish is a fast web application security scanner developed by Michal Zalewski, which utilizes word lists for spidering and testing web applications. The document outlines its capabilities, installation instructions, usage commands, and performance tuning recommendations. Additionally, it discusses issues such as false positives and limitations within the tool.

Embed presentation

Download as KEY, PPTX
skipfish 10 November 2011 Ernst & Young, Sydney Australia Previously presented at: OWASP NL 30 June 2010
Overview Not an OWASP Project By Michal Zalewski Major contributions to webappsec with Google RatProxy; Browser Security Handbook; “Rise of the Robots” i.e. The inspiration for the OWASP “Google Hacking” Project
Overview Fast webappsec scanner which“spiders” using word lists Could be used to test www DOS
Overview Fast webappsec scanner which“spiders” using word lists Similar to Burp Scanner, etc Does not satisfy WASC Security Scanner Evaluation Criteria I don’t think lcamtuf intends too either :)
Overview 3.Fast webappsec scanner which“spiders” using word lists Similar to DirBuster maybe Nikto, etc “2007 entries resulting in about 42K HTTP Requests” Based on the recommended *minimal* Word List i.e. bigger wordlist = bigger number of HTTP Requests
Build/Install From Source Code Doesn’t build on OpenBSD (issue noted) Dependency on libidn Builds on backtrack
Release Cycle lcamtuf rapidly updates via minor releases i.e. RatProxy followed same development Insert http:// vis.cs.ucdavis.edu/ ~ogawa/codeswarm/
Build/Install http://www.shortinfosec.net/2010/03/compiling-latest-skipfish-for-windows.html Not mantained with each release i.e. v1.29b No mention of support on code.google.com i.e. Use at your own risk
Spidering ./skipfish -W /dev/null -LV ...
Word List keywords and extensions type hits total_age last_age keyword
Supplied Word Lists 1. Empty 2. extensions-only.wl Must be used in conjunction with ./skipfish -Y
Word List The following all contain 1.7K keywords:
Word List minimal.wl ~50,000 HTTP Requests medium.wl ~50,000 HTTP Requests x 2 complete.wl ~50,000 HTTP Requests x 3
Word List Insert sh script 1.Select wordlist from ./dictionaries/ 2.Copy as ../skipfish.wl *copy* .wl as skipfish may append skipfish.wl may depends on cmd line i.e. ./skipfish -V ...
Wordlist Custom Wordlist ./skipfish -W custom_wl ... Suppress Automatic Learning ./skipfish -L ... Suppress Amending Wordlist ./skipfish -V ...
Lightweight Brute Force ~1,700 HTTP Requests cp ./dictionaries/complete.wl dictionary.wl ./skipfish -W dictionary.wl -Y ...
Word List Limit Keyword Guess Size Jar ./skipfish -G ... Drop Old Dictionary Entries ./skipfish -R ... Don’t fuzz $keyword.$extension ./skipfish -Y ...
Basic Usage Output Directory ./skipfish -o output_dir URL ... Suppress Real-Time Statistics ./skipfish -u ...
Usage - Scheduling Percentage of links and directories ./skipfish -p percentage ... Repeat previous scan ./skipfish -q seed ...
Usage - Authentication HTTP Auth ./skipfish -A user:pass ... Cookie ./skipfish -C name=value ... Autocomplete Forms ./skipfish -T form_field=value ...
Usage - Cookie Cookie ./skipfish -C name=value ... Ignore new set-cookies from specific locations i.e. prevent URIs from being fetched, such as logout.aspx ./skipfish -X ... Ignore new set-cookies from all locations ./skipfish -N ...
Usage - HTTP Headers User Agent ./skipfish -b ffox or ie or phone... Custom HTTP Header ./skipfish -H Header ...
Usage - Scoping Spider from ./skipfish -I URI ... Parameters not to Fuzz, such as SessionID ./skipfish -K SessionID_parameter ... Include Domain ./skipfish -D FQDN... Exclude URI ./skipfish -S URI or -X URI ...
Usage - Scoping Limit crawl depth to number of sub directories/folders ./skipfish -d number ... Limit the number of child directories per parent ./skipfish -c number ... Limit Total HTTP Requests ./skipfish -r number ...
Usage - Scoping No parsing of Form ./skipfish -O ... No parsing of HTML ./skipfish -P ...
Usage - Low Impact Mixed TLS/SSLv3 and HTTP (i.e. Cleartext) ./skipfish -M ... Low severity i.e. images are out of scope Caching Directives of HTTP 1.0 vs 1.1 ./skipfish -E ... Information Leakage i.e. E-mail Addresses and URL ./skipfish -U ...
Usage - Reporting Suppress reporting of duplicates hosts ./skipfish -Q ... Suppress warning of “trusted” domains ./skipfish -B ... Purge binary content without affecting report quality ./skipfish -e ...
Delta Reporting sfscandiff non-destructively annotated by adding red background to all new or changed nodes; and blue background to all new or changed issues found
Issues Won’t detect common low risks, such as: cookie without HTTPonly or secure flags autocomplete enabled Forms
Issues (Credit ‘FX’) High Number of False Positives ASCII txt interpreted as JSON reply with XSSI Deviation between charset and MIME type Note ./skipfish -J ... No wordlist generation based on robots.txt
Issues (Credit ‘FX’) Resolved Does not write output while the tool is executing Total Size of HTTP Request vs File System Image
Issues Does not support intercepting web proxy No supporting log entires that skipfish was used Use wireshark instead i.e. TCP/80 and TCP/443
Benefits (Credit ‘FX’) Will display the source of CGI script Can detect IPS HTTP 500 for ASP.NET HttpRequestValidationException
Performance Tuning Number of connections to all hosts ./skipfish -g ... Recommended to be < 50 Per IP ./skipfish -m number ... 2 - 4 localhost 4 - 8 local network 10 - 20 external 30 - 50 hosts which lag or slow connections
Performance Tuning I/O Timeout ./skipfish -w number ... Total Request Timeout ./skipfish -t number ... Number of HTTP Errors before Terminating ./skipfish -f number ... Truncate HTTP Response ./skipfish -s number ...
Q&A Thanks Wouter - Ernst & Young Latest slides available from http://slideshare.net/cmlh http://github.com/cmlh/skipfish http://cmlh.id.au/contact

More Related Content

DOC
Online library managment thesis by bilal khattak
byBilal Khattak
 
DOCX
Attendance Management System project.doc.docx
byKamal Acharya
 
PDF
Ceph with CloudStack
byShapeBlue
 
PPTX
E-Examination
byAurobindo Nayak
 
PPTX
C2 Matrix A Comparison of Command and Control Frameworks
byJorge Orchilles
 
PPTX
Firewall, Router and Switch Configuration Review
byChristine MacDonald
 
DOCX
Hostel Management system Report
byPrasoon Rawat
 
PDF
Security Development Lifecycle Tools
byn|u - The Open Security Community
 
Online library managment thesis by bilal khattak
byBilal Khattak
 
Attendance Management System project.doc.docx
byKamal Acharya
 
Ceph with CloudStack
byShapeBlue
 
E-Examination
byAurobindo Nayak
 
C2 Matrix A Comparison of Command and Control Frameworks
byJorge Orchilles
 
Firewall, Router and Switch Configuration Review
byChristine MacDonald
 
Hostel Management system Report
byPrasoon Rawat
 
Security Development Lifecycle Tools
byn|u - The Open Security Community
 

What's hot

PDF
Attacking Oracle with the Metasploit Framework
byChris Gates
 
PDF
Derbycon - The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
PPTX
NETWORK PENETRATION TESTING
byEr Vivek Rana
 
PPTX
Software theft
bychrispaul8676
 
PDF
Container Network Interface: Network Plugins for Kubernetes and beyond
byKubeAcademy
 
PPTX
Bloom's Taxonomy
bySALINI S
 
PPTX
Vapt pci dss methodology ppt v1.0
byNetwork Intelligence India
 
PPTX
The Design of Learning Environments
byMinh Nguyen
 
PDF
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
DOCX
Software requirements specification
byKrishnasai Gudavalli
 
PPTX
Akamai waf
byAysegul Ekinci
 
PPTX
Shallow parser for hindi language with an input from a transliterator
byShashank Shisodia
 
PDF
An Introduction to Rancher
byConner Swann
 
PDF
The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
PPTX
Building your Car Hacking Labs & Car Hacking Community from Scratch
byJay Turla
 
PPTX
Exploratory testing
bySpoorthi Sham
 
DOCX
College Stationery Management System
byTushar Soni
 
DOCX
Configuration dns sous linux
byBalamine Gassama
 
PDF
Banking Management System SRS
byMadhur Jatiya
 
PPTX
OpenVAS: Vulnerability Assessment Scanner
byChandrak Trivedi
 
Attacking Oracle with the Metasploit Framework
byChris Gates
 
Derbycon - The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
NETWORK PENETRATION TESTING
byEr Vivek Rana
 
Software theft
bychrispaul8676
 
Container Network Interface: Network Plugins for Kubernetes and beyond
byKubeAcademy
 
Bloom's Taxonomy
bySALINI S
 
Vapt pci dss methodology ppt v1.0
byNetwork Intelligence India
 
The Design of Learning Environments
byMinh Nguyen
 
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
Software requirements specification
byKrishnasai Gudavalli
 
Akamai waf
byAysegul Ekinci
 
Shallow parser for hindi language with an input from a transliterator
byShashank Shisodia
 
An Introduction to Rancher
byConner Swann
 
The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
Building your Car Hacking Labs & Car Hacking Community from Scratch
byJay Turla
 
Exploratory testing
bySpoorthi Sham
 
College Stationery Management System
byTushar Soni
 
Configuration dns sous linux
byBalamine Gassama
 
Banking Management System SRS
byMadhur Jatiya
 
OpenVAS: Vulnerability Assessment Scanner
byChandrak Trivedi
 

Viewers also liked

KEY
ssh
byChristian Heinrich
 
KEY
tit
byChristian Heinrich
 
PPTX
Maltego Breach
byChristian Heinrich
 
PDF
TERMS THAT WOULD MAKE KINK LOOK INNOCENT
byKakajan Haytlyyev
 
PPTX
Cómo hablar de sexualidad con los adolescentes
byAlejandro Pooley
 
PPTX
Aberraciones sexuales
bydaniguzman
 
PPS
Sin City
byNico Musella
 
PPTX
BDSM
bySarah Borntrager
 
PPT
Amatorski as a 'music career' example?
byhilkeros
 
PDF
從u-boot 移植 NDS32 談 嵌入式系統開放原始碼開發的 一些經驗
byMacpaul Lin
 
PDF
Sobre la pornografía y el cine - Manuel Bláuab
byManuel Sierra Alonso
 
PDF
La Pornografía se Parece Al Fin Del Mundo - Art. Chris Hedges - Truthdig Feb...
byOscar Ayala A. International Consulting Services
 
PDF
부천오피, 목동오피,안양오피@(다솜넷)수원오피
bydasom013
 
PPT
Bdsm intro PART II/2/B
byCree Stetler
 
PPT
Bdsm intro
byCree Stetler
 
PPT
SpeakerText Pres
byMegan McCusker
 
PDF
Cuadernos BDSM 1
byLuis. A. Quintero. F
 
PDF
Magazines download. magazines online. pdf magazines
byDownmagaz
 
ssh
byChristian Heinrich
 
tit
byChristian Heinrich
 
Maltego Breach
byChristian Heinrich
 
TERMS THAT WOULD MAKE KINK LOOK INNOCENT
byKakajan Haytlyyev
 
Cómo hablar de sexualidad con los adolescentes
byAlejandro Pooley
 
Aberraciones sexuales
bydaniguzman
 
Sin City
byNico Musella
 
BDSM
bySarah Borntrager
 
Amatorski as a 'music career' example?
byhilkeros
 
從u-boot 移植 NDS32 談 嵌入式系統開放原始碼開發的 一些經驗
byMacpaul Lin
 
Sobre la pornografía y el cine - Manuel Bláuab
byManuel Sierra Alonso
 
La Pornografía se Parece Al Fin Del Mundo - Art. Chris Hedges - Truthdig Feb...
byOscar Ayala A. International Consulting Services
 
부천오피, 목동오피,안양오피@(다솜넷)수원오피
bydasom013
 
Bdsm intro PART II/2/B
byCree Stetler
 
Bdsm intro
byCree Stetler
 
SpeakerText Pres
byMegan McCusker
 
Cuadernos BDSM 1
byLuis. A. Quintero. F
 
Magazines download. magazines online. pdf magazines
byDownmagaz
 

Similar to skipfish

PDF
Porque VIM?
byAugusto Pascutti
 
DOCX
Unix commands
byDivya_Gupta19
 
PPTX
Introduction to Penetration Testing
byAndrew McNicol
 
PPT
Integris Security - Hacking With Glue ℠
byIntegris Security LLC
 
PDF
Linux cheat-sheet
byCraig Cannon
 
PDF
Linux Commandos Cheat
byAlvaro Gomes
 
PDF
Linux cheat-sheet
byZeeshan Rizvi
 
PDF
Intrusion Techniques
byFestival Software Livre
 
PPTX
Linux tech talk
byPrince Raj
 
PDF
Great Tools Heavily Used In Japan, You Don't Know.
byJunichi Ishida
 
PDF
Workshop on command line tools - day 1
byLeandro Lima
 
PPTX
Enumeration
byfsciallo
 
PDF
Linux commands cheat sheet by linoxide.com
byStavros Skamagkis
 
DOCX
List command linux a z
byJinyuan Loh
 
PPTX
OTG-Recon
bySedthakit Prasanphanich
 
PPT
Power point on linux commands,appache,php,mysql,html,css,web 2.0
byvenkatakrishnan k
 
PPT
Linux presentation
byAjaigururaj R
 
PDF
Teaching Your WAF New Tricks
byRobert Rowley
 
PDF
KALI-LINUX-COMMANDS.pdf.................
bysalmannawaz6566504
 
PDF
Hollywood mode off: security testing at scale
byClaudio Criscione
 
Porque VIM?
byAugusto Pascutti
 
Unix commands
byDivya_Gupta19
 
Introduction to Penetration Testing
byAndrew McNicol
 
Integris Security - Hacking With Glue ℠
byIntegris Security LLC
 
Linux cheat-sheet
byCraig Cannon
 
Linux Commandos Cheat
byAlvaro Gomes
 
Linux cheat-sheet
byZeeshan Rizvi
 
Intrusion Techniques
byFestival Software Livre
 
Linux tech talk
byPrince Raj
 
Great Tools Heavily Used In Japan, You Don't Know.
byJunichi Ishida
 
Workshop on command line tools - day 1
byLeandro Lima
 
Enumeration
byfsciallo
 
Linux commands cheat sheet by linoxide.com
byStavros Skamagkis
 
List command linux a z
byJinyuan Loh
 
OTG-Recon
bySedthakit Prasanphanich
 
Power point on linux commands,appache,php,mysql,html,css,web 2.0
byvenkatakrishnan k
 
Linux presentation
byAjaigururaj R
 
Teaching Your WAF New Tricks
byRobert Rowley
 
KALI-LINUX-COMMANDS.pdf.................
bysalmannawaz6566504
 
Hollywood mode off: security testing at scale
byClaudio Criscione
 

More from Christian Heinrich

PPTX
Maltego "Have I been pwned?"
byChristian Heinrich
 
PPT
CVSS
byChristian Heinrich
 
PDF
BSAMMBO
byChristian Heinrich
 
PPT
BSIMM
byChristian Heinrich
 
PPT
OWASP Top Ten
byChristian Heinrich
 
KEY
PA-DSS
byChristian Heinrich
 
PPT
Download Indexed Cache
byChristian Heinrich
 
Maltego "Have I been pwned?"
byChristian Heinrich
 
CVSS
byChristian Heinrich
 
BSAMMBO
byChristian Heinrich
 
BSIMM
byChristian Heinrich
 
OWASP Top Ten
byChristian Heinrich
 
PA-DSS
byChristian Heinrich
 
Download Indexed Cache
byChristian Heinrich
 

Recently uploaded

PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
Reality Drift: Why Systems Keep Working After Meaning Drops Out
byReality Drift Archive | A. Jacobs
 
PDF
Bringing AI into R&D, Taking a Human-Centric Approach / Haim Yadid
byHaim Yadid
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PDF
AI in the Real World: From University to Industry
byDarvan Shvan
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Reality Drift: Why Systems Keep Working After Meaning Drops Out
byReality Drift Archive | A. Jacobs
 
Bringing AI into R&D, Taking a Human-Centric Approach / Haim Yadid
byHaim Yadid
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
AI in the Real World: From University to Industry
byDarvan Shvan
 

skipfish

  • 1.
    skipfish 10 November 2011 Ernst& Young, Sydney Australia Previously presented at: OWASP NL 30 June 2010
  • 2.
    Overview Not an OWASPProject By Michal Zalewski Major contributions to webappsec with Google RatProxy; Browser Security Handbook; “Rise of the Robots” i.e. The inspiration for the OWASP “Google Hacking” Project
  • 3.
    Overview Fast webappsec scannerwhich“spiders” using word lists Could be used to test www DOS
  • 4.
    Overview Fast webappsec scannerwhich“spiders” using word lists Similar to Burp Scanner, etc Does not satisfy WASC Security Scanner Evaluation Criteria I don’t think lcamtuf intends too either :)
  • 5.
    Overview 3.Fast webappsec scannerwhich“spiders” using word lists Similar to DirBuster maybe Nikto, etc “2007 entries resulting in about 42K HTTP Requests” Based on the recommended *minimal* Word List i.e. bigger wordlist = bigger number of HTTP Requests
  • 6.
    Build/Install From Source Code Doesn’t build on OpenBSD (issue noted) Dependency on libidn Builds on backtrack
  • 7.
    Release Cycle lcamtuf rapidlyupdates via minor releases i.e. RatProxy followed same development Insert http:// vis.cs.ucdavis.edu/ ~ogawa/codeswarm/
  • 8.
    Build/Install http://www.shortinfosec.net/2010/03/compiling-latest-skipfish-for-windows.html Not mantained with each release i.e. v1.29b No mention of support on code.google.com i.e. Use at your own risk
  • 9.
  • 10.
    Word List keywords andextensions type hits total_age last_age keyword
  • 11.
    Supplied Word Lists 1.Empty 2. extensions-only.wl Must be used in conjunction with ./skipfish -Y
  • 12.
    Word List The followingall contain 1.7K keywords:
  • 13.
    Word List minimal.wl ~50,000 HTTPRequests medium.wl ~50,000 HTTP Requests x 2 complete.wl ~50,000 HTTP Requests x 3
  • 14.
    Word List Insert sh script 1.Select wordlist from ./dictionaries/ 2.Copy as ../skipfish.wl *copy* .wl as skipfish may append skipfish.wl may depends on cmd line i.e. ./skipfish -V ...
  • 15.
    Wordlist Custom Wordlist ./skipfish -W custom_wl ... Suppress Automatic Learning ./skipfish -L ... Suppress Amending Wordlist ./skipfish -V ...
  • 16.
    Lightweight Brute Force ~1,700HTTP Requests cp ./dictionaries/complete.wl dictionary.wl ./skipfish -W dictionary.wl -Y ...
  • 17.
    Word List Limit KeywordGuess Size Jar ./skipfish -G ... Drop Old Dictionary Entries ./skipfish -R ... Don’t fuzz $keyword.$extension ./skipfish -Y ...
  • 18.
    Basic Usage Output Directory ./skipfish -o output_dir URL ... Suppress Real-Time Statistics ./skipfish -u ...
  • 19.
    Usage - Scheduling Percentageof links and directories ./skipfish -p percentage ... Repeat previous scan ./skipfish -q seed ...
  • 20.
    Usage - Authentication HTTPAuth ./skipfish -A user:pass ... Cookie ./skipfish -C name=value ... Autocomplete Forms ./skipfish -T form_field=value ...
  • 21.
    Usage - Cookie Cookie ./skipfish -C name=value ... Ignore new set-cookies from specific locations i.e. prevent URIs from being fetched, such as logout.aspx ./skipfish -X ... Ignore new set-cookies from all locations ./skipfish -N ...
  • 22.
    Usage - HTTPHeaders User Agent ./skipfish -b ffox or ie or phone... Custom HTTP Header ./skipfish -H Header ...
  • 23.
    Usage - Scoping Spiderfrom ./skipfish -I URI ... Parameters not to Fuzz, such as SessionID ./skipfish -K SessionID_parameter ... Include Domain ./skipfish -D FQDN... Exclude URI ./skipfish -S URI or -X URI ...
  • 24.
    Usage - Scoping Limitcrawl depth to number of sub directories/folders ./skipfish -d number ... Limit the number of child directories per parent ./skipfish -c number ... Limit Total HTTP Requests ./skipfish -r number ...
  • 25.
    Usage - Scoping Noparsing of Form ./skipfish -O ... No parsing of HTML ./skipfish -P ...
  • 26.
    Usage - LowImpact Mixed TLS/SSLv3 and HTTP (i.e. Cleartext) ./skipfish -M ... Low severity i.e. images are out of scope Caching Directives of HTTP 1.0 vs 1.1 ./skipfish -E ... Information Leakage i.e. E-mail Addresses and URL ./skipfish -U ...
  • 27.
    Usage - Reporting Suppressreporting of duplicates hosts ./skipfish -Q ... Suppress warning of “trusted” domains ./skipfish -B ... Purge binary content without affecting report quality ./skipfish -e ...
  • 28.
    Delta Reporting sfscandiff non-destructively annotated by adding red background to all new or changed nodes; and blue background to all new or changed issues found
  • 29.
    Issues Won’t detect commonlow risks, such as: cookie without HTTPonly or secure flags autocomplete enabled Forms
  • 30.
    Issues (Credit ‘FX’) HighNumber of False Positives ASCII txt interpreted as JSON reply with XSSI Deviation between charset and MIME type Note ./skipfish -J ... No wordlist generation based on robots.txt
  • 31.
    Issues (Credit ‘FX’) Resolved Does not write output while the tool is executing Total Size of HTTP Request vs File System Image
  • 32.
    Issues Does not supportintercepting web proxy No supporting log entires that skipfish was used Use wireshark instead i.e. TCP/80 and TCP/443
  • 33.
    Benefits (Credit ‘FX’) Willdisplay the source of CGI script Can detect IPS HTTP 500 for ASP.NET HttpRequestValidationException
  • 34.
    Performance Tuning Number ofconnections to all hosts ./skipfish -g ... Recommended to be < 50 Per IP ./skipfish -m number ... 2 - 4 localhost 4 - 8 local network 10 - 20 external 30 - 50 hosts which lag or slow connections
  • 35.
    Performance Tuning I/O Timeout ./skipfish -w number ... Total Request Timeout ./skipfish -t number ... Number of HTTP Errors before Terminating ./skipfish -f number ... Truncate HTTP Response ./skipfish -s number ...
  • 36.
    Q&A Thanks Wouter -Ernst & Young Latest slides available from http://slideshare.net/cmlh http://github.com/cmlh/skipfish http://cmlh.id.au/contact

Editor's Notes

  • #2 \n
  • #3  http://lcamtuf.coredump.cx/\nhttp://lcamtuf.blogspot.com/\n\nhttp://twitter.com/lcamtuf\n\nEmployed by Google\nImage Attribution http://www.knackery.net/hackers.php and http://lcamtuf.coredump.cx\n
  • #4 webappsec scanner e.g. Burp Scanner, IBM Rational AppScan, etc\nspider e.g. DirBuster, Nikto, etc\n\n&amp;#x201C;2007 entries (recommended by lcamtuf) resulting in about 42K HTTP Requests&amp;#x201D; quoted from Felix &amp;#x201C;FX&amp;#x201D; Linder article\n\nWASC applicable standard is Web Application Security Scanner Evaluation Criteria - quoted from lcamtuf documentation.\n\n
  • #5 webappsec scanner e.g. Burp Scanner, IBM Rational AppScan, etc\nspider e.g. DirBuster, Nikto, etc\n\n&amp;#x201C;2007 entries (recommended by lcamtuf) resulting in about 42K HTTP Requests&amp;#x201D; quoted from Felix &amp;#x201C;FX&amp;#x201D; Linder article\n\nWASC applicable standard is Web Application Security Scanner Evaluation Criteria - quoted from lcamtuf documentation.\n\n
  • #6 webappsec scanner e.g. Burp Scanner, IBM Rational AppScan, etc\nspider e.g. DirBuster, Nikto, etc\n\n&amp;#x201C;2007 entries (recommended by lcamtuf) resulting in about 42K HTTP Requests&amp;#x201D; quoted from Felix &amp;#x201C;FX&amp;#x201D; Linder article\n\nWASC applicable standard is Web Application Security Scanner Evaluation Criteria - quoted from lcamtuf documentation.\n\n
  • #7 RatProxy had a similar release cycle\n\nhttps://gist.github.com/1321223\n
  • #8 \n
  • #9 http://www.shortinfosec.net/2010/03/compiling-latest-skipfish-for-windows.html\n
  • #10 http://lcamtuf.blogspot.com/2010/11/understanding-and-using-skipfish.html\n
  • #11  extensions (a s extensions (a subset of keywords) ubset of keywords)\n
  • #12  -Y is &amp;#x201C;don&amp;#x2019;t fuzz $keyword.$extension&amp;#x201D;\n\n
  • #13 \n
  • #14 \n
  • #15 \n\n\n
  • #16 \n
  • #17 http://lcamtuf.blogspot.com/2010/11/understanding-and-using-skipfish.html\n
  • #18 \n
  • #19 \n\n
  • #20 \n\n
  • #21 -C is cookie, can you curl to determine cookie\n
  • #22 -C is cookie, can you curl to determine cookie\n\nhttp://lcamtuf.blogspot.com/2010/11/understanding-and-using-skipfish.html\n
  • #23 -H Custom HTTP Header\n\n
  • #24 -I i.e. capital &amp;#x201C;i&amp;#x201D;\n-S or -X i.e. Exclude locations\n\n\n
  • #25 -c Limits the number of child directories per parent - not clear in Google Code documentation\nNeed to read this -F Bypass the IP Address resolver - need to confirm that is the refer header or something else\n\n
  • #26 -c Limits the number of child directories per parent - not clear in Google Code documentation\n-F Bypass the IP Address resolver - need to confirm that is the refer header or something else\n\n
  • #27 \n
  • #28 -B suppress warning of trusted domains i.e. Cross Domain Content Inclusion\n-Q Suppress the reporting of duplicate nodes i.e. might miss something in report\n-p Used to perform a percentage of the scan (i.e. periodic scanning) supplement with -q\n-e http://lcamtuf.blogspot.com/2010/11/understanding-and-using-skipfish.html\n\n\n
  • #29 http://code.google.com/p/skipfish/wiki/SkipfishDoc\n
  • #30 These low risk are quoted from the documentation hosted on Google Code\n
  • #31 FX is Felix Lindner http://www.h-online.com/security/features/Testing-Google-s-Skipfish-1001315.html?view=print\n\n&amp;#x201C;some regular ASCII text files were interpreted as JSON responses without XSSI (Cross Site Script Inclusion) protection&amp;#x201D;\n\nskipfish -J was not mentioned by FX\n
  • #32 http://www.h-online.com/security/features/Testing-Google-s-Skipfish-1001315.html?view=print\n
  • #33 \n
  • #34 http://www.h-online.com/security/features/Testing-Google-s-Skipfish-1001315.html?view=print\n
  • #35 \n
  • #36 \n
  • #37 \n