Update Skipfish v-2.06b

Our Post Before : http://www.seclist.us/skipfish-v205.htmlSkipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Sample Screenshot

Change log Version 2.06b:
– Crawler update which gives more control over the injection test
scheduling. This comes with the –checks and –checks-toggle
flags to display and enable/disable checks.

– Pages where the response varies are no longer completely
discarded. Instead now we only disable tests that require stability
which increases scan coverage.

– Split the traversal and disclosure test to increase coverage:
traversal checks require stable pages, the disclosure checks can be
performed on all.

– Updated dictionaries and converted them to use the dictionary
optimisations we introduced in 2.03b

– Fixed offline report viewing (thanks to Sebastian Roschke)

– Added NULL byte file disclosure tests

– Added JSP inclusion error check to analyse.c

– Added XSS injection tests for cookies

– Directory listings are now reported as individual (info-type) issues

– Added warning in case the negotiated SSL cipher turns out to be a
weak one (leaving the cipher enumeration to network scanners)

– Added experimental -v flag which can be used to enable (limited)
runtime reporting. This output is written to stderr and should be
redirected to a file, unless you use the -u flag.

– The man page has been rewritten and now includes detailed descriptions
and examples.

– A whole bunch of small bug fixes

Key features::

High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.
Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.
The tool is believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.

Download : skipfish-2.06b.tgz (211 KB)
Find Other Version |
Read more in here : https://code.google.com/p/skipfish/