Update Skipfish v-2.10b : web application security scanner

Changelog Version 2.10b:
– Updated HTML tags and attributes that are checked for URL XSS
injections to also include a few HTML5 specific ones

– Updated test and description for semi-colon injection in HTML meta
refresh tags (this is IE6 specific)

– Relaxed HTML parsing a bit to allow spaces between HTML tag attributes
and their values (e.g. “foo =bar”).

– Major update of LFI tests by adding more dynamic tests (double
encoding, dynamic number of ../’s for web.xml). The total number of
tests for this vulnerability is now 40 per injection point.

– The RFI test is now a separate test and no longer requires special
compile options. The default RFI URL and its payload check are
still defined in src/config.h.

– Using the --flush-to-disk flag will cause requests and responses
to be flushed to disk, which reduces the memory footprint (especially
noticeable in large scans).

– Fixed a bug where in some conditions (e.g. a page looks similar to
another) links were not scraped from responses, which led to links
being missed (thanks to Anurag Chaurasia for reporting).

– Added configuration file support with the --config flag. In
config/example.conf you can find flags and examples.

– Several signature keyword enhancements have been made. The most
significant are the “header” keyword, which allows header matching,
and the “depend” keyword, which allows signature chaining.

– Fixed basic authentication, which was broken as of 2.08b. Cheers to
Michael Stevens for reporting.

– Fixed -k scheduling where 1:0:0 would count as a second instead of
an hour (and vice versa). Cheers to Claudio Criscione for reporting.

– Small fix to compile time warnings


Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
Key features:
  • High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.
  • Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
  • Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.
  • The tool is believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.

Download : skipfish-2.10b.tgz (229 KB)
Read more here: http://code.google.com/p/skipfish/
