Published on 2010-03-26
Skipfish is a brute force security scanner produced by Google as an incentive for web developers to become more security aware. The installation was actually a breeze[1]. Just download, unpack and make.
wget http://skipfish.googlecode.com/files/skipfish-1.26b.tgz
tar -xvzf skipfish-1.26b.tgz
cd skipfish && make
In order to run the program you must provide it with a word list which it will use as a base for URL brute-forcing. Since this is a first run, let's just pick something short and sweet, i.e. the minimal wordlist provided with the distribution.
ln -s dictionaries/minimal.wl skipfish.wl
The final step is to run it against a site which you are responsible for. For this exercise I use a Django-powered test site on my laptop, i.e. on localhost:8000.
mkdir output_dir
./skipfish -o output_dir http://localhost:8000/
Well, now that that’s running, it’s time to read up on the documentation, right? When it has completed its run you will get a nice summary in the directory you provided as output_dir!
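Since the scan should only ever hit a site you are responsible for, here is a small wrapper, added as an example and not part of the original post or of skipfish itself, that refuses to start unless the target URL points at the local machine and the wordlist link resolves. The function names and the loopback-only policy are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: scope guard around the skipfish invocation shown above.
# Function names are hypothetical; the policy (loopback targets only) is an assumption.

# Print the host part of a URL: strips scheme, path, userinfo and port.
url_host() {
    rest=${1#*://}           # drop "http://"
    rest=${rest%%[/?#]*}     # drop path, query, fragment
    rest=${rest##*@}         # drop userinfo: "localhost@example.com" is example.com
    case $rest in
        \[*\]*) rest=${rest#\[}; rest=${rest%%\]*} ;;   # bracketed IPv6 literal
        *)      rest=${rest%%:*} ;;                     # drop ":port"
    esac
    printf '%s\n' "$rest"
}

# Exact matches only, so "127.0.0.1.example.com" is rejected.
is_loopback_host() {
    case $1 in
        localhost|127.0.0.1|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the scan from the unpacked skipfish directory, or refuse with a reason.
scan_local() {
    target=$1
    out=${2:-output_dir}
    host=$(url_host "$target")
    if ! is_loopback_host "$host"; then
        echo "refusing: '$host' is not a loopback host" >&2
        return 2
    fi
    if [ ! -e skipfish.wl ]; then   # also false for a dangling symlink
        echo "skipfish.wl is missing or broken; link a dictionary first" >&2
        return 3
    fi
    mkdir -p "$out" && ./skipfish -o "$out" "$target"
}

# Only act when called with arguments, e.g. ./scan.sh http://localhost:8000/
if [ "$#" -gt 0 ]; then
    scan_local "$@"
fi
```
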
Happy Security Testing!
[1] At least using FreeBSD-8.0