Running skipfish

Published on 2010-03-26

Skipfish is a brute-force security scanner produced by Google as an incentive for web developers to become more security aware. The installation was actually a breeze [1]. Just download, unpack and make.

tar -xvzf skipfish-1.26b.tgz
cd skipfish && make

In order to run the program you must provide it with a word list, which it will use as a base for URL brute-forcing. Since this is a first run, let's just pick something short and sweet, i.e. the minimal wordlist provided with the distribution.

ln -s dictionaries/minimal.wl skipfish.wl

The final step is to run it against a site which you are responsible for. For this exercise I use a Django-powered test site on my laptop, i.e. on localhost:8000.

mkdir output_dir
./skipfish -o output_dir http://localhost:8000/

Well, now that that’s running, it’s time to read up on the documentation, right? When it has completed its run you will get a nice summary in the directory you provided as output_dir!

Happy Security Testing!

  1. At least using FreeBSD-8.0