Last Updated: 2010-03-21 00:05:56 UTC
by Scott Fendley (Version: 1)
Michal Zalewski (lcamtuf), a Polish security researcher and author of many tools and books, is at it again. On Friday, he released a fully automated, active web application security tool known as skipfish. This tool allows developers and security professionals to have a solid reconnaissance tool which scans at high speed tools, easy to use, and has a number of different security checks with limited false positives. In my particular environment, we are extremely budget poor (taking a 2nd budget cuts within under 6 months left in the fiscal is bad and I know others have it worse than we do). So having the possibility to increase my tool set without spending a lot of money sits very well with our administration. From my initial testing yesterday, it did detect a few issues within a sample website which had not been detected prior. So in my book, this is a great plus.
The tool is under the Apache 2.0 license and is located at http://code.google.com/p/skipfish/ . I see that today there has been a number of changes today to correct a number of issues since it was initially released yesterday. I expect that this tool will be much more stable within the next few days.
Scott Fendley ISC Handler