Is it safe to run Skipfish on a production server? I am using it on a production server for finding vulnerabilities. |
Anonymous |
Aug 14th 2013 5 years ago |
Probably not... Quoting Official Skipfish Documentation: "Keep in mind that all types of security testing can be disruptive. Although the scanner is designed not to carry out malicious attacks, it may accidentally interfere with the operations of the site. You must accept the risk, and plan accordingly. Run the scanner against test instances where feasible, and be prepared to deal with the consequences if things go wrong." |
Alex Stanford 136 Posts |
Aug 14th 2013 5 years ago |
In the SEC542 section on Skipfish, Kevin Johnson warned that Skipfish's main quality is speed. It runs insanely fast and can easily tip over the target. He also mentioned one of the main reasons for this: logging. It fires so many requests at the target in such a short amount of time that the server can crash just trying to log it all. And if you're forwarding those logs to a central logging server, you might take down two for the price of one, depending on how beefy your log server is. |
JeffSoh 31 Posts |
Aug 30th 2013 5 years ago |
It's possible that it can add, delete, and modify data, so never run it on a production instance. |
Anonymous - |
Apr 18th 2015 3 years ago |