Is it safe to run Skipfish on a production server?
Is it safe to run Skipfish on a production server? I am using it on a production server for finding vulnerabilities. Anonymous

Probably not...

Quoting the official Skipfish documentation:
"Keep in mind that all types of security testing can be disruptive. Although the scanner is designed not to carry out malicious attacks, it may accidentally interfere with the operations of the site. You must accept the risk, and plan accordingly. Run the scanner against test instances where feasible, and be prepared to deal with the consequences if things go wrong."

Ideally, you would set up an identical testing/development environment for this.
Alex Stanford

136 Posts
In the SEC542 section on Skipfish, Kevin Johnson warned that Skipfish's main quality is speed. It runs insanely fast and can easily tip over the target. He also mentioned that one of the main reasons for this is logging. It fires so many requests at the target in such a short amount of time that the server can crash just trying to log it all. And if you're forwarding those logs to a central logging server, you might take down two for the price of one, depending on how beefy your log server is. JeffSoh

31 Posts
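A defender-side illustration of the point above about request volume and log volume: the script below is an added example written for this page, not code from the thread or from Skipfish. It parses web-server access-log lines in the Apache/nginx "combined" format, counts requests per client per second, and reports any client that exceeds a threshold, along with the peak number of access-log bytes written in a single second (the load that was said to tip over a server and its log collector). The hosts, paths and log lines are constructed sample data, and the threshold of 10 requests per second is an assumed value.

```python
"""Spot scanner-like request bursts and the log volume they generate."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format; only the leading fields are needed.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return the fields the burst detector needs, or None for an unparsable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "client": m.group("client"),
        "second": ts.replace(microsecond=0),  # bucket key: one-second resolution
        "status": int(m.group("status")),
        "request": m.group("request"),
        "log_bytes": len(line.encode("utf-8")) + 1,  # bytes written to disk, incl. newline
    }


def find_bursts(lines, threshold):
    """Return (bursts, peak_log_bytes_per_second).

    bursts is a sorted list of (client, second_iso8601, request_count) for every
    client/second pair with at least `threshold` requests; lines that do not parse
    are skipped rather than aborting the run.
    """
    per_client_second = defaultdict(int)
    log_bytes_per_second = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_client_second[(rec["client"], rec["second"])] += 1
        log_bytes_per_second[rec["second"]] += rec["log_bytes"]
    bursts = sorted(
        (client, second.isoformat(), n)
        for (client, second), n in per_client_second.items()
        if n >= threshold
    )
    peak = max(log_bytes_per_second.values(), default=0)
    return bursts, peak


def _sample_line(client, second, path, status, size):
    # Constructed sample line in combined format; hosts and paths are made up.
    return (f'{client} - - [01/May/2024:10:15:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"')


# Constructed sample log: one client hammering a dozen paths inside a single
# second (scanner-like), one client browsing normally, and one malformed line.
SAMPLE_LOG = (
    [_sample_line("203.0.113.5", 3, f"/app/page{i}", 404 if i % 3 else 200, 512 + i)
     for i in range(12)]
    + [_sample_line("198.51.100.7", s, "/index.html", 200, 2048) for s in (1, 4, 9)]
    + ["garbage line that is not in combined format"]
)

if __name__ == "__main__":
    bursts, peak = find_bursts(SAMPLE_LOG, threshold=10)
    for client, second, n in bursts:
        print(f"{client} sent {n} requests during {second}")
    print(f"peak access-log volume: {peak} bytes written in one second")
```

Run against a real access log, the same per-second counts show how far a scan's request rate sits above normal traffic, and the per-second log byte figure is the number to compare against the disk and forwarding capacity of the log host before any scan is scheduled against a system that matters.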
It's possible that it can add, delete, and modify data, so never run it on a production instance. Anonymous
