Skipfish
Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out recursive crawl and dictionary-based probes. Skipfish is useful for quickly analyzing web applications for potential security flaws.
web-application
security-testing
reconnaissance
Skipfish: Interactive Web Application Security Reconnaissance Tool
Skipfish is an active web application security reconnaissance tool, preparing an interactive sitemap for targeted sites through recursive crawl and dictionary-based probes, aiding quick analysis of potential security flaws.
What is Skipfish?
Skipfish is an open source, active web application security reconnaissance tool. It was created by Michal Zalewski for Google as an automated security testing tool.
Here are some key features of Skipfish:
- It carries out recursive crawl and dictionary-based probes on web applications to prepare an interactive sitemap.
- It has over 3,400 built-in vulnerability signatures to test for flaws like SQL injection, XSS, RFI etc.
- It can inspect web applications for security vulnerabilities much faster compared to manual testing.
- The interactive sitemap presents a hierarchical view of the website content to the user to analyze potential vulnerabilities.
- HTML reports provide overview of identified vulnerabilities with supporting information to reproduce & confirm findings.
- Command line usage allows integration into automated security testing suite.
In summary, Skipfish is very useful for developers, system admins and security professionals to quickly analyze web applications for potential security flaws in the functionality or configuration. However, the tool should be used carefully on production websites to avoid affecting functionality or availability.
Skipfish Features
Features
- Crawls websites to create interactive sitemaps
- Performs automated security scanning for vulnerabilities
- Has dictionary-based probes for discovering hidden content
- Command line interface
- Exports results to HTML and XML reports
Pricing
- Open Source
Pros
Fast and comprehensive security scanning
Easy to use command line interface
Free and open source
Generates useful reports
Custom dictionaries can improve results
Cons
Prone to causing denial-of-service on target sites
May generate false positives
Limited configuration options
No official support or updates since 2011
Official Links
The Best Skipfish Alternatives
Top Security & Privacy and Vulnerability Scanner and other similar apps like Skipfish
Here are some alternatives to Skipfish:
Suggest an alternative ❐
Shodan
Shodan is a search engine for finding Internet-connected devices and services. Unlike traditional search engines that index the content of web pages, Shodan specifically targets hardware and software that is connected to the Internet, ranging from home routers and webcams to industrial control systems and SCADA devices.Some key features and...
Nessus
Nessus is a comprehensive vulnerability scanning software developed by Tenable. It is used to scan networks, operating systems, web applications, databases, and other systems for vulnerabilities that could be exploited by attackers.Some key features of Nessus include:Ability to perform high-speed discovery, mapping, and assessment of vulnerabilities across networks, endpoints, web...
Nmap
Nmap (Network Mapper) is an open source tool for network exploration and security auditing. It allows users to discover hosts and services on a network, port scan them, and detect potential vulnerabilities.Some key features of Nmap include:Host discovery - it can quickly scan large networks and detect which devices are...
Zenmap
Zenmap is a multi-platform graphical user interface for the Nmap network scanner. It was originally developed as part of the Nmap Security Scanner project to provide a friendly yet powerful interface for utilizing Nmap.Key features of Zenmap include:Interactive network topology visualization using Nmap resultsPoint-and-click GUI for quickly selecting scan targets,...
Acunetix
Acunetix is a comprehensive web application security testing tool used to detect vulnerabilities and security issues in web applications and services. It features an automated web vulnerability scanner that can crawl and test websites, APIs, and web services to identify SQL injection, cross-site scripting (XSS), misconfigurations, and other security flaws.Key...
OWASP Zed Attack Proxy (ZAP)
OWASP Zed Attack Proxy (ZAP) is an open-source web application security scanner used to find vulnerabilities in web applications. It provides automated and manual tools to scan APIs, access control weaknesses, injection flaws, cross-site scripting, insecure configuration issues, and more.Key features of ZAP include:Automated scanner detects vulnerabilities like SQL injection,...
Nikto
Nikto is an open source web server security scanner that enables security professionals to perform comprehensive tests against web servers to check for insecure server configurations and vulnerabilities. It is designed to be easy to use, while also providing useful information to security experts.Some key features and capabilities of Nikto...
FOFA
FOFA is a powerful cyber threat intelligence search engine developed by Bit4WOOD in China. It allows users to search for a wide range of internet assets including websites, IP addresses, domains, network infrastructure, open ports, certificates, and data leaks.Some key features of FOFA include:Comprehensive coverage of internet assets across the...
PaladinVPN
PaladinVPN is a virtual private network (VPN) service designed to provide online privacy and security. It uses advanced encryption protocols to create a secure tunnel for your internet traffic, protecting it from prying eyes and hiding your IP address from websites and third parties.When connected to PaladinVPN, your internet traffic...
Websecurify
Websecurify is a powerful website security and malware detection tool. It provides automated vulnerability scanning and malware detection for websites. Key features include:Automatic discovery and scanning of entire website assets including pages, scripts, images, etc.Detection of common vulnerabilities like SQL injection, XSS, weak passwords, etc.Detection of malware, viruses, trojans, backdoors,...
W3af
w3af is an open-source web application security scanner used by developers and security professionals to identify vulnerabilities in web applications. It features over 200 plugins that allow it to find all types of web app vulnerabilities including cross-site scripting (XSS), SQL injection, remote code execution (RCE), and more.Some key features...
Nexpose
Nexpose is a comprehensive vulnerability management and penetration testing software developed and maintained by Rapid7. It enables organizations to identify security weaknesses across their networks, systems, web applications, databases, and endpoints.Key features of Nexpose include:Asset discovery - Automatically discovers devices, ports, services, vulnerabilities, and misconfigurations on the network.Risk-based vulnerability management...
NETworkManager by BornToBeRoot
NETworkManager is an open-source network monitoring and management utility for Windows. It provides a graphical interface to view current network connections and activity, troubleshoot issues, and manage network adapter settings.Some of the key features of NETworkManager include:Real-time monitoring of all TCP and UDP connectionsLookup and display process names associated with...
Arachni
Arachni is an feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. It is smart, optimized, stable, and portable making it a reliable tool for web application security assessments.Some key features of Arachni include:High performance web crawling capable of analyzing hundreds...
Mageni
Mageni is an open-source low-code application development platform focused on empowering businesses to build their own internal web applications. It features a visual, drag-and-drop interface that enables staff with no prior coding experience to rapidly develop custom apps that automate workflows, manage data, and streamline business processes.Some key capabilities and...
Wapiti
Wapiti is an open-source web application vulnerability scanner that is designed to audit the security of web applications and web services. It works by crawling a target website and scanning for vulnerabilities such as XSS, SQL injection, file inclusion, command execution, CRLF injection, and more.Some key features of Wapiti include:Detects...
Purplepee.co
Purplepee.co is a website that provides AI-powered alternatives and substitutions for various software products. Users can enter the name of a piece of software they currently use, and purplepee.co will suggest free, open source, or paid alternatives that offer similar features and functionality.The website has an intuitive interface where users...
Yang
Yang is an open-source modeling language developed by the IETF for defining data models and APIs for network configuration and operations. It is commonly used in networking devices and software to model data structures and interfaces in a standardized way.Some key features of Yang include:Tree-based hierarchical data models for complex...
IronWASP
IronWASP is an open-source web application penetration testing tool written in Python. It is designed for testing the security of web applications by simulating real-world attacks.Some key features of IronWASP include:Automated detection of common security vulnerabilities like SQL injection, XSS, and moreExtensible architecture allowing for custom plugins and attack modulesBuilt-in...
