Skipfish

Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out recursive crawl and dictionary-based probes. Skipfish is useful for quickly analyzing web applications for potential security flaws.
web-application security-testing reconnaissance

Skipfish: Interactive Web Application Security Reconnaissance Tool

Skipfish is an active web application security reconnaissance tool, preparing an interactive sitemap for targeted sites through recursive crawl and dictionary-based probes, aiding quick analysis of potential security flaws.

What is Skipfish?

Skipfish is an open source, active web application security reconnaissance tool. It was created by Michal Zalewski for Google as an automated security testing tool.

Here are some key features of Skipfish:

  • It carries out recursive crawl and dictionary-based probes on web applications to prepare an interactive sitemap.
  • It has over 3,400 built-in vulnerability signatures to test for flaws like SQL injection, XSS, RFI etc.
  • It can inspect web applications for security vulnerabilities much faster compared to manual testing.
  • The interactive sitemap presents a hierarchical view of the website content to the user to analyze potential vulnerabilities.
  • HTML reports provide an overview of identified vulnerabilities with supporting information to reproduce and confirm findings.
  • Command line usage allows integration into an automated security testing suite.

In summary, Skipfish is very useful for developers, system admins and security professionals to quickly analyze web applications for potential security flaws in the functionality or configuration. However, the tool should be used carefully on production websites to avoid affecting functionality or availability.

Skipfish Features

Features

  1. Crawls websites to create interactive sitemaps
  2. Performs automated security scanning for vulnerabilities
  3. Has dictionary-based probes for discovering hidden content
  4. Command line interface
  5. Exports results to HTML and XML reports

Pricing

  • Open Source

Pros

  • Fast and comprehensive security scanning
  • Easy to use command line interface
  • Free and open source
  • Generates useful reports
  • Custom dictionaries can improve results

Cons

  • Prone to causing denial-of-service on target sites
  • May generate false positives
  • Limited configuration options
  • No official support or updates since 2011


The Best Skipfish Alternatives

Top Security & Privacy and Vulnerability Scanner and other similar apps like Skipfish


Shodan

Shodan is a search engine for finding Internet-connected devices and services. Unlike traditional search engines that index the content of web pages, Shodan specifically targets hardware and software that is connected to the Internet, ranging from home routers and webcams to industrial control systems and SCADA devices. Some key features and...

Nessus

Nessus is a comprehensive vulnerability scanning software developed by Tenable. It is used to scan networks, operating systems, web applications, databases, and other systems for vulnerabilities that could be exploited by attackers. Some key features of Nessus include: Ability to perform high-speed discovery, mapping, and assessment of vulnerabilities across networks, endpoints, web...

Nmap

Nmap (Network Mapper) is an open source tool for network exploration and security auditing. It allows users to discover hosts and services on a network, port scan them, and detect potential vulnerabilities. Some key features of Nmap include: Host discovery - it can quickly scan large networks and detect which devices are...

Zenmap

Zenmap is a multi-platform graphical user interface for the Nmap network scanner. It was originally developed as part of the Nmap Security Scanner project to provide a friendly yet powerful interface for utilizing Nmap. Key features of Zenmap include: Interactive network topology visualization using Nmap results; Point-and-click GUI for quickly selecting scan targets,...

Acunetix

Acunetix is a comprehensive web application security testing tool used to detect vulnerabilities and security issues in web applications and services. It features an automated web vulnerability scanner that can crawl and test websites, APIs, and web services to identify SQL injection, cross-site scripting (XSS), misconfigurations, and other security flaws. Key...

OWASP Zed Attack Proxy (ZAP)

OWASP Zed Attack Proxy (ZAP) is an open-source web application security scanner used to find vulnerabilities in web applications. It provides automated and manual tools to scan APIs, access control weaknesses, injection flaws, cross-site scripting, insecure configuration issues, and more. Key features of ZAP include: Automated scanner detects vulnerabilities like SQL injection,...

Nikto

Nikto is an open source web server security scanner that enables security professionals to perform comprehensive tests against web servers to check for insecure server configurations and vulnerabilities. It is designed to be easy to use, while also providing useful information to security experts. Some key features and capabilities of Nikto...

FOFA

FOFA is a powerful cyber threat intelligence search engine developed by Bit4WOOD in China. It allows users to search for a wide range of internet assets including websites, IP addresses, domains, network infrastructure, open ports, certificates, and data leaks. Some key features of FOFA include: Comprehensive coverage of internet assets across the...

PaladinVPN

PaladinVPN is a virtual private network (VPN) service designed to provide online privacy and security. It uses advanced encryption protocols to create a secure tunnel for your internet traffic, protecting it from prying eyes and hiding your IP address from websites and third parties. When connected to PaladinVPN, your internet traffic...

Websecurify

Websecurify is a powerful website security and malware detection tool. It provides automated vulnerability scanning and malware detection for websites. Key features include: Automatic discovery and scanning of entire website assets including pages, scripts, images, etc.; Detection of common vulnerabilities like SQL injection, XSS, weak passwords, etc.; Detection of malware, viruses, trojans, backdoors,...

W3af

w3af is an open-source web application security scanner used by developers and security professionals to identify vulnerabilities in web applications. It features over 200 plugins that allow it to find all types of web app vulnerabilities including cross-site scripting (XSS), SQL injection, remote code execution (RCE), and more. Some key features...

Nexpose

Nexpose is a comprehensive vulnerability management and penetration testing software developed and maintained by Rapid7. It enables organizations to identify security weaknesses across their networks, systems, web applications, databases, and endpoints. Key features of Nexpose include: Asset discovery - Automatically discovers devices, ports, services, vulnerabilities, and misconfigurations on the network. Risk-based vulnerability management...

NETworkManager by BornToBeRoot

NETworkManager is an open-source network monitoring and management utility for Windows. It provides a graphical interface to view current network connections and activity, troubleshoot issues, and manage network adapter settings. Some of the key features of NETworkManager include: Real-time monitoring of all TCP and UDP connections; Lookup and display process names associated with...

Arachni

Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. It is smart, optimized, stable, and portable, making it a reliable tool for web application security assessments. Some key features of Arachni include: High performance web crawling capable of analyzing hundreds...

Mageni

Mageni is an open-source low-code application development platform focused on empowering businesses to build their own internal web applications. It features a visual, drag-and-drop interface that enables staff with no prior coding experience to rapidly develop custom apps that automate workflows, manage data, and streamline business processes. Some key capabilities and...

Wapiti

Wapiti is an open-source web application vulnerability scanner that is designed to audit the security of web applications and web services. It works by crawling a target website and scanning for vulnerabilities such as XSS, SQL injection, file inclusion, command execution, CRLF injection, and more. Some key features of Wapiti include: Detects...

Purplepee.co

Purplepee.co is a website that provides AI-powered alternatives and substitutions for various software products. Users can enter the name of a piece of software they currently use, and purplepee.co will suggest free, open source, or paid alternatives that offer similar features and functionality. The website has an intuitive interface where users...

Yang

Yang is an open-source modeling language developed by the IETF for defining data models and APIs for network configuration and operations. It is commonly used in networking devices and software to model data structures and interfaces in a standardized way. Some key features of Yang include: Tree-based hierarchical data models for complex...

IronWASP

IronWASP is an open-source web application penetration testing tool written in Python. It is designed for testing the security of web applications by simulating real-world attacks. Some key features of IronWASP include: Automated detection of common security vulnerabilities like SQL injection, XSS, and more; Extensible architecture allowing for custom plugins and attack modules; Built-in...