Fully Automated Web Application Security Scanner - Skipfish

Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes.

The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Key features :-

• High speed : pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.
• Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
• Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.

You need to customize your HTTP requests when scanning big sites.

For scanning Wildcard domains

Lets Start with Fully Automated Web Application Security Scanner

• -H :- To insert any additional, non-standard headers.
• -F :- To define a custom mapping between a host and an IP.
• -d :- Limits crawl depth to a specified number of subdirectories.
• -c :- Limits the number of children per directory.
• -x :- Limits the total number of descendants per crawl tree branch.
• -r :- Limits the total number of requests to send in a scan.

Skipfish also provides the summary overviews of document types and issue types found, and an interactive sitemap, with nodes discovered through brute-force, denoted in a distinctive way.

Step 1 :-You need to download skipfish tool by executing this command in terminal window of kali linux.

git clone https://github.com/spinkham/skipfish.git

Step 2 :- Now you can run this tool easily, that give this command Skipfish -h and press enter button.

Step 3 :-Then Enter your Target Website. To scan the target and to write the output in the directory.

Here I have used "www.techtrick.in" for demo purpose.

skipfish -o /root/Desktop/TechTrick1 http://www.techtrick.in

Step 4 :-It will go on scanning through every request, external/Internal links and statistics.

Step 5 :-Once the scan completed it will create a professional web application security assessments.

Step 6 :- Output consist of various sections such as document type and Issue type overview.

Step 7 :-Here is your output report of Web Application Security Scanner.

Thank you for reading this article. Do let me know for any queries in comment section below.