Friday, July 8, 2011

Getting started with skipfish.

Well, this is another great vulnerability scanner for webapps; I really like it so far and thought it was well worth a post. To start off, download skipfish from here. It has a great interface and outputs the results to an HTML file.

To find out more about the tool and the huge number of probes it performs, read their documentation here.

Now, assuming you've downloaded the package from the link above, we need to untar it and compile it with the make command.

~$ tar -xvzf skipfish-2.02b.tgz
~$ cd ./skipfish-2.02b
~/skipfish-2.02b $ make

Now it should have compiled, but if you get an error along the lines of this:

make: cc: Command not found
make: *** [skipfish] Error 127

then you need to install GCC. You will also need libidn installed, since the skipfish build links against it.

Now, assuming we have it all compiled and ready to go, you should have a file called "skipfish" in the current directory. You will have to either specify the wordlist you'd like skipfish to use or copy one from the dictionaries directory into the directory that contains skipfish.

I'll be specifying one of the dictionaries that come with this tool.

Let's assume we're auditing this blog; we would issue the following command.

~/skipfish-2.02b $ ./skipfish -W dictionaries/complete.wl -o outputdir http://www.hakhub.tk

That'll get skipfish scanning; you can watch the progress in the terminal, and the results will be stored in the "outputdir" you specified, so you can view them in your browser of choice.

~/skipfish-2.02b $ cd ./outputdir
~/skipfish-2.02b/outputdir $ firefox index.html

From there, you can analyze the results and perform your audit or fix your code.
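As an added example (not from the original post), here is a small POSIX sh wrapper around the procedure above that adds the two checks a practitioner wants before running a scanner: that the build prerequisites named above (a C compiler and libidn) are present, and that the target host is on an explicit in-scope list, so the scan cannot be pointed at a site you are not authorized to audit. It assumes skipfish-2.02b is unpacked and built in the current directory and uses only the -W and -o flags shown above; the SCOPE list is a constructed example.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes we are in the
# skipfish-2.02b directory and that ./skipfish has been built with make.

# Hosts this scanner is authorized to touch (constructed example list).
SCOPE="www.hakhub.tk"

# Return 0 if the build prerequisites mentioned in the post are present
# (a C compiler on PATH and the libidn headers), 1 otherwise.
check_build_deps() {
    command -v cc >/dev/null 2>&1 || { echo "cc not found: install GCC" >&2; return 1; }
    # libidn ships idna.h; look in the usual include directories.
    for d in /usr/include /usr/local/include; do
        [ -f "$d/idna.h" ] && return 0
    done
    echo "libidn headers not found: install libidn (dev package)" >&2
    return 1
}

# Print the host part of a URL: strip the scheme, then the path, then the port.
url_host() {
    h=${1#*://}
    h=${h%%/*}
    h=${h%%:*}
    printf '%s\n' "$h"
}

# Return 0 only when the URL's host matches an entry in SCOPE exactly.
in_scope() {
    host=$(url_host "$1")
    for s in $SCOPE; do
        [ "$host" = "$s" ] && return 0
    done
    return 1
}

# Run the scan from the post against one in-scope URL ($1), writing the
# report to $2/index.html. Refuses out-of-scope targets with status 2.
run_scan() {
    url=$1; out=$2
    in_scope "$url" || { echo "refusing out-of-scope target: $url" >&2; return 2; }
    ./skipfish -W dictionaries/complete.wl -o "$out" "$url" || return 1
    [ -f "$out/index.html" ] || { echo "no report produced in $out" >&2; return 1; }
    echo "report: $out/index.html"
}
```

Call `check_build_deps` before `make`, and `run_scan http://www.hakhub.tk outputdir` in place of the bare skipfish command; the report path it prints is the file to open in the browser.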
