Sunday, March 21, 2010

Skipfish

Today I had a chance to play with skipfish, which is a web vulnerability scanner. On my machine running OSX 10.5 there were a couple of things I needed to do to get it running: install libidn using MacPorts, modify the Makefile, copy the dictionary and then make everything:
sudo port install libidn
cp dictionaries/default.wl skipfish.wl
make
I got an error during make, "report.c:744: warning: passing argument 3 of ‘scandir’ from incompatible pointer type", which I fixed by editing the Makefile and changing the line:
CFLAGS_GEN = -Wall -funsigned-char -g -ggdb -D_FORTIFY_SOURCE=0
change to:
CFLAGS_GEN = -Wall -funsigned-char -g -ggdb -D_FORTIFY_SOURCE=0 -I/opt/local/include -L/opt/local/lib
After running make again, skipfish compiled and worked.
I needed form-based authentication for my scan, which has been tricky with other web scanners I have tried; skipfish made it easy with a novel approach. Once you have logged into the site you are testing with a web browser, find your session cookie and pass it to skipfish with the "-C" switch. For example:
./skipfish -C JSESSIONID=MYSESSIONID1234 -X /logout.jsp -o /tmp/outputDir http://localhost:8080
This scans localhost using the existing session identified by MYSESSIONID1234 and ignores any link containing logout.jsp (so as not to destroy the session). The HTML report is written to the /tmp/outputDir folder.
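To make the "don't destroy the session" point concrete, here is a small added example (my own toy model, not skipfish's code): a constructed five-page application with a session store, and a breadth-first crawler that behaves like the -C switch (send a fixed Cookie header on every request) and the -X switch (skip any URL whose path contains the given substring). The site layout, the MockApp class and the crawl function are all made up for the example; only the JSESSIONID cookie and the /logout.jsp path come from the command above. Run it both ways and you can see the crawler log itself out halfway through when the logout link is not excluded, so the remaining authenticated pages come back as redirects instead of being scanned.

```python
# Added example (not skipfish's own code): a toy model of what the -C and
# -X switches do during a cookie-authenticated crawl, and why excluding the
# logout link matters. The site, the session store and the crawler are all
# constructed here; only the cookie and /logout.jsp come from the post.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Constructed sample application: path -> (requires_login, links, ends_session)
SITE: Dict[str, Tuple[bool, List[str], bool]] = {
    "/": (False, ["/account", "/logout.jsp", "/help"], False),
    "/account": (True, ["/account/settings", "/logout.jsp"], False),
    "/account/settings": (True, [], False),
    "/logout.jsp": (False, ["/"], True),
    "/help": (False, ["/"], False),
}


@dataclass
class MockApp:
    """Server model: pages from SITE plus a store of currently valid session ids."""
    sessions: Set[str] = field(default_factory=lambda: {"MYSESSIONID1234"})

    def get(self, path: str, cookies: Dict[str, str]) -> Tuple[int, List[str]]:
        """Return (status, outgoing links). Visiting the logout page invalidates
        the presented session, which is exactly the side effect -X avoids."""
        sid = cookies.get("JSESSIONID")
        requires_login, links, ends_session = SITE.get(path, (False, [], False))
        if ends_session and sid in self.sessions:
            self.sessions.discard(sid)
        if requires_login and sid not in self.sessions:
            return 302, []  # redirected to the login form: page not really scanned
        return 200, links


def crawl(app: MockApp, start: str, cookie: str,
          exclude: Tuple[str, ...] = ()) -> Dict[str, object]:
    """Breadth-first crawl mimicking skipfish's -C (fixed Cookie header) and
    -X (skip any URL whose path contains one of the given substrings)."""
    name, _, value = cookie.partition("=")
    cookies = {name: value}
    queue = [urlparse(start).path or "/"]
    results: Dict[str, object] = {}
    while queue:
        path = queue.pop(0)
        if path in results:
            continue
        if any(s in path for s in exclude):
            results[path] = "excluded"  # never requested, so the session survives
            continue
        status, links = app.get(path, cookies)
        results[path] = status
        queue.extend(link for link in links if link not in results)
    return results


def authenticated_pages(results: Dict[str, object]) -> List[str]:
    """Paths that were actually reached with a valid session (HTTP 200)."""
    return sorted(p for p, r in results.items() if r == 200)


if __name__ == "__main__":
    base = "http://localhost:8080/"
    naive = crawl(MockApp(), base, "JSESSIONID=MYSESSIONID1234")
    safe = crawl(MockApp(), base, "JSESSIONID=MYSESSIONID1234",
                 exclude=("/logout.jsp",))
    print("without -X:", naive)  # /account/settings is 302: the crawl logged itself out
    print("with -X:   ", safe)   # /logout.jsp excluded, every page reached as the user
```

The substring match is deliberate: skipfish's -X excludes any URL containing the string, so "-X /logout.jsp" also covers a logout link that carries query parameters. The same model shows the other failure mode worth checking before a long scan: with a stale or mistyped cookie value, every login-protected page comes back as a redirect and the report silently covers only the public part of the site.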
The output is clean but terse, so you may need some background knowledge to do anything useful with it. That is fair enough: skipfish looks for fundamental classes of problems (SQL injection, say, rather than the presence of a specific DLL or a known Apache bug), so prescribing specific fixes is not really its job. All in all, a very easy to use and useful tool.