Google needs the web to be as fast, as safe and as clean as possible, not out of some altruistic desire the 'make the world a better place', as it would have you believe, though that does play a part, but because a better web means more money for the company. It has released plenty of projects to make the web faster, but now it's looking at making it safer with a brand-new security tool dubbed skipfish.
"Today, we are happy to announce the availability of skipfish - our free, open source, fully automated, active web application security reconnaissance tool," said Google's Michal Zalewski. "We think this project is interesting for a few reasons:
· High speed: written in pure C, with highly optimized HTTP handling and a minimal CPU footprint, the tool easily achieves 2000 requests per second with responsive targets.
· Ease of use: the tool features heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
· Cutting-edge security logic: we incorporated high quality, low false positive, differential security checks capable of spotting a range of subtle flaws, including blind injection vectors."
Skipfish is a security test suite designed to help webmasters check their sites for vulnerabilities. Google offers a list of the type of tests skipfish performs, though it says it's not a complete one. There are plenty of active scanners out there and Google states that, even though skipfish has some advantages over them, like the ones listed above, it does have some limitations also and you should check out several of them if you want to be completely sure.
The tool is now available as source code and Google says it should compile and work on POSIX-compliant environments including Linux, FreeBSD, MacOS X and even on Windows using Cygwin. The current version, at the time of writing, is skipfish 1.05 which is labeled as a beta.
Skipfish 1.05 beta is available for download here.