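Web Application Security Scanner Skipfish 2.04b Released
skipfish is a free, open-source web application security scanner released by Google. Its main features are high scanning speed, ease of use, and cutting-edge security logic.
skipfish has now been updated to version 2.04b. The main changes in the new version are as follows: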
Option -V eliminated in favor of -W / -S.
Option -l added to limit the maximum requests per second (contributed by Sebastian Roschke)
Option -k added to limit the maximum duration of a scan (contributed by Sebastian Roschke)
Support for #ro, -W-; related documentation changes.
HTTPS -> HTTP form detection.
Added more diverse traversal and file disclosure tests (including file:// scheme tests)
Improved injection detection in <script> sections, where a ' or " is all we need to inject JS code.
Added check to see if our injection strings end up in server Set-Cookie, Set-Cookie2 and Content-Type response headers
URLs that give us a Javascript response are now tested with a “callback=” parameter to find JSONP issues.
Fixed “response varies” bug in 404 detection where a stable page would be marked unstable.
Bugfix to es / eg handling in dictionaries.
Added the “complete-fast.wl” wordlist which is an es / eg optimized version of “complete.wl” (resulting in 20-30% fewer requests).
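Google engineer Michal Zalewski says that although Skipfish offers functionality similar to other open-source scanning tools such as Nikto and Nessus, it also has some unique advantages. Skipfish works over the HTTP protocol and uses relatively little CPU, so it runs fairly fast. Skipfish can easily handle 2000 requests per second.
Skipfish uses advanced security logic, which helps reduce the likelihood of false positives. This technique is similar to ratproxy, another security tool that Google released in 2008.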