SKIPFISH(1)SKIPFISH(1)NAMEskipfish - web application security scanner
SYNOPSISskipfish [options] -o output-directory [ start-url | @url-file [ start-
url2 ... ]]
DESCRIPTIONskipfish is an active web application security reconnaissance tool. It
prepares an interactive sitemap for the targeted site by carrying out a
recursive crawl and dictionary-based probes. The resulting map is then
annotated with the output from a number of active (but hopefully non-
disruptive) security checks. The final report generated by the tool is
meant to serve as a foundation for professional web application secu‐
rity assessments.
OPTIONS SUMMARY
Authentication and access options:
-A user:pass - use specified HTTP authentication credentials
-F host=IP - pretend that ´host´ resolves to ´IP´
-C name=val - append a custom cookie to all requests
-H name=val - append a custom HTTP header to all requests
-b (i|f|p) - use headers consistent with MSIE / Firefox / iPhone
-N - do not accept any new cookies
Crawl scope options:
-d max_depth - maximum crawl tree depth (16)
-c max_child - maximum children to index per node (512)
-x max_desc - maximum descendants to index per branch (8192)
-r r_limit - max total number of requests to send (100000000)
-p crawl% - node and link crawl probability (100%)
-q hex - repeat probabilistic scan with given seed
-I string - only follow URLs matching ´string´
-X string - exclude URLs matching ´string´
-K string - do not fuzz parameters named ´string´
-D domain - crawl cross-site links to another domain
-B domain - trust, but do not crawl, another domain
-Z - do not descend into 5xx locations
-O - do not submit any forms
-P - do not parse HTML, etc, to find new links
Reporting options:
-o dir - write output to specified directory (required)
-M - log warnings about mixed content / non-SSL passwords
-E - log all caching intent mismatches
-U - log all external URLs and e-mails seen
-Q - completely suppress duplicate nodes in reports
-u - be quiet, disable realtime progress stats
Dictionary management options:
-W wordlist - use a specified read-write wordlist (required)
-S wordlist - load a supplemental read-only wordlist
-L - do not auto-learn new keywords for the site
-Y - do not fuzz extensions in directory brute-force
-R age - purge words hit more than ´age´ scans ago
-T name=val - add new form auto-fill rule
-G max_guess - maximum number of keyword guesses to keep (256)
Performance settings:
-l max_req - max requests per second (0..000000)
-g max_conn - max simultaneous TCP connections, global (40)
-m host_conn - max simultaneous connections, per target IP (10)
-f max_fail - max number of consecutive HTTP errors (100)
-t req_tmout - total request response timeout (20 s)
-w rw_tmout - individual network I/O timeout (10 s)
-i idle_tmout - timeout on idle HTTP connections (10 s)
-s s_limit - response size limit (200000 B)
-e - do not keep binary responses for reporting
Other settings:
-k duration - stop scanning after the given duration h:m:s
--config file - load specified configuration file
AUTHENTICATION AND ACCESS
Some sites require authentication, and skipfish supports this in dif‐
ferent ways. First there is basic HTTP authentication, for which you
can use the -A flag. Second, and more common, are sites that require
authentication on a web application level. For these sites, the best
approach is to capture authenticated session cookies and provide them
to skipfish using the -C flag (multiple if needed). Last, you'll need
to put some effort in protecting the session from being destroyed by
excluding logout links with -X and/or by rejecting new cookies with -N.
-F/--host <ip:hostname>
Using this flag, you can set the ´Host:´ header value to define
a custom mapping between a host and an IP (bypassing the
resolver). This feature is particularly useful for not-yet-
launched or legacy services that don't have the necessary DNS
entries.
-H/--header <header:value>
When it comes to customizing your HTTP requests, you can also
use the -H option to insert any additional, non-standard head‐
ers. This flag also allows the default headers to be overwrit‐
ten.
-C/--cookie <cookie:value>
This flag can be used to add a cookie to the skipfish HTTP
requests; This is particularly useful to perform authenticated
scans by providing session cookies. When doing so, keep in mind
that cetain URLs (e.g. /logout) may destroy your session; you
can combat this in two ways: by using the -N option, which
causes the scanner to reject attempts to set or delete cookies;
or by using the -X option to exclude logout URLs.
-b/--user-agent <i|f|p>
This flag allows the user-agent to be specified where ´i´ stands
for Internet Explorer, ´f´ for Firefox and ´p´ for iPhone. Using
this flag is recommended in case the target site shows different
behavior based on the user-agent (e.g some sites use different
templates for mobiles and desktop clients).
-N/--reject-cookies
This flag causes skipfish to ignore cookies that are being set
by the site. This helps to enforce stateless tests and also pre‐
vent that cookies set with ´-C´ are not overwritten.
-A/--auth <username:password>
For sites requiring basic HTTP authentication, you can use this
flag to specify your credentials.
--auth-form <URL>
The login form to use with form authentication. By default skip‐
fish will use the form's action URL to submit the credentials.
If this is missing than the login data is send to the form URL.
In case that is wrong, you can set the form handler URL with
--auth-form-target <URL> .
--auth-user <username>
The username to be used during form authentication. Skipfish
will try to detect the correct form field to use but if it fails
to do so (and gives an error), then you can specify the form
field name with --auth-user-field.
--auth-pass <password>
The password to be used during form authentication. Similar to
auth-user, the form field name can (optionally) be set with
--auth-pass-field.
--auth-verify-url <URL>
This URL allows skipfish to verify whether authentication was
successful. This requires a URL where anonymous and authenti‐
cated requests are answered with a different response.
CRAWLING SCOPE
Some sites may be too big to scan in a reasonable timeframe. If the
site features well-defined tarpits - for example, 100,000 nearly iden‐
tical user profiles as a part of a social network - these specific
locations can be excluded with -X or -S. In other cases, you may need
to resort to other settings: -d limits crawl depth to a specified num‐
ber of subdirectories; -c limits the number of children per directory;
-x limits the total number of descendants per crawl tree branch; and -r
limits the total number of requests to send in a scan.
-d/--max-crawl-depth <depth>
Limit the depth of subdirectories being crawled (see above).
-c/--max-crawl-child <childs>
Limit the amount of subdirectories per directory we crawl into
(see above).
-x/--max-crawl-descendants <descendants>
Limit the total number of descendants per crawl tree branch (see
above).
-r/--max-request-total <request>
The maximum number of requests can be limited with this flag.
-p/--crawl-probability <0-100>
By specifying a percentage between 1 and 100%, it is possible to
tell the crawler to follow fewer than 100% of all links, and try
fewer than 100% of all dictionary entries. This - naturally -
limits the completeness of a scan, but unlike most other set‐
tings, it does so in a balanced, non-deterministic manner. It is
extremely useful when you are setting up time-bound, but peri‐
odic assessments of your infrastructure.
-q/--seed <seed>
This flag sets the initial random seed for the crawler to a
specified value. This can be used to exactly reproduce a previ‐
ous scan to compare results. Randomness is relied upon most
heavily in the -p mode, but also influences a couple of other
scan management decisions.
-I/--include-string <domain/path>
With this flag, you can tell skipfish to only crawl and test
URLs that match a certain string. This can help to narrow down
the scope of a scan by only whitelisting certain sections of a
web site (e.g. -I /shop).
-X/--exclude-string <domain/path>
The -X option can be used to exclude files / directories from
the scan. This is useful to avoid session termination (i.e. by
excluding /logout) or just for speeding up your scans by exclud‐
ing static content directories like /icons/, /doc/, /manuals/,
and other standard, mundane locations along these lines.
-K/--skip-parameter <parameter name>
This flag allows you to specify parameter names not to fuzz.
(useful for applications that put session IDs in the URL, to
minimize noise).
-D/--include-domain <domain>
Allows you to specify additional hosts or domains to be in-scope
for the test. By default, all hosts appearing in the command-
line URLs are added to the list - but you can use -D to broaden
these rules. The result of this will be that the crawler will
follow links and tests links that point to these additional
hosts.
-B/--trust-domain <domain>
In some cases, you do not want to actually crawl a third-party
domain, but you trust the owner of that domain enough not to
worry about cross-domain content inclusion from that location.
To suppress warnings, you can use the -B option
-Z/--skip-error-pages
Do not crawl into pages / directories that give an error 5XX.
-O/--no-form-submits
Using this flag will cause forms to be ignored during the scan.
-P/--no-html-parsing
This flag will disable link extracting and effectively disables
crawling. Using -P is useful when you want to test one specific
URL or when you want to feed skipfish a list of URLs that were
collected with an external crawler.
TESTING SCOPE--checks
EXPERIMENTAL: Displays the crawler injection tests. The output
shows the index number (useful for --checks-toggle), the check
name and whether the check is enabled.
--checks-toggle <check1,check2,..>
EXPERIMENTAL: Every injection test can be enabled/disabled with
using this flag. As value, you need to provide the check numbers
which can be obtained with the --checks flag. Multiple checks
can be toggled via a comma separated value (i.e. --checks-toggle
1,2 )
--no-injection-tests
EXPERIMENTAL: Disables all injection tests for this scan and
limits the scan to crawling and, optionally, bruteforcing. As
with all scans, the output directory will contain a pivots.txt
file. This file can be used to feed future scans.
REPORTING OPTIONS
-o/--output <dir>
The report wil be written to this location. The directory is one
of the two mandatory options and must not exist upon starting
the scan.
-M/--log-mixed-content
Enable the logging of mixed content. This is highly recommended
when scanning SSL-only sites to detect insecure content inclu‐
sion via non-SSL protected links.
-E/--log-cache-mismatches
This will cause additonal content caching error to be reported.
-U/--log-external-urls
Log all external URLs and email addresses that were seen during
the scan.
-Q/--log-unique-nodes
Enable this to completely suppress duplicate nodes in reports.
-u/--quiet
This will cause skipfish to suppress all console output during
the scan.
-v/--verbose
EXPERIMENTAL: Use this flag to enable runtime reporting of, for
example, problems that are detected. Can be used multiple times
to increase verbosity and should be used in combination with -u
unless you run skipfish with stderr redirected to a file.
DICTIONARY MANAGEMENT
Make sure you've read the instructions provided in doc/dictionaries.txt
to select the right dictionary file and configure it correctly. This
step has a profound impact on the quality of scan results later on.
-S/--wordlist <file>
Load the specified (read-only) wordlist for use during the scan.
This flag is optional but use of a dictionary is highly recom‐
mended when performing a blackbox scan as it will highlight hid‐
den files and directories.
-W/--rw-wordlist <file>
Specify an initially empty file for any newly learned site-spe‐
cific keywords (which will come handy in future assessments).
You can use -W- or -W /dev/null if you don't want to store auto-
learned keywords anywhere. Typically you will want to use one of
the packaged dictonaries (i.e. complete.wl) and possibly add a
custom dictionary.
-L/--no-keyword-learning
During the scan, skipfish will try to learn and use new key‐
words. This flag disables that behavior and should be used when
any form of brute-forcing is not desired.
-Y/--no-extension-brute
This flag will disable extension guessing during directory
bruteforcing.
-R <age>
Use of this flag allows old words to be purged from wordlists.
It is intended to help keeping dictionaries clean when used in
recurring scans.
-T/--form-value <name=value>
Skipfish also features a form auto-completion mechanism in order
to maximize scan coverage. The values should be non-malicious,
as they are not meant to implement security checks - but rather,
to get past input validation logic. You can define additional
rules, or override existing ones, with the -T option (-T
form_field_name=field_value, e.g. -T login=test123 -T pass‐
word=test321 - although note that -C and -A are a much better
method of logging in).
-G <max guesses>
During the scan, a temporary buffer of newly detected keywords
is maintained. The size of this buffer can be changed with this
flag and doing so influences bruteforcing.
PERFORMANCE OPTIONS
The default performance setting should be fine for most servers but
when the report indicates there were connection problems, you might
want to tweak some of the values here. For unstable servers, the scan
coverage is likely to improve when using low values for rate and con‐
nection flags.
-l/--max-request-rate <rate>
This flag can be used to limit the amount of requests per sec‐
ond. This is very useful when the target server can't keep up
with the high amount of requests that are generated by skipfish.
Keeping the amount requests per second low can also help pre‐
venting some rate-based DoS protection mechanisms from kicking
in and ruining the scan.
-g/--max-connections <number>
The max simultaneous TCP connections (global) can be set with
this flag.
-m/--max-host-connections <number>
The max simultaneous TCP connections, per target IP, can be set
with this flag.
-f/--max-failed-requests <number>
Controls the maximum number of consecutive HTTP errors you are
willing to see before aborting the scan. For large scans, you
probably want to set a higher value here.
-t/--request-timeout <timeout>
Set the total request timeout, to account for really slow or
really fast sites.
-w/--network-timeout <timeout>
Set the network I/O timeout.
-i/--idle-timeout <timeout>
Specify the timeout for idle HTTP connections.
-s/--response-size <size>
Sets the maximum length of a response to fetch and parse (longer
responses will be truncated).
-e/--discard-binary
This prevents binary documents from being kept in memory for
reporting purposes, and frees up a lot of RAM.
--flush-to-disk
This causes request / response data to be flushed to disk
instead of being kept in memory. As a result, the memory usage
for large scans will be significant lower.
EXAMPLES
Scan type: config
skipfish--config config/example.conf http://example.com
Scan type: quick
skipfish-o output/dir/ http://example.com
Scan type: extensive bruteforce
skipfish [...other options..] -S dictionaries/complete.wl http://exam‐
ple.com
Scan type: without bruteforcing
skipfish [...other options..] -LY http://example.com
Scan type: authenticated (basic)
skipfish [...other options..] -A username:password http://example.com
Scan type: authenticated (cookie)
skipfish [...other options..] -C jsession=myauthcookiehere -X /logout
http://example.com
Scan type: flaky server
skipfish [...other options..] -l 5 -g 2 -t 30 -i 15 http://example.com
NOTES
The default values for all flags can be viewed by running ´./skipfish
-h´ .
AUTHORskipfish was written by Michal Zalewski <lcamtuf@google.com>, with con‐
tributions from Niels Heinen <heinenn@google.com>, Sebastian Roschke
<s.roschke@googlemail.com>, and other parties.
This manual page was written with the help of Thorsten Schifferdecker
<tsd@debian.systs.org>.
May 6, 2012 SKIPFISH(1)
