Automated Audit using SKIPFISH


Last revision (mm/dd/yy): 07/04/2012

This type of article aims to give development teams an easy and quick way to perform automated audit
tests against their web application projects during the implementation phase.


This page shows a sample SKIPFISH script that automates the audit of a web application.

Description taken from website:

Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted 
site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output 
from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant 
to serve as a foundation for professional web application security assessments.

SKIPFISH homepage.

This script does not replace a manual audit, but it can be useful as a first validation.

Shell script

#!/bin/sh
# Define global variables (placeholder values, adjust them to your project)
REPORT_DIR="skipfish-report"
TARGET_URL="http://localhost:8080/myapp/"
TARGET_ROOT_URL="http://localhost:8080/myapp/"
URI_TO_IGNORE="/myapp/logout"
INTERACTIVE_MODE="yes"
# Clean up the report directory if it exists...
if [ -d "$REPORT_DIR" ]; then
  rm -rf "$REPORT_DIR"
fi
# Initialize the custom dictionary if it does not exist...
if [ ! -f dictionaries/custom-dictionnary.wl ]; then
  touch dictionaries/custom-dictionnary.wl
fi
# Define running mode (interactive or quiet): -u disables realtime progress stats
if [ "$INTERACTIVE_MODE" = "yes" ]; then RUNNING_MODE=""; else RUNNING_MODE="-u"; fi
# Start scan...
skipfish -b i -I "$TARGET_ROOT_URL" -X "$URI_TO_IGNORE" -Z -o "$REPORT_DIR" -M -Q $RUNNING_MODE \
  -S dictionaries/extensions-only.wl -W dictionaries/custom-dictionnary.wl -Y -R 5 -G 256 \
  -l 3 -g 10 -m 10 -f 20 -t 60 -w 60 -i 60 -s 1024000 -e "$TARGET_URL"

Global variables description:

  • REPORT_DIR: Target directory in which SkipFish will generate the scan report.
  • URI_TO_IGNORE: Comma-separated list of URIs that the scan must ignore.
  • TARGET_URL: Target application URL.
  • TARGET_ROOT_URL: Root URL of the application (used to limit the scan to the application).
  • INTERACTIVE_MODE: Tells SkipFish whether to run in interactive or quiet mode (quiet mode shows no realtime progress statistics); the script derives the $RUNNING_MODE option from it.

Options used to specify authentication and access behaviors:

  • -b: Use headers consistent with MSIE.

Options used to specify crawl scope behaviors:

  • -I: Only follow URLs matching the URL specified in the $TARGET_ROOT_URL variable.
  • -X: Exclude URLs matching the URIs specified in the $URI_TO_IGNORE variable.
  • -Z: Do not descend into 5xx locations.

Options used to specify reporting behaviors:

  • -o: Write output to directory specified in $REPORT_DIR variable.
  • -M: Log warnings about mixed content / non-SSL passwords.
  • -Q: Completely suppress duplicate nodes in reports.
  • -u: Be quiet, disable realtime progress stats (passed through $RUNNING_MODE when quiet mode is selected).

Options used to specify dictionary management behaviors:

Here we configure the scan to learn from the application and to keep the information found for the next scan of the same application. We also seed the learning with a dictionary containing only extensions, which the scan must use to discover files...

  • -S: Load a supplemental read-only wordlist; this is the seeding dictionary.
  • -W: Use the specified read-write wordlist; this is the dictionary built from the information gathered during the scan.
  • -Y: Do not fuzz extensions in directory brute-force.
  • -R: Purge, from the dictionary built from the application scan, words hit more than 5 scans ago.
  • -G: Maximum number of keyword guesses to keep, here we keep 256 keywords.

Options used to specify performance settings:

  • -l: Max requests per second, here we limit to 3.
  • -g: Max simultaneous TCP connections, here we limit to 10.
  • -m: Max simultaneous connections, per target IP, here we limit to 10.
  • -f: Max number of consecutive HTTP errors, here we limit to 20.
  • -t: Total request response timeout, here we limit to 1 minute.
  • -w: Individual network I/O timeout, here we limit to 1 minute.
  • -i: Timeout on idle HTTP connections, here we limit to 1 minute.
  • -s: Response size limit, here we limit to 1024 Kb.
  • -e: Do not keep binary responses for reporting.

Interactive mode & report

The interactive mode gives realtime progress stats of the scan:



SkipFish generates an HTML report website like this:


Remark about scan scheduling

The scan takes a while, so it is recommended to schedule its execution:

  • During the night for a daily audit case.
  • During the week-end for a weekly audit case.
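As an added example that is not part of the original page, the following wrapper turns the shell script above into something suitable for the scheduled (cron) runs just recommended: it keeps one dated report directory per run instead of wiping the previous one, refuses to start while an earlier scan still holds a lock, logs the exact command line before running it, and maps the INTERACTIVE_MODE switch to skipfish's -u flag. The URLs, paths and the "audit.sh run" convention are assumptions; skipfish and the dictionaries/ directory are expected to be present.

```shell
#!/bin/sh
# Placeholder values, adjust to your project (assumed, not from the original page).
TARGET_URL="http://localhost:8080/myapp/"
TARGET_ROOT_URL="http://localhost:8080/myapp/"
URI_TO_IGNORE="/myapp/logout"
REPORT_BASE="/var/tmp/skipfish-reports"
INTERACTIVE_MODE="${INTERACTIVE_MODE:-no}"   # cron runs default to quiet mode

# Map the INTERACTIVE_MODE switch to skipfish's -u (quiet) flag.
running_mode_flag() {
  if [ "$1" = "yes" ]; then echo ""; else echo "-u"; fi
}

# One report directory per run (<base>/<YYYY-MM-DD>) so earlier reports survive.
dated_report_dir() {
  printf '%s/%s\n' "$1" "$2"
}

# Assemble the page's command line ($1 = report dir, $2 = "" or -u) so it can be
# logged and reviewed before the scan starts.
build_skipfish_cmd() {
  opts="-b i -I $TARGET_ROOT_URL -X $URI_TO_IGNORE -Z -o $1 -M -Q $2"
  opts="$opts -S dictionaries/extensions-only.wl -W dictionaries/custom-dictionnary.wl -Y -R 5 -G 256"
  opts="$opts -l 3 -g 10 -m 10 -f 20 -t 60 -w 60 -i 60 -s 1024000 -e $TARGET_URL"
  echo "skipfish $opts"
}

# mkdir is atomic: it fails if another scheduled run still holds the lock.
acquire_lock() {
  mkdir "$1" 2>/dev/null
}

run_scheduled_audit() {
  lock="$REPORT_BASE/.lock"
  mkdir -p "$REPORT_BASE"
  acquire_lock "$lock" || { echo "previous scan still running, skipping" >&2; return 1; }
  [ -f dictionaries/custom-dictionnary.wl ] || touch dictionaries/custom-dictionnary.wl
  dir=$(dated_report_dir "$REPORT_BASE" "$(date +%Y-%m-%d)")
  rm -rf "$dir"
  cmd=$(build_skipfish_cmd "$dir" "$(running_mode_flag "$INTERACTIVE_MODE")")
  echo "$cmd" > "$REPORT_BASE/last-command.log"
  sh -c "$cmd"
  rc=$?
  rmdir "$lock"
  return $rc
}
# Start a scan only when invoked as "audit.sh run"; sourcing the file just loads the functions.
if [ "${1:-}" = "run" ]; then
  run_scheduled_audit
fi
```

A crontab line such as `0 2 * * * /path/to/audit.sh run` gives the nightly case, and `0 2 * * 6` the weekend case.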