Wednesday, April 14, 2010

Skipfish

I've recently been contracted to improve security on a couple of different sites. One of them had been targeted by SQL injection and cross-site scripting (XSS) attacks. There was a lot of code to go through, and a lot of possible entry points to secure. I was able to do most of it efficiently, and I felt that the code was much more secure than it had been. However, the site was compromised again.

I was moaning about it on Twitter, and a friend of mine (Twitter) informed me about a tool called Skipfish (Google code). It claims to scan sites for security issues, including SQL injection vectors and XSS possibilities. And as far as I can tell, it does so fairly well. It's informed me of vulnerabilities and security issues on this site, and it helped me out with my client's site as well.

I'd like to help people understand how to install and use Skipfish. I'm (currently) a Windows user, so there is one additional step prior to actually installing the software, which I'll call "Step Windows". Anyway, without further ado:

Step Windows - Install Cygwin

For those who are unfamiliar, Cygwin is a simulation of a Linux-like environment for Windows. Since Skipfish requires a Linux-like command line, this is what we'll use. Simply download it and run setup.exe.

Step 1: Libraries

There are a few libraries that I've had to install in order to get Skipfish compiled and running. I found out which libraries to install via make errors, but it turns out the libraries are listed on the Skipfish site under Known Issues. Linux users will want to use their package manager (either yum or apt), while Windows users will want to run Cygwin's setup.exe again. Besides the listed libraries, Windows users will want to install gcc and make, which aren't installed in Cygwin by default.

Step 2: Download and Compile Skipfish

Download the current Skipfish tarball at the downloads page, and unpack it. Windows users, if you don't already have software to unpack .tgz files, try 7zip. If you're on Windows, you'll have to copy the resulting directory into the Cygwin filesystem, which is located where you installed Cygwin (most likely C:\Program Files\cygwin). Once that's done, open up your command line (Terminal, shell, or Cygwin), navigate to the Skipfish directory, and simply type make at the prompt.

Once that's complete, you'll need to copy a dictionary file from skipfish/dictionaries to skipfish/skipfish.wl. I've been using minimal.wl, because it speeds up the scans. Here's the command to do the copying, if you're in the Skipfish directory:
cp dictionaries/minimal.wl skipfish.wl

Step 3: Run Skipfish

The most basic way to use Skipfish is as follows (from the Skipfish directory):
./skipfish -o output_dir http://yoursite.com
Pretty simple. It will even create output_dir if you haven't done so already. If you have, and there is already skipfish data in there, the run will fail, so either create a new directory for each run, or delete old data beforehand. Also, for Windows users, I'd recommend expanding the Cygwin window vertically before running Skipfish - it will make the output look cleaner.

While the program is running, it shows you quite a bit of information: how long the scan has been running, the number of HTTP requests sent (total and per second), exceptions, pending HTTP requests, and the number and severity of issues it's found. Generally, I look at the HTTP requests sent and the issues found to see how the scan is going.

The Skipfish site claims it can get around 200 requests per second on remote sites. I haven't seen that much, but it is largely dependent on server speed. If you think you're not getting the rates you should be, there are troubleshooting notes on the Skipfish site.

Step 3.5: Cookies

A lot of sites require a login, and Skipfish can handle that with a little help. Their site suggests logging in to the target site either with curl or with your favorite browser, checking the cookies, and then using their cookie syntax (below) to hand the cookie data to Skipfish. I used Opera, simply due to its simple cookie interface (Tools > Advanced > Cookies...). Once there, search for the target site's domain, check the cookie values, and use them in the following syntax:
./skipfish -C "name=value" [-C "name=value"][-C ...] ...
Each string after -C is a single cookie name/value pair. Use multiple if you have several such pairs.

Once you've done that, you should be all set.
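The steps above (copy the dictionary, pick an output directory that doesn't already hold scan data, pass each cookie with its own -C flag) are easy to get slightly wrong on a rerun, so here is a small POSIX sh wrapper that does them in one go. This is an added example, not part of the Skipfish project; it assumes you run it from the unpacked Skipfish directory where ./skipfish and dictionaries/ live, and the names DICT, fresh_output_dir, cookie_flags and run_scan are mine, not Skipfish's.

```shell
#!/bin/sh
# Added example (not part of the Skipfish project): a wrapper around Steps 2
# to 3.5 of the post. Run from the unpacked Skipfish directory, where the post
# puts ./skipfish and dictionaries/. DICT, fresh_output_dir, cookie_flags and
# run_scan are names chosen for this example.

# Dictionary to copy into place; minimal.wl is the fast one used in the post.
DICT="${DICT:-dictionaries/minimal.wl}"

# Print a directory name that does not exist yet, so every run gets its own
# output directory and never fails on data left by a previous scan.
fresh_output_dir() {
    base="$1"
    stamp="$(date +%Y%m%d-%H%M%S)"
    dir="${base}-${stamp}"
    n=1
    while [ -e "$dir" ]; do
        dir="${base}-${stamp}-${n}"
        n=$((n + 1))
    done
    printf '%s\n' "$dir"
}

# Turn "name=value" pairs into the repeated -C flags Skipfish expects, one
# argument per output line. Pairs without an '=' are reported and dropped.
cookie_flags() {
    for pair in "$@"; do
        case "$pair" in
            *=*) printf '%s\n%s\n' -C "$pair" ;;
            *)   printf 'ignoring malformed cookie: %s\n' "$pair" >&2 ;;
        esac
    done
}

# run_scan URL OUTPUT_BASE [name=value ...]
# Copies the dictionary if it is not in place yet, picks a fresh output
# directory, converts the cookie pairs and starts the scan.
run_scan() {
    url="$1"; base="$2"; shift 2
    [ -f skipfish.wl ] || cp "$DICT" skipfish.wl
    out="$(fresh_output_dir "$base")"
    flags="$(cookie_flags "$@")"
    # Rebuild the positional parameters from the flag lines so each cookie
    # value stays a single argument even if it contains spaces.
    set --
    while IFS= read -r flag; do
        if [ -n "$flag" ]; then set -- "$@" "$flag"; fi
    done <<EOF
$flags
EOF
    echo "scanning $url into $out" >&2
    ./skipfish -o "$out" "$@" "$url"
}

# Usage (constructed values): sh scan.sh http://yoursite.com output_dir "session=abc123"
# A scan only starts when arguments are given and the compiled binary is present.
if [ "$#" -ge 2 ] && [ -x ./skipfish ]; then
    run_scan "$@"
fi
```

The output directory gets a timestamp suffix (and a counter if you start two scans in the same second), which sidesteps the "output directory already has data" failure and also leaves you with a dated history of scans to compare after each fix.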

Step 4: Check the Results

The scan has finished, and Skipfish has informed you that it is a great day for science. I'm not sure why it does that, but it does, and it means you're ready to look at your results. Open output_dir/index.html in your favorite browser, and you get a look at the very pretty results of your scan.

It comes in three sections: the Crawl Results, the Document Type Overview, and the Issue Type Overview.

The Crawl Results are essentially a site map, with details as to what sorts of issues are on which pages. That's what the numbers and icons to the right of each item mean - High Risk, Medium Risk, Low Risk, Warnings, Notes, and Unique Child Nodes. Take a look through here to check a particular section of the target site.

The Document Type Overview section just shows you what types of documents the scan accessed on your site. Not terribly useful, but it can inform you if, for instance, an image is being served as plain text.

The Issue Type Overview section is my favorite section. It organizes your security issues by severity, and all you have to do is click on them to see where they're occurring. Simple and effective.

Step 5: Act

Security scans are useless if you don't act on the information. Dig into the code and figure out how to patch the holes. Filter your input, escape your output, and test it all.

So there's my overview of Skipfish. I'm no expert, and there's a lot more to it, but these steps should get you started.
