Google has launched an open source scanner that allows web app developers to probe nascent applications for security vulnerabilities.
According to H Security, Skipfish runs on a Linux/Unix command line and offers “similar [yet faster] functionality” to utilities such as Nmap or Nessus.
“Using fully automated heuristics, it detects code that is vulnerable to cross-site scripting attacks (XSS), SQL and XML injection attacks and many other attack types. The tool’s comprehensive post-processing of the individual test results is designed to help with the interpretation of the final report,” wrote H Security’s Chris Von Eitzen.
“Skipfish is a pure C implementation and according to Google, can easily process 2,000 HTTP requests per second – provided the tested server can handle such a high load. In individual tests across local networks, 7,000+ requests per second have reportedly been sent with a modest CPU load and memory footprint.”
Eitzen explained that Google achieved such high performance by using a serial I/O model that processes responses asynchronously and offers superior scalability over traditional (synchronous) multi-threaded approaches.
“Optimized HTTP connection handling via features such as HTTP 1.1 range requests, keep-alive connections and data compression are designed to keep Skipfish’s network bandwidth requirements in check,” added Eitzen.