Skipfish is written and maintained by Googler Michal Zalewski
From the referenced Web page:
"Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments. ...." |
There seems to be a lot of overlap between skipfish and Google's other security tool, ratproxy. It's not clear which would be the best one to start with, given that both appear to have quite a big learning curve.
Ratproxy may require more configuration (because it involves running a proxy server on your computer so that ratproxy can intercept your interaction with your website), but it's probably less invasive (because in its default mode it "follows along" with the interaction between you and your website, rather than initiating it).
But both tools can be run in a number of different modes, with different degrees of invasiveness. I would be interested to hear from anyone who uses both of them. |