Last week, Google labs released a new free web analyzer tool called Skipfish (project details here). I haven’t had a chance to play with it yet, although I hope to soon, since I have a new web application almost ready to go live.

Skipfish appears to support a ton of features, such as “Multiplexing single-thread, fully asynchronous network I/O and data processing model that eliminates memory management, scheduling, and IPC inefficiencies present in some multi-threaded clients,” which, although I can only barely understand it, sounds very impressive. The vulnerabilities scanned for include:

High risk flaws (potentially leading to system compromise):
Server-side SQL injection (including blind vectors, numerical parameters).
Explicit SQL-like syntax in GET or POST parameters.
Server-side shell command injection (including blind vectors).
Server-side XML / XPath injection (including blind vectors).
Format string vulnerabilities.
Integer overflow vulnerabilities.
Locations accepting HTTP PUT.

Medium risk flaws (potentially leading to data compromise):
Stored and reflected XSS vectors in document body (minimal JS XSS support present).
Stored and reflected XSS vectors via HTTP redirects.
Stored and reflected XSS vectors via HTTP header splitting.
Directory traversal (including constrained vectors).
Assorted file POIs (server-side sources, configs, etc).
Attacker-supplied script and CSS inclusion vectors (stored and reflected).
External untrusted script and CSS inclusion vectors.
Mixed content problems on script and CSS resources (optional).
Incorrect or missing MIME types on renderables.
Generic MIME types on renderables.
Incorrect or missing charsets on renderables.
Conflicting MIME / charset info on renderables.
Bad caching directives on cookie setting responses.

Low risk issues (limited impact or low specificity):
Directory listing bypass vectors.
Redirection to attacker-supplied URLs (stored and reflected).
Attacker-supplied embedded content (stored and reflected).
External untrusted embedded content.
Mixed content on non-scriptable subresources (optional).
HTTP credentials in URLs.
Expired or not-yet-valid SSL certificates.
HTML forms with no XSRF protection.
Self-signed SSL certificates.
SSL certificate host name mismatches.
Bad caching directives on less sensitive content.
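As an added example (not Skipfish's own code or output), here is a small passive checker for a few of the header-level findings in the list above, the kind of thing you can run over your own responses before the scanner does. The URLs, headers and bodies it is fed are constructed for illustration.

```python
# Added example: passive response-hygiene checks modelled on several items
# in the Skipfish list (credentials in URLs, missing/generic MIME types,
# missing or conflicting charsets, cacheable cookie-setting responses).
import re
from urllib.parse import urlsplit

TEXT_RENDERABLES = ("text/html", "text/plain", "text/xml", "application/xml",
                    "application/xhtml+xml")
GENERIC_TYPES = ("application/octet-stream", "application/unknown")
META_CHARSET = re.compile(rb'<meta[^>]+charset=["\']?([\w-]+)', re.I)


def _parse_content_type(value):
    """Split 'text/html; charset=UTF-8' into ('text/html', 'utf-8')."""
    if not value:
        return None, None
    mime, _, params = value.partition(";")
    charset = None
    for param in params.split(";"):
        name, _, val = param.strip().partition("=")
        if name.lower() == "charset":
            charset = val.strip().strip('"').lower()
    return mime.strip().lower(), charset


def check_response(url, headers, body=b""):
    """Return finding names for one response. `headers` is a plain dict
    (lookup is case-insensitive); the finding names mirror the list above."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if urlsplit(url).username is not None:
        findings.append("HTTP credentials in URL")
    mime, charset = _parse_content_type(h.get("content-type"))
    if mime is None:
        findings.append("missing MIME type")
    elif mime in GENERIC_TYPES:
        findings.append("generic MIME type")
    elif mime in TEXT_RENDERABLES:
        if charset is None:
            findings.append("missing charset on renderable")
        else:
            m = META_CHARSET.search(body)
            if m and m.group(1).decode().lower() != charset:
                findings.append("conflicting MIME / charset info")
    if "set-cookie" in h:
        cc = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
        if not cc & {"no-store", "private"}:
            findings.append("bad caching directives on cookie-setting response")
    return findings
```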

Scanning my new application with this tool will, I’m sure, turn up about a hundred bugs I haven’t even thought about yet. But that’s better than sticking my head in the sand and pretending nothing’s wrong, or worse, having to deal with any vulnerabilities after they’ve been exploited.