3/29/2010

Skipfish Web Application Security Tool

Last week, Slashdot had a link (http://code.google.com/p/skipfish/) to a Google project named skipfish, so I decided to download it. Today, I'm finally getting a chance to try it out. To stay out of trouble, I'm running a scan against my own web server.

Once it has completed its scan, I'll have an interactive site map, as well as a report to help me assess vulnerabilities of my web server. As it completed, it almost brought my system to a halt. It ended up causing hundreds of httpd processes to spawn on my system. This caused almost every bit of RAM and swap to get used up, and almost every application that I was running to be shut down. I have never seen such a high load average on my system, as it was over 80 on just a dual core!

In reading through the skipfish documentation, I came across some interesting links. First, http://code.google.com/p/browsersec/wiki/Part1, which is a document about web browser security. Second is this link to the Open Web Application Security Project (OWASP) http://www.owasp.org/index.php.

What is in a URI?
scheme://[login[:password]@](host_name|host_address)[:port][/hierarchical/path/to/resource[?search_string][#fragment_id]]
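The syntax above, worked through as an added example that is not part of the original post: a small Python parser that follows the quoted grammar field by field and shows that the real host is whatever follows the "@", not the first name in the URL. The function names and sample URLs are constructed for this illustration.

```python
import re

# Mirrors the generic syntax quoted above, one named group per field:
# scheme://[login[:password]@](host_name|host_address)[:port]
#         [/hierarchical/path/to/resource[?search_string][#fragment_id]]
URI_RE = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://"
    r"(?:(?P<login>[^:@/?#]*)(?::(?P<password>[^@/?#]*))?@)?"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[^:/?#@\[\]]+)"   # [IPv6] literal or name/IPv4
    r"(?::(?P<port>\d+))?"
    r"(?:(?P<path>/[^?#]*)"
    r"(?:\?(?P<search_string>[^#]*))?"
    r"(?:#(?P<fragment_id>.*))?)?$"
)


def parse_uri(uri):
    """Return a dict of the grammar's fields, or None if the URI does not fit it."""
    match = URI_RE.match(uri)
    return match.groupdict() if match else None


def has_userinfo(uri):
    """True when the URI carries a login (and possibly a password) before the host."""
    parts = parse_uri(uri)
    return parts is not None and parts["login"] is not None


# Constructed sample URLs (documentation addresses only).
SAMPLES = [
    "https://example.org/a/b",
    "ftp://alice:s3cret@[2001:db8::1]:21/pub",
    # The login field looks like a host name; the real host is after the "@".
    "http://www.example.com@192.0.2.10:8080/login?next=/home#top",
    "not a uri",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        parts = parse_uri(sample)
        if parts is None:
            print(f"{sample!r}: does not match the grammar")
            continue
        flag = " (carries userinfo)" if has_userinfo(sample) else ""
        print(f"{sample!r}: host={parts['host']} port={parts['port']}{flag}")
```

The pattern is deliberately as strict as the quoted grammar, so a query string without a preceding path is rejected even though general-purpose URL parsers accept it.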
