Apr 24, 2011

Looking for web security breaches with Skipfish (I)

When we have to secure a system, it is very important to use every security tool we know of, in order to protect it as well as we can. Skipfish is one of those applications that should always be close at hand.

It is a web security scanner, written in C, which can discover many kinds of security holes in a web site by running several classes of tests:

  • High risk: SQL / PHP / XML / shell script injections, etc.

  • Medium risk: XSS (Cross-Site Scripting), CSS attacks, MIME type problems, etc.

  • Low risk: indexed directories, certificate problems, HTTP credentials, etc.

Because it is written in pure C, it reaches high performance: around 500 requests per second against targets on the Internet, about 2000 on local networks and more than 7000 against local hosts. Skipfish generates a sitemap with all the discovered paths, a summary of the document types found and a list of the security breaches it detected.

I am going to try out skipfish (version 1.86b) on an Ubuntu Server 10.10, crawling a default MediaWiki installation. To install skipfish, we must first satisfy some dependencies on our system and then compile it.

javi@ubuntu-server:~$ sudo aptitude install build-essential libssl-dev libidn11-dev

javi@ubuntu-server:~$ wget http://skipfish.googlecode.com/files/skipfish-1.86b.tgz

javi@ubuntu-server:~$ tar xvzf skipfish-1.86b.tgz

javi@ubuntu-server:~$ cd skipfish-1.86b

javi@ubuntu-server:~/skipfish-1.86b$ make

With the -h argument we can take a look at all the options skipfish makes available.

javi@ubuntu-server:~/skipfish-1.86b$ ./skipfish -h
skipfish version 1.86b by <lcamtuf@google.com>
Usage: ./skipfish [ options ... ] -o output_dir start_url [ start_url2 ... ]

Authentication and access options:

-A user:pass   - use specified HTTP authentication credentials
-F host=IP     - pretend that 'host' resolves to 'IP'
-C name=val    - append a custom cookie to all requests
-H name=val    - append a custom HTTP header to all requests
-b (i|f|p)     - use headers consistent with MSIE / Firefox / iPhone
-N             - do not accept any new cookies

Crawl scope options:

-d max_depth   - maximum crawl tree depth (16)
-c max_child   - maximum children to index per node (512)
-x max_desc    - maximum descendants to index per branch (8192)
-r r_limit     - max total number of requests to send (100000000)
-p crawl%      - node and link crawl probability (100%)
-q hex         - repeat probabilistic scan with given seed
-I string      - only follow URLs matching 'string'
-X string      - exclude URLs matching 'string'
-K string      - do not fuzz parameters named 'string'
-D domain      - crawl cross-site links to another domain
-B domain      - trust, but do not crawl, another domain
-Z             - do not descend into 5xx locations
-O             - do not submit any forms
-P             - do not parse HTML, etc, to find new links

Reporting options:

-o dir         - write output to specified directory (required)
-M             - log warnings about mixed content / non-SSL passwords
-E             - log all HTTP/1.0 / HTTP/1.1 caching intent mismatches
-U             - log all external URLs and e-mails seen
-Q             - completely suppress duplicate nodes in reports
-u             - be quiet, disable realtime progress stats

Dictionary management options:

-W wordlist    - load an alternative wordlist (skipfish.wl)
-L             - do not auto-learn new keywords for the site
-V             - do not update wordlist based on scan results
-Y             - do not fuzz extensions in directory brute-force
-R age         - purge words hit more than 'age' scans ago
-T name=val    - add new form auto-fill rule
-G max_guess   - maximum number of keyword guesses to keep (256)

Performance settings:

-g max_conn    - max simultaneous TCP connections, global (40)
-m host_conn   - max simultaneous connections, per target IP (10)
-f max_fail    - max number of consecutive HTTP errors (100)
-t req_tmout   - total request response timeout (20 s)
-w rw_tmout    - individual network I/O timeout (10 s)
-i idle_tmout  - timeout on idle HTTP connections (10 s)
-s s_limit     - response size limit (200000 B)
-e             - do not keep binary responses for reporting

Basically, we can see that a skipfish command is made up of a set of options, an output directory where the results are saved, and one or more start URLs to be analysed.

We have to bear in mind that, while skipfish is working, it only tests the links it has found; but we also have the possibility of probing other URLs by means of a brute-force attack, combining names (index, doc, etc.) with extensions (pdf, bat, etc.). For this purpose, skipfish ships four dictionaries.

javi@ubuntu-server:~/skipfish-1.86b$ ls dictionaries/*.wl
dictionaries/complete.wl  dictionaries/extensions-only.wl  dictionaries/medium.wl  dictionaries/minimal.wl

By default, skipfish will try to use a dictionary named skipfish.wl located in the working directory. Therefore we can either copy one of these dictionaries into the working directory under that name, use the -W option to specify the wordlist path, or, on the contrary, not use a dictionary at all.

As the application crawls, it adds the new words it learns to the dictionary.
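As an added example (not code from the original post), here is a small wrapper around the skipfish 1.86b command line shown above. It keeps a private copy of one of the shipped dictionaries, since skipfish rewrites the wordlist it is given as it learns keywords, and it uses the -I / -X scope options so the crawl stays inside the wiki path and never follows the logout link. The skipfish build directory, the wiki URL and the output paths are assumed values.

```shell
#!/bin/sh
# Added example: scoped skipfish scan of a local MediaWiki install.
# Assumed: skipfish 1.86b was built in $SKIPFISH_HOME and the wiki is
# served at http://localhost/mediawiki/ (example values).
set -eu

SKIPFISH_HOME="${SKIPFISH_HOME:-$HOME/skipfish-1.86b}"

# Copy a shipped dictionary into a scan-specific work directory and print
# the path of the copy. skipfish updates the wordlist passed with -W, so
# this keeps the pristine minimal/medium/complete files untouched.
# $1 = dictionaries dir, $2 = dictionary name, $3 = work dir
prepare_wordlist() {
    src="$1/$2.wl"
    [ -f "$src" ] || { echo "no such dictionary: $src" >&2; return 1; }
    mkdir -p "$3"
    cp "$src" "$3/skipfish.wl"
    echo "$3/skipfish.wl"
}

# Print the skipfish command line for one scoped scan.
# -I keeps the crawl under the start URL, -X skips the MediaWiki logout
# page (following it would end the session mid-scan), -O avoids
# submitting forms on a first, read-only pass.
# $1 = start URL, $2 = output dir, $3 = wordlist path
build_scan_cmd() {
    url="$1"; outdir="$2"; wl="$3"
    printf '%s' "$SKIPFISH_HOME/skipfish -W $wl -I $url -X Special:UserLogout -O -o $outdir $url"
}

run_scan() {
    cmd=$(build_scan_cmd "$@")
    echo "running: $cmd"
    sh -c "$cmd"
}

# Only launch a real scan when invoked as: ./scan.sh scan
# so that sourcing this file does not contact any host.
if [ "${1:-}" = "scan" ]; then
    wl=$(prepare_wordlist "$SKIPFISH_HOME/dictionaries" minimal ./scan-work)
    run_scan http://localhost/mediawiki/ ./scan-out "$wl"
fi
```

The private copy of the dictionary becomes the place where skipfish records the keywords it learned from the wiki, so a later scan of the same site can reuse it while the shipped lists remain clean.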
