Provided by: skipfish_2.10b-1_amd64 
NAME
skipfish - web application security scanner
SYNOPSIS
skipfish [options] -o output-directory [ start-url | @url-file [ start-url2 ... ]]
DESCRIPTION
skipfish is an active web application security reconnaissance tool. It prepares an
interactive sitemap for the targeted site by carrying out a recursive crawl and
dictionary-based probes. The resulting map is then annotated with the output from a
number of active (but hopefully non-disruptive) security checks. The final report
generated by the tool is meant to serve as a foundation for professional web application
security assessments.
OPTIONS SUMMARY
Authentication and access options:
-A user:pass - use specified HTTP authentication credentials
-F host=IP - pretend that ´host´ resolves to ´IP´
-C name=val - append a custom cookie to all requests
-H name=val - append a custom HTTP header to all requests
-b (i|f|p) - use headers consistent with MSIE / Firefox / iPhone
-N - do not accept any new cookies
Crawl scope options:
-d max_depth - maximum crawl tree depth (16)
-c max_child - maximum children to index per node (512)
-x max_desc - maximum descendants to index per branch (8192)
-r r_limit - max total number of requests to send (100000000)
-p crawl% - node and link crawl probability (100%)
-q hex - repeat probabilistic scan with given seed
-I string - only follow URLs matching ´string´
-X string - exclude URLs matching ´string´
-K string - do not fuzz parameters named ´string´
-D domain - crawl cross-site links to another domain
-B domain - trust, but do not crawl, another domain
-Z - do not descend into 5xx locations
-O - do not submit any forms
-P - do not parse HTML, etc, to find new links
Reporting options:
-o dir - write output to specified directory (required)
-M - log warnings about mixed content / non-SSL passwords
-E - log all caching intent mismatches
-U - log all external URLs and e-mails seen
-Q - completely suppress duplicate nodes in reports
-u - be quiet, disable realtime progress stats
Dictionary management options:
-W wordlist - use a specified read-write wordlist (required)
-S wordlist - load a supplemental read-only wordlist
-L - do not auto-learn new keywords for the site
-Y - do not fuzz extensions in directory brute-force
-R age - purge words hit more than ´age´ scans ago
-T name=val - add new form auto-fill rule
-G max_guess - maximum number of keyword guesses to keep (256)
Performance settings:
-l max_req - max requests per second (0..000000)
-g max_conn - max simultaneous TCP connections, global (40)
-m host_conn - max simultaneous connections, per target IP (10)
-f max_fail - max number of consecutive HTTP errors (100)
-t req_tmout - total request response timeout (20 s)
-w rw_tmout - individual network I/O timeout (10 s)
-i idle_tmout - timeout on idle HTTP connections (10 s)
-s s_limit - response size limit (200000 B)
-e - do not keep binary responses for reporting
Other settings:
-k duration - stop scanning after the given duration h:m:s
--config file - load specified configuration file
AUTHENTICATION AND ACCESS
Some sites require authentication, and skipfish supports this in different ways. First
there is basic HTTP authentication, for which you can use the -A flag. Second, and more
common, are sites that require authentication on a web application level. For these sites,
the best approach is to capture authenticated session cookies and provide them to skipfish
using the -C flag (multiple if needed). Last, you'll need to put some effort in protecting
the session from being destroyed by excluding logout links with -X and/or by rejecting new
cookies with -N.
-F/--host <ip:hostname>
Using this flag, you can set the ´Host:´ header value to define a custom mapping
between a host and an IP (bypassing the resolver). This feature is particularly
useful for not-yet-launched or legacy services that don't have the necessary DNS
entries.
-H/--header <header:value>
When it comes to customizing your HTTP requests, you can also use the -H option to
insert any additional, non-standard headers. This flag also allows the default
headers to be overwritten.
-C/--cookie <cookie:value>
This flag can be used to add a cookie to the skipfish HTTP requests; This is
particularly useful to perform authenticated scans by providing session cookies.
When doing so, keep in mind that cetain URLs (e.g. /logout) may destroy your
session; you can combat this in two ways: by using the -N option, which causes the
scanner to reject attempts to set or delete cookies; or by using the -X option to
exclude logout URLs.
-b/--user-agent <i|f|p>
This flag allows the user-agent to be specified where ´i´ stands for Internet
Explorer, ´f´ for Firefox and ´p´ for iPhone. Using this flag is recommended in
case the target site shows different behavior based on the user-agent (e.g some
sites use different templates for mobiles and desktop clients).
-N/--reject-cookies
This flag causes skipfish to ignore cookies that are being set by the site. This
helps to enforce stateless tests and also prevent that cookies set with ´-C´ are
not overwritten.
-A/--auth <username:password>
For sites requiring basic HTTP authentication, you can use this flag to specify
your credentials.
--auth-form <URL>
The login form to use with form authentication. By default skipfish will use the
form's action URL to submit the credentials. If this is missing than the login data
is send to the form URL. In case that is wrong, you can set the form handler URL
with --auth-form-target <URL> .
--auth-user <username>
The username to be used during form authentication. Skipfish will try to detect the
correct form field to use but if it fails to do so (and gives an error), then you
can specify the form field name with --auth-user-field.
--auth-pass <password>
The password to be used during form authentication. Similar to auth-user, the form
field name can (optionally) be set with --auth-pass-field.
--auth-verify-url <URL>
This URL allows skipfish to verify whether authentication was successful. This
requires a URL where anonymous and authenticated requests are answered with a
different response.
CRAWLING SCOPE
Some sites may be too big to scan in a reasonable timeframe. If the site features well-
defined tarpits - for example, 100,000 nearly identical user profiles as a part of a
social network - these specific locations can be excluded with -X or -S. In other cases,
you may need to resort to other settings: -d limits crawl depth to a specified number of
subdirectories; -c limits the number of children per directory; -x limits the total number
of descendants per crawl tree branch; and -r limits the total number of requests to send
in a scan.
-d/--max-crawl-depth <depth>
Limit the depth of subdirectories being crawled (see above).
-c/--max-crawl-child <childs>
Limit the amount of subdirectories per directory we crawl into (see above).
-x/--max-crawl-descendants <descendants>
Limit the total number of descendants per crawl tree branch (see above).
-r/--max-request-total <request>
The maximum number of requests can be limited with this flag.
-p/--crawl-probability <0-100>
By specifying a percentage between 1 and 100%, it is possible to tell the crawler
to follow fewer than 100% of all links, and try fewer than 100% of all dictionary
entries. This - naturally - limits the completeness of a scan, but unlike most
other settings, it does so in a balanced, non-deterministic manner. It is extremely
useful when you are setting up time-bound, but periodic assessments of your
infrastructure.
-q/--seed <seed>
This flag sets the initial random seed for the crawler to a specified value. This
can be used to exactly reproduce a previous scan to compare results. Randomness is
relied upon most heavily in the -p mode, but also influences a couple of other scan
management decisions.
-I/--include-string <domain/path>
With this flag, you can tell skipfish to only crawl and test URLs that match a
certain string. This can help to narrow down the scope of a scan by only
whitelisting certain sections of a web site (e.g. -I /shop).
-X/--exclude-string <domain/path>
The -X option can be used to exclude files / directories from the scan. This is
useful to avoid session termination (i.e. by excluding /logout) or just for
speeding up your scans by excluding static content directories like /icons/, /doc/,
/manuals/, and other standard, mundane locations along these lines.
-K/--skip-parameter <parameter name>
This flag allows you to specify parameter names not to fuzz. (useful for
applications that put session IDs in the URL, to minimize noise).
-D/--include-domain <domain>
Allows you to specify additional hosts or domains to be in-scope for the test. By
default, all hosts appearing in the command-line URLs are added to the list - but
you can use -D to broaden these rules. The result of this will be that the crawler
will follow links and tests links that point to these additional hosts.
-B/--trust-domain <domain>
In some cases, you do not want to actually crawl a third-party domain, but you
trust the owner of that domain enough not to worry about cross-domain content
inclusion from that location. To suppress warnings, you can use the -B option
-Z/--skip-error-pages
Do not crawl into pages / directories that give an error 5XX.
-O/--no-form-submits
Using this flag will cause forms to be ignored during the scan.
-P/--no-html-parsing
This flag will disable link extracting and effectively disables crawling. Using -P
is useful when you want to test one specific URL or when you want to feed skipfish
a list of URLs that were collected with an external crawler.
TESTING SCOPE
--checks
EXPERIMENTAL: Displays the crawler injection tests. The output shows the index
number (useful for --checks-toggle), the check name and whether the check is
enabled.
--checks-toggle <check1,check2,..>
EXPERIMENTAL: Every injection test can be enabled/disabled with using this flag. As
value, you need to provide the check numbers which can be obtained with the
--checks flag. Multiple checks can be toggled via a comma separated value (i.e.
--checks-toggle 1,2 )
--no-injection-tests
EXPERIMENTAL: Disables all injection tests for this scan and limits the scan to
crawling and, optionally, bruteforcing. As with all scans, the output directory
will contain a pivots.txt file. This file can be used to feed future scans.
REPORTING OPTIONS
-o/--output <dir>
The report wil be written to this location. The directory is one of the two
mandatory options and must not exist upon starting the scan.
-M/--log-mixed-content
Enable the logging of mixed content. This is highly recommended when scanning SSL-
only sites to detect insecure content inclusion via non-SSL protected links.
-E/--log-cache-mismatches
This will cause additonal content caching error to be reported.
-U/--log-external-urls
Log all external URLs and email addresses that were seen during the scan.
-Q/--log-unique-nodes
Enable this to completely suppress duplicate nodes in reports.
-u/--quiet
This will cause skipfish to suppress all console output during the scan.
-v/--verbose
EXPERIMENTAL: Use this flag to enable runtime reporting of, for example, problems
that are detected. Can be used multiple times to increase verbosity and should be
used in combination with -u unless you run skipfish with stderr redirected to a
file.
DICTIONARY MANAGEMENT
Make sure you've read the instructions provided in doc/dictionaries.txt to select the
right dictionary file and configure it correctly. This step has a profound impact on the
quality of scan results later on.
-S/--wordlist <file>
Load the specified (read-only) wordlist for use during the scan. This flag is
optional but use of a dictionary is highly recommended when performing a blackbox
scan as it will highlight hidden files and directories.
-W/--rw-wordlist <file>
Specify an initially empty file for any newly learned site-specific keywords (which
will come handy in future assessments). You can use -W- or -W /dev/null if you
don't want to store auto-learned keywords anywhere. Typically you will want to use
one of the packaged dictonaries (i.e. complete.wl) and possibly add a custom
dictionary.
-L/--no-keyword-learning
During the scan, skipfish will try to learn and use new keywords. This flag
disables that behavior and should be used when any form of brute-forcing is not
desired.
-Y/--no-extension-brute
This flag will disable extension guessing during directory bruteforcing.
-R <age>
Use of this flag allows old words to be purged from wordlists. It is intended to
help keeping dictionaries clean when used in recurring scans.
-T/--form-value <name=value>
Skipfish also features a form auto-completion mechanism in order to maximize scan
coverage. The values should be non-malicious, as they are not meant to implement
security checks - but rather, to get past input validation logic. You can define
additional rules, or override existing ones, with the -T option (-T
form_field_name=field_value, e.g. -T login=test123 -T password=test321 - although
note that -C and -A are a much better method of logging in).
-G <max guesses>
During the scan, a temporary buffer of newly detected keywords is maintained. The
size of this buffer can be changed with this flag and doing so influences
bruteforcing.
PERFORMANCE OPTIONS
The default performance setting should be fine for most servers but when the report
indicates there were connection problems, you might want to tweak some of the values here.
For unstable servers, the scan coverage is likely to improve when using low values for
rate and connection flags.
-l/--max-request-rate <rate>
This flag can be used to limit the amount of requests per second. This is very
useful when the target server can't keep up with the high amount of requests that
are generated by skipfish. Keeping the amount requests per second low can also help
preventing some rate-based DoS protection mechanisms from kicking in and ruining
the scan.
-g/--max-connections <number>
The max simultaneous TCP connections (global) can be set with this flag.
-m/--max-host-connections <number>
The max simultaneous TCP connections, per target IP, can be set with this flag.
-f/--max-failed-requests <number>
Controls the maximum number of consecutive HTTP errors you are willing to see
before aborting the scan. For large scans, you probably want to set a higher value
here.
-t/--request-timeout <timeout>
Set the total request timeout, to account for really slow or really fast sites.
-w/--network-timeout <timeout>
Set the network I/O timeout.
-i/--idle-timeout <timeout>
Specify the timeout for idle HTTP connections.
-s/--response-size <size>
Sets the maximum length of a response to fetch and parse (longer responses will be
truncated).
-e/--discard-binary
This prevents binary documents from being kept in memory for reporting purposes,
and frees up a lot of RAM.
--flush-to-disk
This causes request / response data to be flushed to disk instead of being kept in
memory. As a result, the memory usage for large scans will be significant lower.
EXAMPLES
Scan type: config
skipfish --config config/example.conf http://example.com
Scan type: quick
skipfish -o output/dir/ http://example.com
Scan type: extensive bruteforce
skipfish [...other options..] -S dictionaries/complete.wl http://example.com
Scan type: without bruteforcing
skipfish [...other options..] -LY http://example.com
Scan type: authenticated (basic)
skipfish [...other options..] -A username:password http://example.com
Scan type: authenticated (cookie)
skipfish [...other options..] -C jsession=myauthcookiehere -X /logout http://example.com
Scan type: flaky server
skipfish [...other options..] -l 5 -g 2 -t 30 -i 15 http://example.com
NOTES
The default values for all flags can be viewed by running ´./skipfish -h´ .
AUTHOR
skipfish was written by Michal Zalewski <lcamtuf@google.com>, with contributions from
Niels Heinen <heinenn@google.com>, Sebastian Roschke <s.roschke@googlemail.com>, and other
parties.
This manual page was written with the help of Thorsten Schifferdecker
<tsd@debian.systs.org>.
May 6, 2012 SKIPFISH(1)