Provided by: skipfish_2.10b-1_amd64 bug

NAME

       skipfish - web application security scanner

SYNOPSIS

       skipfish [options] -o output-directory [ start-url | @url-file [ start-url2 ... ]]

DESCRIPTION

       skipfish  is  an  active  web  application  security  reconnaissance tool.  It prepares an
       interactive sitemap  for  the  targeted  site  by  carrying  out  a  recursive  crawl  and
       dictionary-based  probes.   The  resulting  map  is  then annotated with the output from a
       number of active  (but  hopefully  non-disruptive)  security  checks.   The  final  report
       generated  by  the tool is meant to serve as a foundation for professional web application
       security assessments.

OPTIONS SUMMARY

           Authentication and access options:
             -A user:pass   - use specified HTTP authentication credentials
             -F host=IP     - pretend that ´host´ resolves to ´IP´
             -C name=val    - append a custom cookie to all requests
             -H name=val    - append a custom HTTP header to all requests
             -b (i|f|p)     - use headers consistent with MSIE / Firefox / iPhone
             -N             - do not accept any new cookies

           Crawl scope options:
             -d max_depth   - maximum crawl tree depth (16)
             -c max_child   - maximum children to index per node (512)
             -x max_desc    - maximum descendants to index per branch (8192)
             -r r_limit     - max total number of requests to send (100000000)
             -p crawl%      - node and link crawl probability (100%)
             -q hex         - repeat probabilistic scan with given seed
             -I string      - only follow URLs matching ´string´
             -X string      - exclude URLs matching ´string´
             -K string      - do not fuzz parameters named ´string´
             -D domain      - crawl cross-site links to another domain
             -B domain      - trust, but do not crawl, another domain
             -Z             - do not descend into 5xx locations
             -O             - do not submit any forms
             -P             - do not parse HTML, etc, to find new links

           Reporting options:
             -o dir         - write output to specified directory (required)
             -M             - log warnings about mixed content / non-SSL passwords
             -E             - log all caching intent mismatches
             -U             - log all external URLs and e-mails seen
             -Q             - completely suppress duplicate nodes in reports
             -u             - be quiet, disable realtime progress stats

           Dictionary management options:
             -W wordlist    - use a specified read-write wordlist (required)
             -S wordlist    - load a supplemental read-only wordlist
             -L             - do not auto-learn new keywords for the site
             -Y             - do not fuzz extensions in directory brute-force
             -R age         - purge words hit more than ´age´ scans ago
             -T name=val    - add new form auto-fill rule
             -G max_guess   - maximum number of keyword guesses to keep (256)

           Performance settings:
             -l max_req     - max requests per second (0..000000)
             -g max_conn    - max simultaneous TCP connections, global (40)
             -m host_conn   - max simultaneous connections, per target IP (10)
             -f max_fail    - max number of consecutive HTTP errors (100)
             -t req_tmout   - total request response timeout (20 s)
             -w rw_tmout    - individual network I/O timeout (10 s)
             -i idle_tmout  - timeout on idle HTTP connections (10 s)
             -s s_limit     - response size limit (200000 B)
             -e             - do not keep binary responses for reporting

           Other settings:
             -k duration    - stop scanning after the given duration h:m:s
             --config file  - load specified configuration file

AUTHENTICATION AND ACCESS

       Some sites require authentication, and skipfish supports this  in  different  ways.  First
       there  is  basic  HTTP authentication, for which you can use the -A flag. Second, and more
       common, are sites that require authentication on a web application level. For these sites,
       the best approach is to capture authenticated session cookies and provide them to skipfish
       using the -C flag (multiple if needed). Last, you'll need to put some effort in protecting
       the session from being destroyed by excluding logout links with -X and/or by rejecting new
       cookies with -N.

       -F/--host <ip:hostname>
              Using this flag, you can set the ´Host:´ header value to define  a  custom  mapping
              between  a  host  and  an IP (bypassing the resolver). This feature is particularly
              useful for not-yet-launched or legacy services that don't have  the  necessary  DNS
              entries.

       -H/--header <header:value>
              When  it comes to customizing your HTTP requests, you can also use the -H option to
              insert any additional, non-standard headers. This  flag  also  allows  the  default
              headers to be overwritten.

       -C/--cookie <cookie:value>
              This  flag  can  be  used  to  add  a cookie to the skipfish HTTP requests; This is
              particularly useful to perform authenticated scans by  providing  session  cookies.
              When  doing  so,  keep  in  mind  that  cetain URLs (e.g. /logout) may destroy your
              session; you can combat this in two ways: by using the -N option, which causes  the
              scanner  to  reject attempts to set or delete cookies; or by using the -X option to
              exclude logout URLs.

       -b/--user-agent <i|f|p>
              This flag allows the user-agent to be  specified  where  ´i´  stands  for  Internet
              Explorer,  ´f´  for  Firefox  and ´p´ for iPhone. Using this flag is recommended in
              case the target site shows different behavior based on  the  user-agent  (e.g  some
              sites use different templates for mobiles and desktop clients).

       -N/--reject-cookies
              This  flag  causes  skipfish to ignore cookies that are being set by the site. This
              helps to enforce stateless tests and also prevent that cookies set  with  ´-C´  are
              not overwritten.

       -A/--auth <username:password>
              For  sites  requiring  basic  HTTP authentication, you can use this flag to specify
              your credentials.

       --auth-form <URL>
              The login form to use with form authentication. By default skipfish  will  use  the
              form's action URL to submit the credentials. If this is missing than the login data
              is send to the form URL. In case that is wrong, you can set the  form  handler  URL
              with --auth-form-target <URL> .

       --auth-user <username>
              The username to be used during form authentication. Skipfish will try to detect the
              correct form field to use but if it fails to do so (and gives an error),  then  you
              can specify the form field name with --auth-user-field.

       --auth-pass <password>
              The  password to be used during form authentication. Similar to auth-user, the form
              field name can (optionally) be set with --auth-pass-field.

       --auth-verify-url <URL>
              This URL allows skipfish to verify  whether  authentication  was  successful.  This
              requires  a  URL  where  anonymous  and  authenticated requests are answered with a
              different response.

CRAWLING SCOPE

       Some sites may be too big to scan in a reasonable timeframe. If the  site  features  well-
       defined  tarpits  -  for  example,  100,000  nearly identical user profiles as a part of a
       social network - these specific locations can be excluded with -X or -S. In  other  cases,
       you  may  need to resort to other settings: -d limits crawl depth to a specified number of
       subdirectories; -c limits the number of children per directory; -x limits the total number
       of  descendants  per crawl tree branch; and -r limits the total number of requests to send
       in a scan.

       -d/--max-crawl-depth <depth>
              Limit the depth of subdirectories being crawled (see above).

       -c/--max-crawl-child <childs>
              Limit the amount of subdirectories per directory we crawl into (see above).

       -x/--max-crawl-descendants <descendants>
              Limit the total number of descendants per crawl tree branch (see above).

       -r/--max-request-total <request>
              The maximum number of requests can be limited with this flag.

       -p/--crawl-probability <0-100>
              By specifying a percentage between 1 and 100%, it is possible to tell  the  crawler
              to  follow  fewer than 100% of all links, and try fewer than 100% of all dictionary
              entries. This - naturally - limits the completeness of  a  scan,  but  unlike  most
              other settings, it does so in a balanced, non-deterministic manner. It is extremely
              useful when you are  setting  up  time-bound,  but  periodic  assessments  of  your
              infrastructure.

       -q/--seed <seed>
              This  flag  sets the initial random seed for the crawler to a specified value. This
              can be used to exactly reproduce a previous scan to compare results.  Randomness is
              relied upon most heavily in the -p mode, but also influences a couple of other scan
              management decisions.

       -I/--include-string <domain/path>
              With this flag, you can tell skipfish to only crawl and  test  URLs  that  match  a
              certain  string.  This  can  help  to  narrow  down  the  scope  of  a scan by only
              whitelisting certain sections of a web site (e.g. -I /shop).

       -X/--exclude-string <domain/path>
              The -X option can be used to exclude files / directories from  the  scan.  This  is
              useful  to  avoid  session  termination  (i.e.  by  excluding  /logout) or just for
              speeding up your scans by excluding static content directories like /icons/, /doc/,
              /manuals/, and other standard, mundane locations along these lines.

       -K/--skip-parameter <parameter name>
              This  flag  allows  you  to  specify  parameter  names  not  to  fuzz.  (useful for
              applications that put session IDs in the URL, to minimize noise).

       -D/--include-domain <domain>
              Allows you to specify additional hosts or domains to be in-scope for the  test.  By
              default,  all  hosts appearing in the command-line URLs are added to the list - but
              you can use -D to broaden these rules. The result of this will be that the  crawler
              will follow links and tests links that point to these additional hosts.

       -B/--trust-domain <domain>
              In  some  cases,  you  do  not want to actually crawl a third-party domain, but you
              trust the owner of that domain enough  not  to  worry  about  cross-domain  content
              inclusion from that location. To suppress warnings, you can use the -B option

       -Z/--skip-error-pages
              Do not crawl into pages / directories that give an error 5XX.

       -O/--no-form-submits
              Using this flag will cause forms to be ignored during the scan.

       -P/--no-html-parsing
              This  flag will disable link extracting and effectively disables crawling. Using -P
              is useful when you want to test one specific URL or when you want to feed  skipfish
              a list of URLs that were collected with an external crawler.

TESTING SCOPE

       --checks
              EXPERIMENTAL:  Displays  the  crawler  injection  tests. The output shows the index
              number (useful for --checks-toggle), the  check  name  and  whether  the  check  is
              enabled.

       --checks-toggle <check1,check2,..>
              EXPERIMENTAL: Every injection test can be enabled/disabled with using this flag. As
              value, you need to provide the  check  numbers  which  can  be  obtained  with  the
              --checks  flag.  Multiple  checks  can be toggled via a comma separated value (i.e.
              --checks-toggle 1,2 )

       --no-injection-tests
              EXPERIMENTAL: Disables all injection tests for this scan and  limits  the  scan  to
              crawling  and,  optionally,  bruteforcing.  As with all scans, the output directory
              will contain a pivots.txt file. This file can be used to feed future scans.

REPORTING OPTIONS

       -o/--output <dir>
              The report wil be written to this  location.  The  directory  is  one  of  the  two
              mandatory options and must not exist upon starting the scan.

       -M/--log-mixed-content
              Enable  the logging of mixed content. This is highly recommended when scanning SSL-
              only sites to detect insecure content inclusion via non-SSL protected links.

       -E/--log-cache-mismatches
              This will cause additonal content caching error to be reported.

       -U/--log-external-urls
              Log all external URLs and email addresses that were seen during the scan.

       -Q/--log-unique-nodes
              Enable this to completely suppress duplicate nodes in reports.

       -u/--quiet
              This will cause skipfish to suppress all console output during the scan.

       -v/--verbose
              EXPERIMENTAL: Use this flag to enable runtime reporting of, for  example,  problems
              that  are  detected. Can be used multiple times to increase verbosity and should be
              used in combination with -u unless you run skipfish with  stderr  redirected  to  a
              file.

DICTIONARY MANAGEMENT

       Make  sure  you've  read  the  instructions provided in doc/dictionaries.txt to select the
       right dictionary file and configure it correctly. This step has a profound impact  on  the
       quality of scan results later on.

       -S/--wordlist <file>
              Load  the  specified  (read-only)  wordlist  for  use during the scan. This flag is
              optional but use of a dictionary is highly recommended when performing  a  blackbox
              scan as it will highlight hidden files and directories.

       -W/--rw-wordlist <file>
              Specify an initially empty file for any newly learned site-specific keywords (which
              will come handy in future assessments). You can use -W-  or  -W  /dev/null  if  you
              don't  want to store auto-learned keywords anywhere. Typically you will want to use
              one of the packaged dictonaries  (i.e.  complete.wl)  and  possibly  add  a  custom
              dictionary.

       -L/--no-keyword-learning
              During  the  scan,  skipfish  will  try  to  learn  and use new keywords. This flag
              disables that behavior and should be used when any form  of  brute-forcing  is  not
              desired.

       -Y/--no-extension-brute
              This flag will disable extension guessing during directory bruteforcing.

       -R <age>
              Use  of  this  flag allows old words to be purged from wordlists. It is intended to
              help keeping dictionaries clean when used in recurring scans.

       -T/--form-value <name=value>
              Skipfish also features a form auto-completion mechanism in order to  maximize  scan
              coverage.  The  values  should be non-malicious, as they are not meant to implement
              security checks - but rather, to get past input validation logic.  You  can  define
              additional   rules,   or   override   existing   ones,   with  the  -T  option  (-T
              form_field_name=field_value, e.g. -T login=test123 -T password=test321  -  although
              note that -C and -A are a much better method of logging in).

       -G <max guesses>
              During  the  scan, a temporary buffer of newly detected keywords is maintained. The
              size of this buffer  can  be  changed  with  this  flag  and  doing  so  influences
              bruteforcing.

PERFORMANCE OPTIONS

       The  default  performance  setting  should  be  fine  for most servers but when the report
       indicates there were connection problems, you might want to tweak some of the values here.
       For  unstable  servers,  the  scan coverage is likely to improve when using low values for
       rate and connection flags.

       -l/--max-request-rate <rate>
              This flag can be used to limit the amount of requests  per  second.  This  is  very
              useful  when  the target server can't keep up with the high amount of requests that
              are generated by skipfish. Keeping the amount requests per second low can also help
              preventing  some  rate-based  DoS protection mechanisms from kicking in and ruining
              the scan.

       -g/--max-connections <number>
              The max simultaneous TCP connections (global) can be set with this flag.

       -m/--max-host-connections <number>
              The max simultaneous TCP connections, per target IP,  can be set with this flag.

       -f/--max-failed-requests <number>
              Controls the maximum number of consecutive HTTP  errors  you  are  willing  to  see
              before  aborting the scan. For large scans, you probably want to set a higher value
              here.

       -t/--request-timeout <timeout>
              Set the total request timeout, to account for really slow or really fast sites.

       -w/--network-timeout <timeout>
              Set the network I/O timeout.

       -i/--idle-timeout <timeout>
              Specify the timeout for idle HTTP connections.

       -s/--response-size <size>
              Sets the maximum length of a response to fetch and parse (longer responses will  be
              truncated).

       -e/--discard-binary
              This  prevents  binary  documents from being kept in memory for reporting purposes,
              and frees up a lot of RAM.

       --flush-to-disk
              This causes request / response data to be flushed to disk instead of being kept  in
              memory. As a result, the memory usage for large scans will be significant lower.

EXAMPLES

       Scan type: config
       skipfish --config config/example.conf http://example.com

       Scan type: quick
       skipfish -o output/dir/ http://example.com

       Scan type: extensive bruteforce
       skipfish [...other options..] -S dictionaries/complete.wl http://example.com

       Scan type: without bruteforcing
       skipfish [...other options..] -LY http://example.com

       Scan type: authenticated (basic)
       skipfish [...other options..] -A username:password http://example.com

       Scan type: authenticated (cookie)
       skipfish [...other options..] -C jsession=myauthcookiehere -X /logout http://example.com

       Scan type: flaky server
       skipfish [...other options..] -l 5 -g 2 -t 30 -i 15 http://example.com

NOTES

       The default values for all flags can be viewed by running ´./skipfish -h´ .

AUTHOR

       skipfish  was  written  by  Michal  Zalewski <lcamtuf@google.com>, with contributions from
       Niels Heinen <heinenn@google.com>, Sebastian Roschke <s.roschke@googlemail.com>, and other
       parties.

       This    manual   page   was   written   with   the   help   of   Thorsten   Schifferdecker
       <tsd@debian.systs.org>.

                                           May 6, 2012                                SKIPFISH(1)