Security is by far the most important aspect that any webmaster should consider for long term website success. A lot of open source and commercial tools are available to scan your website for vulnerabilities. If you are looking for an efficient, powerful, fast and free tool, then you might need to give “Skipfish” a try.
As of the time this tutorial has been written, the latest version is Skipfish-1.84b. Click “skipfish-1.84b” and then copy the SHA1 checksum to a text file, you will need this later. Click the link to proceed with the download.
It will be downloaded normally to your Ubuntu downloads folder. Cut and paste the downloaded package (skipfish-1.84b.tgz) to your Ubuntu Desktop.
If there are no problems during the compilation, you should see the output below:
cc -L/usr/local/lib/ -L/opt/local/lib skipfish.c -o skipfish -O3 -Wno-format -Wall -funsigned-char -g -ggdb -I/usr/local/include/ -I/opt/local/include/ -DVERSION="1.84b" \ http_client.c database.c crawler.c analysis.c report.c -lcrypto -lssl -lidn -lz See dictionaries/README-FIRST to pick a dictionary for the tool. Having problems with your scans? Be sure to visit: http://code.google.com/p/skipfish/wiki/KnownIssues
4.) Copy and configure Skipfish dictionaries
Skipfish dictionary allows you to let the application scan for vulnerabilities in different possible targeted destinations. According to Skipfish developer, this is critical in getting good results out of the scan.
It is highly recommended to read the “README-FIRST” file inside the dictionaries folder to determine what type of dictionary is appropriate for your implementation. As a start if your website application is small, you can use the complete.wl dictionary.
To implement this, copy complete.wl to skipfish.wl. Details:
a.) Launch terminal b.) In the command prompt, enter: cp dictionaries/complete.wl skipfish.wl