How to Install Skipfish - Security

Security is by far the most important aspect that any webmaster should consider for long term website success. A lot of open source and commercial tools are available to scan your website for vulnerabilities. If you are looking for an efficient, powerful, fast and free tool, then you might need to give “Skipfish” a try.

TABLE OF CONTENTS:

By: Codex-M

Poor Best

Rating:

/ 4

March 23, 2011

print this article

SEARCH DEV SHED

TOOLS YOU CAN USE

Downloading and Installing Skipfish

The first thing that you should do is download the latest version of Skipfish here: http://code.google.com/p/skipfish/downloads/list

As of the time this tutorial has been written, the latest version is Skipfish-1.84b. Click “skipfish-1.84b” and then copy the SHA1 checksum to a text file, you will need this later. Click the link to proceed with the download.

It will be downloaded normally to your Ubuntu downloads folder. Cut and paste the downloaded package (skipfish-1.84b.tgz) to your Ubuntu Desktop.

Launch terminal then go to your Desktop:

codex-m@codex-m-desktop:~$ cd Desktop

Then confirm the SHA1 checksum of the download package as follows (italicized):

codex-m@codex-m-desktop:~/Desktop$ sha1sum skipfish-1.84b.tgz
c5f3994029419f2915091cfe825414ad3f608432 skipfish-1.84b.tgz

Compare the resulting SHA1 checksum with the SHA1 checksum provided on the download page which you copied earlier. It should match.

To install Skipfish follow the detailed steps below:

1.) Right click on the skipfish-1.84b.tgz at the Desktop then click “Extract here”. This will extract the package to the Desktop.

2.) Then at the Linux terminal (assuming you are in the Desktop directory):

Go inside the extracted Skipfish directory:

codex-m@codex-m-desktop:~/Desktop$ cd skipfish-1.84b
codex-m@codex-m-desktop:~/Desktop/skipfish-1.84b$

3.) Compile by running the make command:

codex-m@codex-m-desktop:~/Desktop/skipfish-1.84b$ make

If there are no problems during the compilation, you should see the output below:

cc -L/usr/local/lib/ -L/opt/local/lib skipfish.c -o skipfish -O3 -Wno-format -Wall -funsigned-char -g -ggdb -I/usr/local/include/ -I/opt/local/include/ -DVERSION="1.84b" \
http_client.c database.c crawler.c analysis.c report.c -lcrypto -lssl -lidn -lz
See dictionaries/README-FIRST to pick a dictionary for the tool.
Having problems with your scans? Be sure to visit:
http://code.google.com/p/skipfish/wiki/KnownIssues

4.) Copy and configure Skipfish dictionaries

Skipfish dictionary allows you to let the application scan for vulnerabilities in different possible targeted destinations. According to Skipfish developer, this is critical in getting good results out of the scan.

It is highly recommended to read the “README-FIRST” file inside the dictionaries folder to determine what type of dictionary is appropriate for your implementation. As a start if your website application is small, you can use the complete.wl dictionary.

To implement this, copy complete.wl to skipfish.wl. Details:

a.) Launch terminal
b.) In the command prompt, enter: cp dictionaries/complete.wl skipfish.wl
codex-m@codex-m-desktop:~/Desktop/skipfish-1.84b$ cp dictionaries/complete.wl skipfish.wl

5.) Create an output folder inside Skipfish directory:

You need to create an output folder where Skipfish place the output results of the scan. Launch terminal and go inside the Skipfish directory, then create a folder named as outputresults :