Home arrow Security arrow Page 3 - Skipfish Website Vulnerability Scanner

Run a Skipfish Scan on XAMPP - Security

Security is by far the most important aspect that any webmaster should consider for long term website success. A lot of open source and commercial tools are available to scan your website for vulnerabilities. If you are looking for an efficient, powerful, fast and free tool, then you might need to give “Skipfish” a try.

TABLE OF CONTENTS:
  1. Skipfish Website Vulnerability Scanner
  2. How to Install Skipfish
  3. Run a Skipfish Scan on XAMPP
By: Codex-M
Rating: starstarstarstarstar / 4
March 23, 2011

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement

Let's start to use Skipfish to scan a specific website/server for vulnerabilities. For the purpose of illustrating an easy example, lets use the XAMPP localhost to scan for vulnerabilities (although you can scan any website URL even those that are found in the Internet).

Assuming you have started XAMPP, MySQL and the local XAMPP Apache server, you can run Skipfish using the steps below:

1.) Launch Terminal
2.) Go inside Skipfish directory in your Ubuntu Desktop:

codex-m@codex-m-desktop:~$ cd Desktop/skipfish-1.84b
codex-m@codex-m-desktop:~/Desktop/skipfish-1.84b$

3.) To scan your localhost URL: http://localhost/ and then put the output results inside the outputresults folder, the command will be: ./skipfish -o outputresults http://localhost/

In Terminal (take note of the dot before forward slash):

codex-m@codex-m-desktop:~/Desktop/skipfish-1.84b$ ./skipfish -o outputresults http://localhost/

4.) After executing this command by pressing the enter key, you will then see below:

5.) To proceed, press any key then Skipfish will start the scan with the ongoing results such as shown below:

Terminating the Scan and Viewing the Scan Results

The good thing about Skipfish is that you can terminate the scan anytime (even the scan is not yet complete) and access the partial results. To terminate the scan and view the results, follow the steps below:

1.) While the scan is ongoing (shown in the previous screenshot), press Control – C. This will terminate the scan.

2.) To view the results, you can only the view the results using Firefox web browser by default. To do this, go to outputresults directory where the scan results are dumped:

codex-m@codex-m-desktop:~/Desktop/skipfish-1.84b$ cd outputresults
codex-m@codex-m-desktop:~/Desktop/skipfish-1.84b/outputresults$

3.) Once you are inside the outputresults directory, execute the Firefox command to launch the results in the browser. The actual command is: firefox index.html

In terminal:

codex-m@codex-m-desktop:~/Desktop/skipfish-1.84b/outputresults$ firefox index.html

4.) You should then see the output results such as shown below:

5.) You should then be able to interpret the results easily. Most of the scan results are pretty self-explanatory. It is recommended to pay attention first to high risk vulnerabilities detected by the scan. You can expand those results to read more details.

What to do next? Well you need to educate yourself at understanding and correcting these vulnerabilities, for example if Skipfish is reporting some MySQL injection vulnerabilities in your website you might need to read and learn more about  SQL injection. You can use Google to read more details about that vulnerability. A few examples of preventing MySQL injection vulnerability includes implementing strict user input validation in your web application, implementing appropriate user privileges and using mysql_real_escape_string() PHP function.

Related and Important Resources of Skipfish

Below are some useful resources pertaining to the use of Skipfish and interpretation of results/vulnerabilities:

1.) Skipfish detailed documentation (includes both basic and advanced usage): http://code.google.com/p/skipfish/wiki/SkipfishDoc

2.) Common problems with Skipfish and how to fix them: http://code.google.com/p/skipfish/wiki/KnownIssues

3.) Understanding the functionality and features included in Skipfish: http://lcamtuf.blogspot.com/2010/11/understanding-and-using-skipfish.html

4.) Browser security handbook: http://code.google.com/p/browsersec/wiki/Main

5.) The Open web application security project: http://www.owasp.org/index.php/Category:OWASP_Guide_Project

6.) Web Application Security Consortium: -http://www.webappsec.org/projects/articles/

7) Application Security Principle: http://www.owasp.org/index.php/Category:Principle



 
 
>>> More Security Articles          >>> More By Codex-M
 

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort
   

SECURITY ARTICLES

- Secure Your Business for Data Privacy Day
- Google Testing Security Fob Password Alterna...
- Security News Highlights Concerns
- Going to Extremes for Data Security
- Skipfish Website Vulnerability Scanner
- Critical Microsoft Visual Studio Security Pa...
- US Faces Tech Security Expert Deficit
- LAN Reconnaissance
- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- What’s behind the curtain? Part II

Developer Shed Affiliates

 


Dev Shed Tutorial Topics: