Skipfish Website Vulnerability Scanner

Security is by far the most important aspect that any webmaster should consider for long term website success. A lot of open source and commercial tools are available to scan your website for vulnerabilities. If you are looking for an efficient, powerful, fast and free tool, then you might need to give “Skipfish” a try.

Skipfish is a web application security scanner contributed, developed and maintained by the Google security engineering team headed by Michael Zalewski, a Google Inc. employee.

This tutorial is written primarily for beginners who are looking to expand their knowledge of website security, vulnerability detection and prevention using Skipfish.

System Requirements and Required Library Installation

This tutorial teaches you how to install and run Skipfish inside an Ubuntu local environment. With this, it is possible to scan both localhost and remote web server URL.

The methods and commands in this tutorial are tested using Ubuntu 10.04 LTS otherwise known as “Lucid Lynx”. Skipfish requires you to install some important libraries in advance before you can actually proceed to install Skipfish. This will ensure that you will not encounter serious installation issues. To do this, follow the steps below:

1.) Go to Administration ==> Update Manager and make sure you see the “Your System is up-to-date” message or else you need to update until all required and important updates of your system are installed.

2.) Install libidn11-dev package, go to Applications ==> Accessories ==> Terminal:

Login as root:

codex-m@codex-m-desktop:~$ sudo -s -H
root@codex-m-desktop:/home/codex-m# sudo apt-get install libidn11-dev

3.) Install libssl-dev and zlib1g-dev package:

root@codex-m-desktop:/home/codex-m# sudo apt-get install libssl-dev zlib1g-dev

4.) Go to System ==> Synaptic package manager, confirm that the following packages has been successfully installed:

a.) libidn11-dev
b.) libssl-dev
c.) zlib1g-dev

There are other packages or libraries required by Skipfish to work which should already be installed on Ubuntu by default (provided your Ubuntu version and system is up-to-date):

a.) libidn11
b.) gcc
c.) make
d.) libc6
e.) libc6-dev

In Synaptic package manager, you will know that the packages has been successfully installed if you see the green mark beside the package, see screenshot below:

{mospagebreak title=How to Install Skipfish}

Downloading and Installing Skipfish

The first thing that you should do is download the latest version of Skipfish here:

As of the time this tutorial has been written, the latest version is Skipfish-1.84b. Click “skipfish-1.84b” and then copy the SHA1 checksum to a text file, you will need this later. Click the link to proceed with the download.

It will be downloaded normally to your Ubuntu downloads folder. Cut and paste the downloaded package (skipfish-1.84b.tgz) to your Ubuntu Desktop.

Launch terminal then go to your Desktop:

codex-m@codex-m-desktop:~$ cd Desktop

Then confirm the SHA1 checksum of the download package as follows (italicized):

codex-m@codex-m-desktop:~/Desktop$ sha1sum skipfish-1.84b.tgz

c5f3994029419f2915091cfe825414ad3f608432  skipfish-1.84b.tgz

Compare the resulting SHA1 checksum with the SHA1 checksum provided on the download page which you copied earlier. It should match.

To install Skipfish follow the detailed steps below:

1.) Right click on the skipfish-1.84b.tgz at the Desktop then click “Extract here”. This will extract the package to the Desktop.

2.) Then at the Linux terminal (assuming you are in the Desktop directory):

Go inside the extracted Skipfish directory:

codex-m@codex-m-desktop:~/Desktop$ cd skipfish-1.84b

3.) Compile by running the make command:

codex-m@codex-m-desktop:~/Desktop/skipfish-1.84b$ make

If there are no problems during the compilation, you should see the output below:

cc -L/usr/local/lib/ -L/opt/local/lib skipfish.c -o skipfish -O3 -Wno-format -Wall -funsigned-char -g -ggdb -I/usr/local/include/ -I/opt/local/include/  -DVERSION="1.84b"
http_client.c database.c crawler.c analysis.c report.c -lcrypto -lssl -lidn -lz
See dictionaries/README-FIRST to pick a dictionary for the tool.
Having problems with your scans? Be sure to visit:

4.) Copy and configure Skipfish dictionaries

Skipfish dictionary allows you to let the application scan for vulnerabilities in different  possible targeted destinations. According to Skipfish developer, this is critical in getting good results out of the scan.

It is highly recommended to read the “README-FIRST” file inside the dictionaries folder to determine what type of dictionary is appropriate for your implementation. As a start if your website application is small, you can use the complete.wl dictionary.

To implement this, copy complete.wl to skipfish.wl. Details:

a.) Launch terminal
b.) In the command prompt, enter: cp dictionaries/complete.wl skipfish.wl

codex-m@codex-m-desktop:~/Desktop/skipfish-1.84b$ cp dictionaries/complete.wl skipfish.wl

5.) Create an output folder inside Skipfish directory:

You need to create an output folder where Skipfish place the output results of the scan. Launch terminal and go inside the Skipfish directory, then create a folder named as outputresults :

codex-m@codex-m-desktop:~/Desktop/skipfish-1.84b$ mkdir outputresults

After completing the configuration on Skipfish dictionary and creation of output results folder, you are now ready to use Skipfish.

{mospagebreak title=Run a Skipfish Scan on XAMPP}

Let’s start to use Skipfish to scan a specific website/server for vulnerabilities. For the purpose of illustrating an easy example, lets use the XAMPP localhost to scan for vulnerabilities (although you can scan any website URL even those that are found in the Internet).

Assuming you have started XAMPP, MySQL and the local XAMPP Apache server, you can run Skipfish using the steps below:

1.) Launch Terminal
2.) Go inside Skipfish directory in your Ubuntu Desktop:

codex-m@codex-m-desktop:~$ cd Desktop/skipfish-1.84b

3.) To scan your localhost URL: http://localhost/ and then put the output results inside the outputresults folder, the command will be: ./skipfish -o outputresults http://localhost/

In Terminal (take note of the dot before forward slash):

codex-m@codex-m-desktop:~/Desktop/skipfish-1.84b$ ./skipfish -o outputresults http://localhost/

4.) After executing this command by pressing the enter key, you will then see below:

5.) To proceed, press any key then Skipfish will start the scan with the ongoing results such as shown below:

Terminating the Scan and Viewing the Scan Results

The good thing about Skipfish is that you can terminate the scan anytime (even the scan is not yet complete) and access the partial results. To terminate the scan and view the results, follow the steps below:

1.) While the scan is ongoing (shown in the previous screenshot), press Control – C. This will terminate the scan.

2.) To view the results, you can only the view the results using Firefox web browser by default. To do this, go to outputresults directory where the scan results are dumped:

codex-m@codex-m-desktop:~/Desktop/skipfish-1.84b$ cd outputresults

3.) Once you are inside the outputresults directory, execute the Firefox command to launch the results in the browser. The actual command is: firefox index.html

In terminal:

codex-m@codex-m-desktop:~/Desktop/skipfish-1.84b/outputresults$ firefox index.html

4.) You should then see the output results such as shown below:

5.) You should then be able to interpret the results easily. Most of the scan results are pretty self-explanatory. It is recommended to pay attention first to high risk vulnerabilities detected by the scan. You can expand those results to read more details.

What to do next? Well you need to educate yourself at understanding and correcting these vulnerabilities, for example if Skipfish is reporting some MySQL injection vulnerabilities in your website you might need to read and learn more about  SQL injection. You can use Google to read more details about that vulnerability. A few examples of preventing MySQL injection vulnerability includes implementing strict user input validation in your web application, implementing appropriate user privileges and using mysql_real_escape_string() PHP function.

Related and Important Resources of Skipfish

Below are some useful resources pertaining to the use of Skipfish and interpretation of results/vulnerabilities:

1.) Skipfish detailed documentation (includes both basic and advanced usage):

2.) Common problems with Skipfish and how to fix them:

3.) Understanding the functionality and features included in Skipfish:

4.) Browser security handbook:

5.) The Open web application security project:

6.) Web Application Security Consortium: -

7) Application Security Principle:

Google+ Comments

Google+ Comments