RSS Alerts

Share

More services

Related Links

Related Stories

  • Mykonos to launch counter-hacker tool
    Web application security company Mykonos Software has launched an appliance designed to watch what hackers are doing and take counter measures to confuse and divert them.
  • EFF launches web browser entropy tool
    A new tool released by privacy advocacy group EFF is designed to help users find out how identifiable their web browsers are online.
  • Researchers turn wireless network into X-ray tool
    Researchers at the University of Utah have devised a way to visually monitor a room using cheap wireless sensors. The technique, known as ' variance-based radio tomography', effectively enables its users to see through walls, explain Jerry Wilson and Neal Patwari, authors of a paper on the subject.
  • Microsoft ships free anti-virus tool
    Microsoft officially shipped Microsoft Security Essentials, its free anti-virus product, yesterday. The product, which had been beta tested under the codename Morro, is designed as a free software offering specifically for home users.
  • Microsoft to launch exploitability analysis tool
    Microsoft will announce an open source tool on Friday designed to help programmers filter out serious security flaws in their programs before they ship. Members of the company's Trustworthy Computing team, speaking at Vancouver-based security conference CanSecWest, will unveil !exploitable, a software tool that analyses crash data from programs and prioritizes key security flaws.

Top 5 Stories

News

Google unveils website security tool

22 March 2010

Google has launched a security tool called skipfish, designed to help web developers scan their applications for vulnerabilities.

Released as an open source tool under the Apache license, skipfish from Google prepares an interactive site map for a targeted site by recursively crawling through webpages and using dictionary attacks to probe sites. It then targets the site with a variety of active security checks designed to test for vulnerabilities, including blind injection vectors.

The tool, written in C, competes with existing scanners such as Nikto and Nessus. However, Google says that it delivers some specific benefits, including fast operation. It says that it can process 2000 requests per second on a local area network, and 7000 requests against local instances. The company attributes this to a custom HTTP stack, along with smart response caching.

It tests for explicit SQL-like syntax in GET and POST parameters, server-side shell command injection and XML injection, along with vulnerabilities in format strings, and potential integer overflows. The new tool from Google will also be able to pick up other program flaws, including attacker-supplied embedded content, expired and self-signed SSL certificates, HTTP credentials in URLs and bad caching directives.

"Please do not be evil," Google said in the documentation for the skipfish talk. "Keep in mind that all types of security testing can be disruptive. Although the scanner is designed not to carry out malicious attacks, it may accidentally interfere with the operations of the site."

The tool uses heuristics to support a variety of web frameworks and sites that combines different technologies.

This article is featured in:
Application Security • Internet and Network Security • IT Forensics

 

Comment on this article

You must be registered and logged in to leave a comment about this article.

Terms & Conditions |Privacy |Website Design|Reed Exhibitions. All rights reserved. Copyright © 2012