Automated Audit using SKIPFISH

Last revision (mm/dd/yy): 07/04/2012

This type of article aims to give development teams an easy and quick way to run automated audit tests against their web application projects during the implementation phase.

Description
This page shows a sample Skipfish script that automates the audit of a web application.

Description taken from website: Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

SKIPFISH homepage.

This script does not replace a manual audit, but it is useful as a first validation.

Shell script

```sh
#!/bin/sh
# Define global variables
REPORT_DIR=/tmp/skipfish-report
URI_TO_IGNORE=/css/,/img/,/images/,/js/,/doc/
TARGET_URL=http://mysite.com
TARGET_ROOT_URL=$TARGET_URL
INTERACTIVE_MODE=YES

# Clean up the report directory if it exists...
if [ -d "$REPORT_DIR" ]; then
    rm -rf "$REPORT_DIR"
fi

# Initialize the custom (read-write) dictionary if it does not exist...
if [ ! -f dictionaries/custom-dictionnary.wl ]; then
    touch dictionaries/custom-dictionnary.wl
fi

# Define running mode (interactive or quiet)
if [ "$INTERACTIVE_MODE" = "YES" ]; then
    RUNNING_MODE=""
else
    RUNNING_MODE="-u"
fi

# skipfish takes one string per -X option (the option may be repeated),
# so expand the comma separated list into "-X /css/ -X /img/ ..."
EXCLUDE_OPTS=""
for uri in $(printf '%s' "$URI_TO_IGNORE" | tr ',' ' '); do
    EXCLUDE_OPTS="$EXCLUDE_OPTS -X $uri"
done

# Start scan... ($RUNNING_MODE and $EXCLUDE_OPTS are left unquoted on purpose
# so that an empty value disappears and the list splits into separate options)
skipfish -b i -I "$TARGET_ROOT_URL" $EXCLUDE_OPTS -Z -o "$REPORT_DIR" -M -Q $RUNNING_MODE \
    -S dictionaries/extensions-only.wl -W dictionaries/custom-dictionnary.wl -Y -R 5 -G 256 \
    -l 3 -g 10 -m 10 -f 20 -t 60 -w 60 -i 60 -s 1024000 -e "$TARGET_URL"
```

Global variables description:

 * REPORT_DIR: Target directory in which SkipFish will generate the scan report.
 * URI_TO_IGNORE: Comma separated list of URIs that the scan must ignore.
 * TARGET_URL: Target application URL.
 * TARGET_ROOT_URL: Root URL of the application (used to limit the scan to the application).
 * INTERACTIVE_MODE: Tells SkipFish to run in interactive or quiet mode (quiet mode shows no realtime progress stats).

Options used to specify authentication and access behaviors:

 * -b: Use headers consistent with MSIE.

The "-A" option can be used to specify authentication credentials using "login:password" format.

Options used to specify crawl scope behaviors:

 * -I: Only follow URLs matching the URL specified in the $TARGET_ROOT_URL variable.
 * -X: Exclude URLs matching the URIs specified in the $URI_TO_IGNORE variable.
 * -Z: Do not descend into 5xx locations.

Options used to specify reporting behaviors:

 * -o: Write output to the directory specified in the $REPORT_DIR variable.
 * -M: Log warnings about mixed content / non-SSL passwords.
 * -Q: Completely suppress duplicate nodes in reports.
 * -u: Be quiet, disable realtime progress stats.

Options used to specify dictionary management behaviors:

Here we configure the scan to learn from the application and keep the information found for the next scan of the same application. We also seed the learning with a dictionary containing only the extensions that the scan must use to discover files.

 * -S: Load a supplemental read-only wordlist (the seeding dictionary).
 * -W: Use the specified read-write wordlist (the dictionary built from the information gathered during the scan).
 * -Y: Do not fuzz extensions in directory brute-force.
 * -R: Purge from the learned dictionary the words hit more than 5 scans ago.
 * -G: Maximum number of keyword guesses to keep, here we keep 256 keywords.

Options used to specify performance settings:

 * -l: Max requests per second, here we limit to 3.
 * -g: Max simultaneous TCP connections, here we limit to 10.
 * -m: Max simultaneous connections, per target IP, here we limit to 10.
 * -f: Max number of consecutive HTTP errors, here we limit to 20.
 * -t: Total request response timeout, here we limit to 1 minute.
 * -w: Individual network I/O timeout, here we limit to 1 minute.
 * -i: Timeout on idle HTTP connections, here we limit to 1 minute.
 * -s: Response size limit, here we limit to 1024 Kb.
 * -e: Do not keep binary responses for reporting.

Report
SkipFish generates an HTML report website like this:

(screenshot of the generated HTML report)

Remark about scan scheduling
The scan takes a while, so it is recommended to schedule its execution:
 * During the night for a daily audit.
 * During the week-end for a weekly audit.
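
The scheduled form of the script above, as an added example that is not part of the original page nor of the Skipfish project: each run writes to a date stamped directory so nightly and weekly reports do not overwrite each other, the comma separated URI_TO_IGNORE list is expanded into one -X option per entry, and a short severity summary is printed for the team. Assumptions: the samples.js file of a report holds one "'severity': N" field per issue type with 4 the highest severity, and the /opt/audit/skipfish-nightly.sh path in the crontab line is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): cron friendly wrapper for the Skipfish scan.
REPORT_BASE=${REPORT_BASE:-/tmp/skipfish-reports}
URI_TO_IGNORE=${URI_TO_IGNORE:-/css/,/img/,/images/,/js/,/doc/}
TARGET_URL=${TARGET_URL:-http://mysite.com}

# "a,b,c" -> "-X a -X b -X c" (skipfish takes one string per -X); empty entries are dropped.
exclude_opts() {
    _opts=""
    _save_ifs=$IFS
    IFS=','
    for _uri in $1; do
        [ -n "$_uri" ] && _opts="$_opts -X $_uri"
    done
    IFS=$_save_ifs
    printf '%s' "${_opts# }"
}

# Report directory for one run, e.g. /tmp/skipfish-reports/2012-07-04.
report_dir_for() {
    printf '%s/%s' "$REPORT_BASE" "$1"
}

# Number of issue types at severity $2 (0..4, assumed layout of samples.js) in report directory $1.
count_issues() {
    [ -f "$1/samples.js" ] || { echo 0; return; }
    grep -c "'severity': $2," "$1/samples.js" || true
}

# Run a quiet (-u) scan into today's directory, then print a severity summary.
run_scheduled_scan() {
    _dir=$(report_dir_for "$(date +%Y-%m-%d)")
    rm -rf "$_dir"
    mkdir -p "$REPORT_BASE"
    [ -f dictionaries/custom-dictionnary.wl ] || touch dictionaries/custom-dictionnary.wl
    # $(exclude_opts ...) is left unquoted on purpose so it splits into separate options.
    skipfish -b i -I "$TARGET_URL" $(exclude_opts "$URI_TO_IGNORE") -Z -o "$_dir" -M -Q -u \
        -S dictionaries/extensions-only.wl -W dictionaries/custom-dictionnary.wl -Y -R 5 -G 256 \
        -l 3 -g 10 -m 10 -f 20 -t 60 -w 60 -i 60 -s 1024000 -e "$TARGET_URL"
    for _sev in 4 3 2; do
        printf 'severity %s: %s issue type(s)\n' "$_sev" "$(count_issues "$_dir" "$_sev")"
    done
}

# crontab line for a nightly run at 02:00 (hypothetical path):
#   0 2 * * * /opt/audit/skipfish-nightly.sh run
if [ "${1:-}" = "run" ]; then
    run_scheduled_scan
fi
```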

[[Category:C]]