Web and Mobile App Security Worksheet

Module 1: Assignment 2: Skipfish Lab
Total points: 100
Last Name: _______________ First Name: ______________ Date:
Learning objective
In this module, you will learn:
(i) How to install and configure the Skipfish tool in Kali Linux
(ii) How to apply the tool to scan websites
Introduction to Skipfish
Skipfish is an active web application security reconnaissance tool. It prepares an
interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based
probes. The resulting map is then annotated with the output from a number of
active security checks. The final report generated by the tool is meant to serve as a
foundation for professional web application security assessments.
Key features:
- High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.
- Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
- Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.
Keep in mind that all types of security testing can be disruptive. Although the scanner is
designed not to carry out malicious attacks, it may accidentally interfere with the
operations of the site. You must accept the risk, and plan accordingly. Run the scanner
against test instances where feasible, and be prepared to deal with the consequences if
things go wrong.
Also note that the tool is meant to be used by security professionals, and is experimental
in nature. It may return false positives or miss obvious security problems – and even when
it operates perfectly, it is simply not meant to be a point-and-click application. Do not
take its output at face value.
Running the tool against vendor-supplied demo sites is not a good way to evaluate it, as
they usually approximate vulnerabilities very imperfectly; we made no effort to
accommodate these cases.
Lastly, the scanner is simply not designed for dealing with rogue and misbehaving HTTP
servers – and offers no guarantees of safe (or sane) behavior there.
This tutorial is written primarily for beginners who are looking to expand their
knowledge of website security, vulnerability detection and prevention using Skipfish.
Always obtain permission from the website owner before scanning or probing.
Skipfish application
Launch Kali from VMWare Workstation. Enter root/toor as username and password.
Skipfish runs on Linux, BSD, macOS and Windows. It is a powerful scanner that crawls the
target website and scans every page it discovers. It is readily available on Kali Linux.
You can access it by selecting Applications–>Web Application Analysis–>skipfish.
Execute Test with Skipfish:
When you open Skipfish for the first time, a Terminal window pops up displaying the
Skipfish usage text and command options. Skipfish can use built-in or custom dictionaries
for vulnerability assessment. Skipfish should look like this when opened:
There are various command options available in Skipfish. To run Skipfish against a target
website with a custom wordlist, enter skipfish, select your wordlist with the -W option
followed by the path to the wordlist, select your output directory with -o followed by
the path, and finally give the target URL.
Using the given directory for output (-o 202), scan the web application
URL (http://www.google.com).
If there are no errors, you will be presented with a launch screen stating that the scan
will start in 60 seconds or on pressing any key.
You can press the Spacebar to see the details of the scan or watch the default counters
run. Scanning a target can take anywhere from 30 seconds to a few hours to complete.
You can end a scan early by pressing Ctrl + C. For this test, if the scan exceeds 15
minutes, press Ctrl + C.
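The steps above (pick a wordlist, pick an output directory, name the target, cap the run) can be tied together in a small wrapper so that the permission check and the 15-minute cap are enforced before Skipfish starts. This is an added example for the lab, not part of Skipfish or of the original worksheet. It assumes a constructed allowlist file scope.txt listing the hosts you have written permission to scan (not a Skipfish feature), the Kali dictionary path /usr/share/skipfish/dictionaries/minimal.wl, and the -o, -W, -S, -l and -k options as printed by skipfish -h on the 2.10b build; check those on your own install.

```shell
#!/bin/sh
# Lab wrapper around skipfish. Added example, not part of the worksheet or
# of the skipfish project. Assumptions (adjust for your install):
#   - scope.txt lists, one host per line, the hosts you have written
#     permission to scan (constructed allowlist, not a skipfish feature);
#   - /usr/share/skipfish/dictionaries/minimal.wl is where Kali ships the
#     small built-in dictionary;
#   - the flags used (-o, -W, -S, -l, -k) are those listed by `skipfish -h`
#     for the 2.10b build; -W names a read-write wordlist (assumed to be
#     created if missing), -S a read-only supplemental one.

SCOPE_FILE="${SCOPE_FILE:-./scope.txt}"
WORDLIST_RO="${WORDLIST_RO:-/usr/share/skipfish/dictionaries/minimal.wl}"

# Print the host part of an http(s) URL: drop the scheme, then path/query, then port.
url_host() {
    printf '%s\n' "$1" | sed -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' \
                             -e 's|[/?#].*$||' -e 's|:.*$||'
}

# Succeed only if the host appears, as a whole line, in the scope file.
in_scope() {
    [ -r "$SCOPE_FILE" ] || return 1
    grep -qxF -- "$1" "$SCOPE_FILE"
}

# Build the skipfish command line for OUTDIR TARGET [MAX_MINUTES].
# Refuses out-of-scope hosts (status 2) and existing output dirs (status 3),
# and caps the run with -k so a forgotten scan does not keep hammering the target.
build_scan_cmd() {
    outdir=$1; target=$2; maxmin=${3:-15}
    host=$(url_host "$target")
    if ! in_scope "$host"; then
        echo "refusing: $host is not listed in $SCOPE_FILE" >&2
        return 2
    fi
    if [ -e "$outdir" ]; then
        echo "refusing: output directory $outdir already exists" >&2
        return 3
    fi
    # -l 50: at most 50 requests/s; -k h:m:s: hard stop; a per-scan .wl so
    # keywords learned from this site are not written back into the shared dictionary.
    printf 'skipfish -o %s -W %s.wl -S %s -l 50 -k 0:%02d:00 %s\n' \
        "$outdir" "$outdir" "$WORDLIST_RO" "$maxmin" "$target"
}

# Usage: sh lab_scan.sh 202 http://127.0.0.1:8080/ 15
# With DRY_RUN=1 the command is only printed, not executed.
if [ $# -ge 2 ]; then
    cmd=$(build_scan_cmd "$1" "$2" "${3:-15}") || exit $?
    printf '%s\n' "$cmd"
    [ -n "${DRY_RUN:-}" ] || eval "$cmd"
fi
```

Put a local test instance (for example a vulnerable web app on 127.0.0.1) in scope.txt rather than a public site; the wrapper then refuses anything else, which is the permission rule stated earlier applied mechanically.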
View Vulnerabilities Test Results:
Once the scan completes, or if you end it early, Skipfish writes many output files to the
location you specified with the -o option. Click on Files, then Home, and you should see
the '202' folder.
To see the results, open the index.html file, which will bring up a web browser.
You can click through the drop-down boxes to see your results. See the example reports
section for more information.
The index.html file should look similar to below:
The results detail where security issues were found and how severe they are. Since this is
google.com, there are no high-impact vulnerabilities to worry about; there are some
warnings and medium issues.
An example usage: skipfish -o 203 http://www.kennesaw.edu (notice that '203' is the
output folder name; the previous one was 202).
Below is an example of the result.
Run skipfish against http://ccse.kennesaw.edu and provide a screenshot of your
results. [100 points]
Conclusion and References:
Most of the problems reported by skipfish should be self-explanatory, assuming you have a
good grasp of the fundamentals of web security. If you need a quick refresher on some of
the more complicated topics, such as MIME sniffing, you may enjoy the comprehensive
Browser Security Handbook as a starting point: http://code.google.com/p/browsersec/
If you still need assistance, several organizations put considerable effort
into documenting and explaining many of the common web security threats, and advising
the public on how to address them. I encourage you to refer to the materials published by
OWASP and the Web Application Security Consortium, amongst others:
- http://www.owasp.org/index.php/Category:Principle
- http://www.owasp.org/index.php/Category:OWASP_Guide_Project
- http://www.webappsec.org/projects/articles/
Assignment 8
Total points: 100
Part A [50 points]
Input Sanitization: In this assignment, you will complete a hands-on lab on avoiding common security defects
and writing a secure program with input validation. Topics include the consequences of malicious injection
and effective, secure input validation.
Go to: https://sites.google.com/view/projectsmsd/home/data-sanitization-for-input-validation/
Review the pre-lab section. Then complete the hands-on lab and provide screenshots for grading.
Part B [50 points]
In this section, you will learn how to use output encoding to prevent attacks within mobile apps.
Go to: https://sites.google.com/view/projectsmsd/home/data-sanitization-for-output-encoding
Complete the hands-on part of the output encoding lab and provide your screenshots for grading.