Skipfish, compiling on Ubuntu
After a few hours of playing with skipfish, the Open Source web application security scanner from Google, you can color me impressed.
The first thing you want to do is download the 1.09 BETA version. After just a couple of days Google went up several beta versions, and 1.09 worked awesomely for me. I was going to compile skipfish on Mac OS X, but the requirement of libidn was so easy to meet on Ubuntu that I decided to compile skipfish on Ubuntu. The primary reason is that I do not like to use MacPorts, and I read about some folks having issues even after compiling libidn on their Macs.
Here are the commands (on Ubuntu Linux) to compile skipfish:
wget http://skipfish.googlecode.com/files/skipfish-1.09b.tgz
tar zxvf skipfish-1.09b.tgz
mv skipfish-1.09b skipfish
sudo apt-get install libidn11-dev
sudo apt-get install libssl-dev
cd skipfish
make
cp dictionaries/complete.wl skipfish.wl
./skipfish -o skipfish_out http://www.yourdomain.com
(This creates a skipfish_out directory. Make sure you put a domain to scan that you actually own.)
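One way to enforce the "domain you actually own" rule on the scan step is a small wrapper that refuses to start skipfish unless the target host is in an allowlist you maintain. This is an added example, not part of the original post or of skipfish; the function names and the scope.txt file (one hostname per line) are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: scope guard for the scan step. Not part of skipfish.
# Assumed allowlist format: one hostname per line, '#' starts a comment.

# Print the lowercase hostname of an http(s) URL; fail on anything else.
host_of_url() {
    local url="$1" rest host
    case "$url" in
        http://*|https://*) rest="${url#*://}" ;;
        *) return 1 ;;
    esac
    rest="${rest%%[/?#]*}"   # drop path, query and fragment
    rest="${rest##*@}"       # drop userinfo, so user@host resolves to host
    host="${rest%%:*}"       # drop port (IPv6 literals will not match: fails closed)
    [ -n "$host" ] || return 1
    printf '%s\n' "$host" | tr 'A-Z' 'a-z'
}

# Succeed only if the host appears as an exact entry in the allowlist file.
in_scope() {
    local host="$1" list="$2" entry
    [ -r "$list" ] || return 1
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry="${entry%%#*}"
        entry="$(printf '%s' "$entry" | tr -d '[:space:]' | tr 'A-Z' 'a-z')"
        [ -n "$entry" ] && [ "$entry" = "$host" ] && return 0
    done < "$list"
    return 1
}

# Run skipfish from the build directory only against an allowlisted host.
guarded_scan() {
    local url="$1" outdir="$2" list="${3:-./scope.txt}" host
    host="$(host_of_url "$url")" || { echo "not an http(s) URL: $url" >&2; return 2; }
    in_scope "$host" "$list" || { echo "refusing: $host is not in $list" >&2; return 3; }
    ./skipfish -o "$outdir" "$url"
}

# Usage (after sourcing this file inside the skipfish directory):
#   guarded_scan http://www.yourdomain.com skipfish_out ./scope.txt
```

Matching is exact, so listing www.yourdomain.com does not put yourdomain.com or any other subdomain in scope.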
My scan ran about 47 minutes. At the conclusion of the scan you will have an index.html file within the skipfish_out directory that you can view from your browser. This will be the results of your scan, nicely formatted. This is quick and dirty; the README file is quite helpful and there is a very informative wiki as well.






