
CSTC IA-2 Web Vulnerability Scanning using Skipfish
Tirth Shah (1611108)
Shruti Dhariya (1611094)

A. Introduction

Websites experience an average of 22 attacks per day, more than 8,000 attacks a
year, according to SiteLock results. A website vulnerability is a weakness or
misconfiguration in a website or web application code that enables an attacker to gain some
degree of control over the site, and possibly the host server. Most vulnerabilities are
exploited by automated means, such as vulnerability scanners and botnets. When such
vulnerabilities are found, data is stolen, malicious content is spread, or the vulnerable
section is spammed or defaced. Vulnerability scanning is an examination of possible access
points on a device or a network to find security holes. A vulnerability analysis detects and
classifies device vulnerabilities in computers, networks, and communications equipment and
predicts the efficacy of countermeasures.

B. Problem Definition

To scan a website using the tool Skipfish and determine the vulnerabilities in it, if any.

C. Scope

The scope of our demonstration is to make the reader familiar with:

1. Installation of Skipfish.
2. Different options in Skipfish.
3. Brute force attack.
4. Different types of vulnerabilities that could occur in a website, like XSS, SQL injection,
file inclusions, etc.

D. Proposed Methodology

1. Install Skipfish.
2. Set up a website to be scanned for vulnerabilities.
3. Start scanning.
4. Scan with brute force option.
5. Scan without brute force option.
6. Check the vulnerabilities found in the generated files.

E. Description of software and/or tools utilized

Skipfish is an active web application security reconnaissance tool created by lcamtuf for Google.
It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and
dictionary-based probes. The resulting map is then annotated with the output from a number of
active security checks. The final report generated by the tool is meant to serve as a foundation
for professional web application security assessments.
Some features of Skipfish are:
1. High performance.
2. Ease of use.
3. Well designed for security checks.

F. Implementation along with screenshots
1. Install Skipfish

2. Skipfish Options

a. Authentication and access options


b. Crawl Scope Options

c. Performance settings

d. Other settings
3. Dictionaries

4. Scanning with minimal.wl as dictionary


5. Scanning without dictionary
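
What the two scans above tend to look like from the server side, as an added example that is not part of the original report: a scan with a wordlist guesses names that are not linked anywhere and leaves many distinct 404s in the access log, while a scan without a dictionary mostly requests pages that exist. The log lines, IP addresses, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: client, identity, user, [timestamp], "request line", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) ')

def classify_clients(lines, min_missing=5, min_ratio=0.5):
    """Label each client 'dictionary-probing' or 'crawl-like'.

    A dictionary-driven scan requests guessed names, so it leaves many
    distinct 404 paths; a link-following crawl mostly hits existing pages.
    Both thresholds are assumptions and need tuning per site.
    """
    total = defaultdict(int)      # requests seen per client
    missing = defaultdict(set)    # distinct paths answered with 404 per client
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not parseable access-log entries
        client, path, status = m.group(1), m.group(2), int(m.group(3))
        total[client] += 1
        if status == 404:
            missing[client].add(path.split("?", 1)[0])  # ignore query strings
    verdicts = {}
    for client, n in total.items():
        distinct_404 = len(missing[client])
        probing = distinct_404 >= min_missing and distinct_404 / n >= min_ratio
        verdicts[client] = "dictionary-probing" if probing else "crawl-like"
    return verdicts

def _entry(client, path, status):
    return f'{client} - - [10/Oct/2020:13:55:36 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample log (not captured from a real scan). 192.0.2.10 imitates
# a scan with a wordlist, 192.0.2.20 a scan that only follows links.
GUESSES = ["admin", "backup", "old", "test", "tmp", "private", "db", "cgi-bin"]
SAMPLE_LOG = (
    [_entry("192.0.2.10", "/", 200), _entry("192.0.2.10", "/login.php", 200)]
    + [_entry("192.0.2.10", f"/{w}/", 404) for w in GUESSES]
    + [_entry("192.0.2.20", p, 200) for p in ("/", "/login.php", "/about.php", "/contact.php")]
    + [_entry("192.0.2.20", "/missing.css", 404), "garbage line"]
)

if __name__ == "__main__":
    for client, verdict in sorted(classify_clients(SAMPLE_LOG).items()):
        print(client, verdict)
```
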
G. Conclusion with summary
Cybersecurity is growing in importance. Developers and testers need to be
knowledgeable about attacks and follow certain safety measures when making a website.
Sensitive data such as usernames and passwords can be retrieved from a website without the
user's consent if the vulnerabilities are not tested for. Thus, before deployment of any
website, it is of utmost importance to test it for security holes for the best possible usage
by the clients.
