skipfish
Web application security reconnaissance
SYNOPSIS
skipfish [ options ] -o output_directory target_url [ ... ]
PARAMETERS
-o <dir>
Specifies the mandatory output directory for generated reports and data files. The directory must either not exist yet or be empty.
-W <wordlist_file>
Provides a custom wordlist file to be used for dictionary-based fuzzing. skipfish comes with several built-in wordlists.
-S <scope_file>
Loads a file containing additional URL patterns or rules to define the crawling scope, such as paths to include or exclude.
-I <regex>
Instructs skipfish to include only URLs that match the specified regular expression during crawling.
-X <regex>
Instructs skipfish to exclude URLs that match the specified regular expression from crawling and testing.
-C <name=value>
Adds a static cookie (e.g., for session management) that will be sent with all HTTP requests.
-H <name=value>
Adds a static HTTP header that will be included in all outgoing requests.
-u <user:pass>
Provides HTTP authentication credentials (username:password) for basic or digest authentication.
-L <num>
Sets the maximum recursion depth for the crawler, i.e. how many levels deep skipfish will follow links from the starting URL.
-P <num>
Limits the maximum number of requests per second sent to the target server, to control scan aggression.
-r <timeout_ms>
Sets the network request timeout in milliseconds. Requests taking longer than this will be aborted.
-A <string>
Specifies a custom User-Agent string to be used for all HTTP requests.
-p <proxy_host:port>
Routes all traffic through a specified HTTP or SOCKS proxy server.
-Y
Prevents skipfish from descending to external domains found during crawling, keeping the scan strictly within the initial target domain.
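The following is an added example, not part of the skipfish manual: a small POSIX sh pre-flight wrapper that enforces the -o precondition above (directory absent or empty) and assembles a scoped, rate-limited invocation from the -Y, -P, -A, -I and -o options. The User-Agent label, the build_skipfish_cmd and check_output_dir function names and the target URL are assumptions made for this example; the wrapper prints the command instead of running it so it can be reviewed first.

```shell
# Added example: pre-flight wrapper around the skipfish options described above.
# check_output_dir mirrors the -o rule: the path may be absent, or an empty directory.
check_output_dir() {
  dir=$1
  if [ -e "$dir" ]; then
    if [ ! -d "$dir" ]; then
      echo "output path $dir exists and is not a directory" >&2
      return 1
    fi
    if [ -n "$(ls -A "$dir")" ]; then
      echo "output directory $dir is not empty" >&2
      return 1
    fi
  fi
  return 0
}

# build_skipfish_cmd OUTDIR TARGET_URL RATE [INCLUDE_REGEX]
# Prints the skipfish command line it would run (does not execute it).
build_skipfish_cmd() {
  out=$1
  target=$2
  rate=$3
  include=${4:-}
  check_output_dir "$out" || return 1
  # -Y keeps the crawl inside the initial domain, -P caps requests per second
  # so the scan does not overload the server, and -A sets a recognisable
  # User-Agent (assumed label) so the target's operators can attribute the
  # traffic in their logs.
  cmd="skipfish -Y -P $rate -A 'skipfish-authorized-scan' -o $out"
  if [ -n "$include" ]; then
    # -I restricts crawling and testing to URLs matching the regex.
    cmd="$cmd -I '$include'"
  fi
  echo "$cmd $target"
}

# Usage with a constructed placeholder target (not a real host):
# build_skipfish_cmd ./scan-out http://target.example 5 '^/app/'
```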
DESCRIPTION
skipfish is an active web application security reconnaissance tool developed by Michal Zalewski (lcamtuf) at Google. It is designed for high-performance, automated crawling and dictionary-based fuzzing against target web servers.
The tool recursively explores a target website, generating a comprehensive site map. It then actively probes for various security vulnerabilities, including cross-site scripting (XSS), SQL injection (SQLi), command injection, directory traversal, server-side request forgery (SSRF), and other common web application flaws. skipfish employs a sophisticated heuristic engine to identify potential issues and generates detailed, interactive HTML reports for analysis. Its emphasis on speed and efficiency makes it particularly suitable for large-scale web application scanning and for command-line driven penetration testing.
CAVEATS
Resource Intensive: skipfish can consume significant CPU and network resources on both the scanning machine and the target server due to its aggressive scanning nature.
Legal & Ethical Use: Always ensure you have explicit permission to scan any target system. Unauthorized scanning can have legal consequences.
False Positives/Negatives: Like all automated scanners, skipfish may report false positives (issues that do not exist) or miss real vulnerabilities (false negatives). Findings should be verified manually before being acted on.
Active Development Status: While powerful, its active development by Google largely ceased around 2012-2014. This means it might not detect the very latest vulnerability types or fully support modern web technologies as effectively as more actively maintained tools.
Firewall/IPS Detection: Its aggressive and automated scanning patterns can trigger Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS), potentially leading to the scanner being blocked or blacklisted by the target.
REPORT GENERATION
skipfish generates detailed, interactive HTML-based reports that are easy to navigate. These reports typically include a comprehensive site map of the discovered application structure, a list of identified vulnerabilities, and granular details about the specific requests and responses that triggered each finding.
FUZZING ENGINE
The tool utilizes a sophisticated dictionary-based fuzzing engine. This allows it to discover vulnerabilities by intelligently injecting various payloads into different parts of HTTP requests (parameters, headers, paths), going beyond simple checks for known vulnerability signatures to find unknown weaknesses.
HISTORY
skipfish was developed by Michal Zalewski (lcamtuf), a prominent security researcher, during his tenure at Google. It was initially released in 2009. The tool quickly gained popularity owing to its high performance, comprehensive scanning capabilities, and the reputation of its developer. Written in C, it was designed as a fast and efficient command-line option for automated web application vulnerability discovery. While it saw active development and updates for several years, direct maintenance by Google has largely ceased. Despite this, it remains available in many Linux distribution repositories and is still considered a valuable tool for penetration testers and security professionals, particularly for high-speed, command-line driven scanning tasks.