Google releases web security scanner
Google has released an open source scanner that allows web application developers to test their applications for security holes. The application, called Skipfish, offers functionality similar to that of tools such as Nmap or Nessus, but it is said to be much faster. Using fully automated heuristics, it detects code that is vulnerable to cross-site scripting (XSS) attacks, SQL and XML injection attacks and many other attack types. The tool's comprehensive post-processing of the individual test results is designed to help with the interpretation of the final report.
Skipfish is a pure C implementation and, according to Google, can easily process 2,000 HTTP requests per second – provided the tested server can handle such a high load. In individual tests across local networks, 7,000+ requests per second have reportedly been sent with a modest CPU load and memory footprint.
Google achieves this high performance via a serial I/O model which processes responses asynchronously and is said to offer much better scalability than traditional multi-threaded approaches with synchronous request processing. Optimised HTTP connection handling via features such as HTTP 1.1 range requests, keep-alive connections and data compression is designed to keep Skipfish's network bandwidth requirements in check.
Google says that it uses the scanner to test its own web applications for insecure interfaces. However, Google also points out that the security checks are far from comprehensive and do not satisfy most of the Web Application Security Consortium's (WASC) Web Application Security Scanner Evaluation Criteria.