Web应用安全扫描工具 Skipfish 2.04b 发布

openkk 13年前
     <div id="p_fullcontent" class="detail">     <p><a href="/misc/goto?guid=4958330848982075081" target="_blank">skipfish</a>是Google推出的一款免费、开源、Web应用程序安全检测工具。skipfish主要特点:扫描速度快、易于使用、尖端的安全逻辑。</p>     <p>目前skipfish更新至2.04b版,新版本主要改变如下:</p>     <p> Option -V eliminated in favor of -W / -S.<br />  Option -ladded to limit the maximum requests per second (contributed by Sebastian Roschke)<br />  Option -kadded to limit the maximum duration of a scan (contributed by Sebastian Roschke)<br />  Support for #ro, -W-; related documentation changes.<br />  HTTPS -> HTTP form detection.<br />  Added more diverse traversal and file disclosure tests (including file:// scheme tests)<br />  Improved injection detection in < script > sections, where a ‘ or ” is all we need to inject js code.<br />  Added check to see if our injection strings end up server Set-Cookie, Set-Cookie2 and Content-Type reponse headers<br />  URLs that give us a Javascript response are now tested with a “callback=” parameter to find JSONP issues.<br />  Fixed “response varies” bug in 404 detection where a stable page would be marked unstable.<br />  Bugfix to es / eg handling in dictionaries.<br />  Added the “complete-fast.wl” wordlist which is an es / eg optimized version of “complete.wl” (resulting in 20-30% fewer requests).</p>     <p></p>     <p><img style="border-bottom:black 1px solid;border-left:black 1px solid;width:567px;height:361px;border-top:black 1px solid;border-right:black 1px solid;" alt="网络安全扫描工具 Skipfish" src="https://simg.open-open.com/show/8fee31dfc93272369656717f2382a6b7.png" /></p>     <p>Google工程师迈克尔‧扎勒维斯基(Michal Zalewski)称,尽管Skipfish与Nikto和Nessus等其他开源扫描工具有相似的功能,但Skipfish还具备一些独特的优点。 Skipfish通过HTTP协议处理且占用较低的CPU资源,因此它的运行速度比较快。Skipfish每秒钟可以轻松处理2000个请求。</p>     <p>Skipfish采用先进的逻辑安全,这将有助于减小产生误报的可能性。Skipfish的这项技术类似于Google于2008年发布的另外一款安全工具——ratproxy。</p>    </div>