Friday, March 26, 2010

Free app makes paid web scanners dead in the water

By Darren Pauli

Google's upgraded version of its automated Web application scanner, SkipFish, has received glowing reviews from local security experts.

The free tool designed by Google software engineer Michal Zalewski, and launched late last week, scans for web application vulnerabilities.

Penetration testing firm HackLabs director Chris Gatford said the tool is "blazingly fast" and accurate.

The revamped SkipFish outperformed other free and commercial offerings during HackLabs tests. Gatford said some full-featured web application scanners issue HTTP requests at a rate of about one or two per second.

"SkipFish fired more than 400 requests per second, that's under less than ideal conditions, on a standard broadband connection and using its default settings," Gatford said, adding it did return some errors.

Security blogger and RedSpin consultant jhaddix said the application returned 600 requests per second over a 10Mb connection, but reported some problems.

The massive request rate means the tool could also be used for malicious Denial of Service (DoS) attacks. Such an attack would require less computing power, roughly 20 servers according to estimates, to crash a small corporate site.

Malicious users could employ the tool to discover application vulnerabilities for exploitation, but that capability is already available through many existing tools.

Gatford said SkipFish is a "smart move" by Google as it represents an attempt to improve online safety, a suggestion echoed by IBRS security analyst James Turner.

Zalewski has been quick to introduce fixes as testers report them. He fixed six flaws discovered by Gatford within hours of their publication on Twitter.

SkipFish is targeted at people who typically do not test web applications, but security experts say some knowledge or research is required to locate vulnerability fixes; Zalewski has reportedly planned guidance on fixes but has not yet incorporated it into the tool.
