Skipfish and WebGoat

Background

Many websites are vulnerable to SQL injection and other attacks. Skipfish is a free, open-source web application security scanner from Google that finds such vulnerabilities: it crawls the target site, brute-forces file and directory names from a dictionary, and sends injection probes to every parameter it discovers, then writes an HTML report of what it found.

What You Need

Starting BackTrack

If you are using BackTrack 4, you need to do these things at startup:

Downloading and Compiling Skipfish

In the Terminal window, execute these commands. (The Google Code download site used below has since been shut down; if the wget fails, fetch the skipfish tarball from wherever the project is currently hosted and continue from the tar step.)
mkdir skipfish

cd skipfish

wget http://skipfish.googlecode.com/files/skipfish-2.02b.tgz

tar xzf skipfish-2.02b.tgz

cd skipfish-2.02b

make

ls

You should see several files in the directory, as shown below:

Copying the Dictionary File

Skipfish uses dictionaries (wordlists) to hunt for files, directories and parameters that are not linked from anywhere on the site. By default this version reads skipfish.wl from the current directory, so the wordlist must be copied there. We will use the minimal dictionary, which makes the scan faster but less thorough; the larger medium and complete wordlists in the same directory generate far more requests.

In the Terminal window, execute this command:

cp dictionaries/minimal.wl skipfish.wl

Scanning WebGoat

In the Terminal window, execute this command:
./skipfish -o /tmp/skip1 -A guest:guest -m 5 -LVY "http://192.168.5.93/webgoat/attack"

Replace the IP address with the real address of your WebGoat target machine. The start URL is given as a positional argument, not with a switch. The other options mean:

-o /tmp/skip1: directory to write the report to (required).

-A guest:guest: HTTP authentication credentials; guest/guest is the default WebGoat account.

-m 5: at most 5 simultaneous connections to the target IP, to avoid overloading the small WebGoat server.

-L, -V, -Y (written together as -LVY): do not auto-learn new keywords from the site, do not update the wordlist with scan results, and do not fuzz file extensions during directory brute-force. Together they keep the scan short and leave skipfish.wl unchanged.

If you want to keep Skipfish away from part of the site, use -X with a pattern, for example -X logout; -X always takes an argument, so a bare -X would swallow whatever follows it as the exclusion string.

Note: each time you run Skipfish, you must specify a new, non-existent directory for output (-o); Skipfish refuses to write into a directory that already exists. If you run it again, use /tmp/skip2, etc.
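The download, dictionary and scan steps above can be wrapped in a small POSIX shell script. This is an added example, not part of the original lab or of Skipfish itself: it picks the first unused /tmp/skipN directory so repeated runs never collide, copies the minimal wordlist into place if skipfish.wl is missing, and builds the same command line used above. The function names (next_outdir, skipfish_cmd, run_scan) and the DRY_RUN switch are this example's own; the target IP and guest:guest credentials are the lab's.

```shell
#!/bin/sh
# Added example wrapper around the lab's skipfish invocation (not from the page).
# Run from the skipfish-2.02b directory after "make".

# Print the first "<base><N>" path that does not exist yet, e.g. /tmp/skip1.
# Skipfish refuses to write into an existing -o directory, so every run
# needs a fresh one.
next_outdir() {
    base="$1"
    n=1
    while [ -e "${base}${n}" ]; do
        n=$((n + 1))
    done
    printf '%s\n' "${base}${n}"
}

# Compose the scan command for a target URL and output directory.
# Same switches as the lab: HTTP auth guest:guest, 5 connections per IP,
# no keyword learning, no wordlist updates, no extension fuzzing.
skipfish_cmd() {
    target="$1"
    outdir="$2"
    printf '%s\n' "./skipfish -o $outdir -A guest:guest -m 5 -LVY $target"
}

# Run the scan. With DRY_RUN=1 only print what would be executed, so the
# script can be checked on a machine without skipfish or a WebGoat target.
run_scan() {
    target="${1:-http://192.168.5.93/webgoat/attack}"   # lab's WebGoat URL
    outdir="$(next_outdir /tmp/skip)"

    # This version of skipfish reads ./skipfish.wl; install the minimal
    # wordlist if nothing is there yet (assumes the lab's directory layout).
    if [ ! -f skipfish.wl ] && [ -f dictionaries/minimal.wl ]; then
        cp dictionaries/minimal.wl skipfish.wl
    fi

    if [ "${DRY_RUN:-0}" = "1" ]; then
        skipfish_cmd "$target" "$outdir"
        return 0
    fi

    # Pass arguments as separate words rather than via eval; the URL is the
    # positional start URL, not a switch argument.
    ./skipfish -o "$outdir" -A guest:guest -m 5 -LVY "$target" || return 1
    printf 'Report written to file://%s/index.html\n' "$outdir"
}

# Usage: sh scan.sh [target_url]   (DRY_RUN=1 sh scan.sh to just print the command)
if [ "${0##*/}" = "scan.sh" ]; then
    run_scan "$@"
fi
```

The DRY_RUN branch is worth keeping even outside a lab: printing the composed command first is the cheapest way to catch a stray switch before a scanner starts hammering a target.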

When Skipfish starts, you will see this screen:

While it is running, you will see messages like this:

When it finishes, you will see this:

Viewing the Results

Open Firefox and enter the URL of the saved report, which for the command above is file:///tmp/skip1/index.html (use whichever directory you gave with -o).

At the top, a summary appears, showing counts of findings with colored dots. The red dot marks the most dangerous problems (high-risk flaws such as injection), orange and blue mark medium and low risk, and the remaining entries are informational:

Scroll down to see a more detailed list:

Click the red item to expand it, showing each URL affected and the exact request Skipfish sent to trigger the finding. Scanners produce false positives, so confirm a reported injection by replaying that request yourself before treating it as real:


Last modified: 7-26-11 2 pm