Google has introduced an open source, fully automated, active web application security reconnaissance tool called ‘Skipfish'.

Google described Skipfish as an active web application security reconnaissance tool that prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Google developer Michal Zalewsk wrote in a blog posting that Skipfish will allow developers to scan web applications for possible security vulnerabilities. He said that its key features are its high speed, due to it being written in pure C, with highly optimised http handling and a minimal CPU footprint.

He also claimed that it is easy to use as it features heuristics to ‘support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form auto-completion'.

On the security front, Zalewsk said that Google has incorporated high quality, low false positive, differential security checks that are capable of spotting a range of subtle flaws, including blind injection vectors.

Zalewsk said: “As with Ratproxy (a passive security assessment tool launched in July 2008), we feel that Skipfish will be a valuable contribution to the information security community, making security assessments significantly more accessible and easier to execute.”

The scanner can be downloaded from here, while detailed project documentation is available here.