本文主要是介绍安全参透之旅第3章 Skipfish工具使用,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
--Skipfish工具
是一款Web应用安全侦查工具。skipfish会利用递归爬虫和基于字典的探针生成一副交互式网站地图。最终生成的地图会在通过安全检查后输出。
--选择 -o是输出路径的参数,-S是指定数据字典的只读状态(还有其他参数使用请查看系统中的man或 “-h”帮助文档)
root@kali:~/Desktop/dictionaries# skipfish -o /root/Desktop/Skipfishoutput -S '/usr/share/skipfish/dictionaries/complete.wl' http://www.thesecurityblogger.com
--选择continue继续执行
skipfish web application scanner - version 2.10b
Welcome to skipfish. Here are some useful tips:
1) To abort the scan at any time, press Ctrl-C. A partial report will be written
to the specified location. To view a list of currently scanned URLs, you can
press space at any time during the scan.
2) Watch the number requests per second shown on the main screen. If this figure
drops below 100-200, the scan will likely take a very long time.
3) The scanner does not auto-limit the scope of the scan; on complex sites, you
may need to specify locations to exclude, or limit brute-force steps.
4) There are several new releases of the scanner every month. If you run into
trouble, check for a newer version first, let the author know next.
More info: http://code.google.com/p/skipfish/wiki/KnownIssues
NOTE: The scanner is currently configured for directory brute-force attacks,
and will make about 241435 requests per every fuzzable location. If this is
not what you wanted, stop now and consult the documentation.
Press any key to continue (or wait 60 seconds)...
skipfish version 2.10b by lcamtuf@google.com
--开始web安全侦查信息。
- www.thesecurityblogger.com -
Scan statistics:
Scan time : 0:02:24.490
HTTP requests : 476 (4.4/s), 366 kB in, 120 kB out (3.4 kB/s)
Compression : 267 kB in, 980 kB out (57.2% gain)
HTTP faults : 74 net errors, 0 proto errors, 0 retried, 0 drops
TCP handshakes : 467 total (3.5 req/conn)
TCP faults : 0 failures, 74 timeouts, 0 purged
External links : 54 skipped
Reqs pending : 1179
Database statistics:
Pivots : 369 total, 1 done (0.27%)
In progress : 367 pending, 1 init, 0 attacks, 0 dict
Missing nodes : 0 spotted
Node types : 1 serv, 235 dir, 39 file, 0 pinfo, 48 unkn, 46 par, 0 val
Issues found : 6 info, 1 warn, 1 low, 5 medium, 0 high impact
Dict size : 2412 words (197 new), 110 extensions, 256 candidates
Signatures : 77 total
--选择Ctrl+C 来结束扫描,结束输出文件放在/root/Desktop/Skipfishoutput/
[!] Scan aborted by user, bailing out!
[+] Copying static resources...
[+] Sorting and annotating crawl nodes: 369
[+] Looking for duplicate entries: 369
[+] Counting unique nodes: 369
[+] Saving pivot data for third-party tools...
[+] Writing scan description...
[+] Writing crawl tree: 369
[+] Generating summary views...
[+] Report saved to '/root/Desktop/Skipfishoutput/index.html' [0xa83556b0].
[+] This was a great day for science!
Medium risk - data compromise External content embedded on a page (higher risk) (5)
中等风险-数据妥协 (高风险) 的网页中嵌入的外部内容 (5)
Low risk or low specificity HTML form with no apparent XSRF protection (1)
低风险或低特异性与没有明显的 XSRF 保护 (1) 的 HTML 表单
Internal warning Resource fetch failed (1)
内部警告资源读取失败 (1)
Informational note Unknown form field (can't autocomplete) (1)
信息说明未知的表单字段 (不能自动完成) (1)
这篇关于安全参透之旅第3章 Skipfish工具使用的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!