.\" vi:set wm=5
.TH SKIPFISH 1 "March 23, 2010"
.SH NAME
skipfish \- active web application security reconnaissance tool
.SH SYNOPSIS
.B skipfish
.RI [ options ] " -o output-directory start-url [start-url2 ...]"
.br
.SH DESCRIPTION
.PP
\fBskipfish\fP is an active web application security reconnaissance tool.
It prepares an interactive sitemap for the targeted site by carrying out a
recursive crawl and dictionary-based probes. The resulting map is then
annotated with the output from a number of active (but hopefully
non-disruptive) security checks. The final report generated by the tool is
meant to serve as a foundation for professional web application security
assessments.
.SH OPTIONS
.SS Authentication and access options:
.TP
.B \-A user:pass
use specified HTTP authentication credentials
.TP
.B \-F host:IP
pretend that 'host' resolves to 'IP'
.TP
.B \-C name=val
append a custom cookie to all requests
.TP
.B \-H name=val
append a custom HTTP header to all requests
.TP
.B \-b (i|f)
use headers consistent with MSIE / Firefox
.TP
.B \-N
do not accept any new cookies
.SS Crawl scope options:
.TP
.B \-d max_depth
maximum crawl tree depth (default: 16)
.TP
.B \-c max_child
maximum children to index per node (default: 1024)
.TP
.B \-r r_limit
max total number of requests to send (default: 100000000)
.TP
.B \-p crawl%
node and link crawl probability (default: 100%)
.TP
.B \-q hex
repeat a scan with a particular random seed
.TP
.B \-I string
only follow URLs matching 'string'
.TP
.B \-X string
exclude URLs matching 'string'
.TP
.B \-S string
exclude pages containing 'string'
.TP
.B \-D domain
also crawl cross-site links to a specified domain
.TP
.B \-B domain
trust, but do not crawl, content included from a third-party domain
.TP
.B \-O
do not submit any forms
.TP
.B \-P
do not parse HTML and other documents to find new links
.SS Reporting options:
.TP
.B \-o dir
write output to specified directory (required)
.TP
.B \-J
be less noisy about MIME / charset mismatches on probably static content
.TP
.B \-M
log warnings about mixed content
.TP
.B \-E
log all HTTP/1.0 / HTTP/1.1 caching intent mismatches
.TP
.B \-U
log all external URLs and e-mails seen
.TP
.B \-Q
completely suppress duplicate nodes in reports
.TP
.B \-u
be quiet, do not display realtime scan statistics
.SS Dictionary management options:
.TP
.B \-W wordlist
load an alternative wordlist (skipfish.wl)
.TP
.B \-L
do not auto-learn new keywords for the site
.TP
.B \-V
do not update wordlist based on scan results
.TP
.B \-Y
do not fuzz extensions during most directory brute-force steps
.TP
.B \-R age
purge words that resulted in a hit more than 'age' scans ago
.TP
.B \-T name=val
add new form auto-fill rule
.TP
.B \-G max_guess
maximum number of keyword guesses to keep in the jar (default: 256)
.SS Performance settings:
.TP
.B \-g max_conn
maximum simultaneous TCP connections, global (default: 50)
.TP
.B \-m host_conn
maximum simultaneous connections, per target IP (default: 10)
.TP
.B \-f max_fail
maximum number of consecutive HTTP errors to accept (default: 100)
.TP
.B \-t req_tmout
total request response timeout (default: 20 s)
.TP
.B \-w rw_tmout
individual network I/O timeout (default: 10 s)
.TP
.B \-i idle_tmout
timeout on idle HTTP connections (default: 10 s)
.TP
.B \-s s_limit
response size limit (default: 200000 B)
.TP
.B \-h, \-\-help
show summary of options
.SH AUTHOR
skipfish was written by Michal Zalewski.
.PP
This manual page was written by Thorsten Schifferdecker, for the Debian
project (and may be used by others).