Google has released Skipfish, a new free web application security testing tool, under an Apache open-source licence.
The software can be used to automatically scan web applications for dozens of vulnerability classes, including SQL injection and integer overflows. Google said the software is designed to be fast, and can handle up to 2,000 HTTP requests per second.
The company has previously released Ratproxy, a 'passive' web security analyser. Skipfish is a more traditional 'active' vulnerability testing tool along the lines of Nessus, from Tenable Network Security, which is also free for personal use.
As with all such tools, Skipfish could be abused by malefactors. Addressing this, Google's documentation reads: “Please do not be evil. Use skipfish only against services you own, or have a permission to test.”
“Keep in mind that all types of security testing can be disruptive. Although the scanner is designed not to carry out malicious attacks, it may accidentally interfere with the operations of the site,” the company warns.