skipfish

Bot User-Agent: skipfish

⚠️ Overview

skipfish is an automated web application security reconnaissance tool originally developed by Google security engineer Michal Zalewski and released as open source in 2010. It is designed to perform high-speed, low-noise security scans of web applications. Its source code remains available on the official Google Code Archive (now mirrored on GitHub under the google/skipfish repository) under the Apache License 2.0. Despite its legitimate security research origins, skipfish is frequently weaponized by malicious actors for reconnaissance and vulnerability discovery in environments they are not authorized to test.

🔧 Technical Capabilities

skipfish performs recursive web crawling and automated detection of a wide range of web vulnerabilities, including SQL injection, cross-site scripting (XSS), directory traversal, command injection, and server-side request forgery (SSRF). It employs a modular architecture with custom dictionary-based payload generation and heuristic analysis to minimize false positives. The scanner supports HTTP and HTTPS, handles cookies and authentication forms, and can follow redirects. It generates detailed HTML reports with a tree-like structure showing discovered URLs, attack vectors, and risk ratings. Unlike many scanners, skipfish deliberately uses a single-threaded event loop to avoid overwhelming target servers; this makes it stealthier, yet it remains capable of sending thousands of requests per minute during active crawling phases. Its fingerprinting engine can identify server software versions, error page templates, and common CMS platforms.

📜 History & Notable Incidents

Originally announced in a 2010 blog post by Michal Zalewski on the lcamtuf blog, skipfish quickly gained popularity among penetration testers and red teams. In 2012, a security researcher published a proof-of-concept demonstrating that skipfish could be used to identify CVE-2012-1823 (PHP-CGI argument injection) during automated scans. The tool was later forked and integrated into several commercial scanning suites. Notably, in 2018, threat intelligence reports from Recorded Future documented instances where skipfish was observed in automated reconnaissance campaigns targeting government .gov domains, with User-Agent strings modified to evade basic filtering. The official repository has not received updates since 2015, so its traffic is readily caught by modern detection techniques, yet it remains widely used because of its efficiency.

🔍 Detection Indicators

The default User-Agent for skipfish is Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; skipfish/2.10b) (the version component may vary). Behavioral indicators include a high volume of requests to non-existent directories (404 responses), repeated attempts at common injection points (e.g., ?id=1'), and sequential crawling with consistent timing intervals. The scanner often leaves a skipfish comment in JavaScript files or sends distinctive X-Requested-With headers such as XMLHttpRequest. Traffic patterns show rapid bursts of 10–20 requests followed by a pause, mimicking human browsing.
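A log-side check for the indicators above, as an added example that is not code from the skipfish project or from this page: it parses combined-format web server access logs and flags each client on three signals (the skipfish User-Agent substring, a high share of 404 responses, and quote-injection probes in query strings). The thresholds, the sample IPs and paths, and every User-Agent string other than the default quoted above are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format: client, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# A quote dropped into a query-string value: the ?id=1' style probe named in the indicators above.
PROBE_RE = re.compile(r"\?[^\s]*=[^\s&]*['\"]")

def analyze(log_text, min_requests=5, not_found_ratio=0.5):
    """Return {client_ip: [reasons]} for clients whose traffic matches skipfish indicators."""
    stats = defaultdict(lambda: {"total": 0, "nf": 0, "probes": 0, "ua": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:            # malformed line: skip it rather than abort the whole analysis
            continue
        s = stats[m["ip"]]
        s["total"] += 1
        s["nf"] += m["status"] == "404"
        s["probes"] += bool(PROBE_RE.search(m["path"]))
        s["ua"] |= "skipfish" in m["ua"].lower()
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["ua"]:
            reasons.append("user-agent contains 'skipfish'")
        # Spray of requests to non-existent paths; only judged once there are enough requests to be meaningful.
        if s["total"] >= min_requests and s["nf"] / s["total"] >= not_found_ratio:
            reasons.append(f"{s['nf']}/{s['total']} requests returned 404")
        if s["probes"]:
            reasons.append(f"{s['probes']} quote-injection probe(s) in query strings")
        if reasons:
            flagged[ip] = reasons
    return flagged
# Constructed sample traffic: documentation-range IPs, invented paths, timestamps and non-default UAs.
UA_SCAN = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; skipfish/2.10b)"
UA_EVADE = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"   # UA rewritten to hide the scanner
UA_HUMAN = "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
def _line(ip, path, status, ua):
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.10", "/", 200, UA_SCAN)]
    + [_line("198.51.100.7", f"/{d}/", 404, UA_EVADE) for d in ("admin", "backup", "old", "test")]
    + [_line("198.51.100.7", "/view.php?id=1'", 500, UA_EVADE), _line("198.51.100.7", "/", 200, UA_EVADE)]
    + [_line("192.0.2.5", p, 200, UA_HUMAN) for p in ("/", "/about", "/contact")]
    + ["garbage line that does not parse"])
if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The second client is caught purely on behaviour even though its User-Agent was rewritten, which is the case the history section describes.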

☠️ Risk & Impact

A successful scan by skipfish can map an entire web application’s attack surface, exposing hidden endpoints, parameter injection points, and server misconfigurations. Malicious operators can then exploit discovered vulnerabilities to steal credentials, exfiltrate database contents, or deface websites. The tool’s low-noise design makes it particularly dangerous for long‑term, persistent reconnaissance without immediate detection.

🛡️ Mitigation

This bot is blocked immediately on detection because its automated probing violates the Computer Fraud and Abuse Act and equivalent international laws, and any successful scan can lead to severe data breaches. Immediate action should include IP blacklisting, rate‑limiting, and Web Application Firewall (WAF) rules that inspect for skipfish’s User‑Agent and characteristic request patterns.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.