skipfish on OpenSolaris
By user9148476 on Mar 25, 2010
There's been several articles about skipfish, a web application recon tool from Google. Ignoring the documentation that called for glibc to be present, I tried the compile anyway. Aside from environment variable adjustments and an include file or two, the primary obstacle is the use of glibc's malloc_usable_size() - its primary apparent usage is to assist in zeroing out malloc'd memory.
I'd done some testing with pulling out malloc_usable_size and the tool would run, but bail when writing out final results (see the comments). I've since went the route of modifying skipfish to use Doug Lea's malloc library, which includes an implementation of malloc_usable_size(). And that's been working great.
initial allocations). I've uploaded a patch for the necessary changes. The patch is based on v1.26b of skipfish.
The basic steps:
Ensure you have the IDN library installed $ pkg list |grep idn library/idnkit (opensolaris.org) 0.5.11-0.134 installed ----- library/libidn (opensolaris.org) 1.9-0.134 installed ----- Download and unpack skipfish Copy the patch into the unpacked skipfish directory. $ cd skipfish $ patch -p1 < skipfish.1.26b.solaris.dmalloc.patch patching file alloc-inl.h patching file dlmalloc.c patching file dlmalloc.h patching file Makefile patching file report.c $ CC="/usr/bin/gcc" CFLAGS="-I/usr/include/idn -DUSE_LOCKS" \\ LIBS="-lsocket -lnsl -lpthread" make
From there, read the skipfish wiki for details on running the tool. Also check out the known issues. The item I hit immediately was not having a terminal size of at least 100x35. Things run fine, but the output to the terminal can get munged at smaller sizes.
If you do any testing of skipfish running on OpenSolaris, let me know how it goes. May look at getting this into the SourceJuicer. And by the way, I'm not a web-security expert. While I'm happy to (try to) answer questions about why skipfish may not compile on OpenSolaris, I cannot answer questions about the results the tool returns.