Archive for April, 2010

skipfish – fast, easy and simple

Tuesday, April 27th, 2010

Skipfish is google code project. It is web application security scanner, high speed (they claim 2000 requests per second* – * – at local LAN :) ) and due the fact it is command line tool without fancy wizards, options and so on, it is relatively easy to use, and for sure it is easy to just start scanning.

Skipfish is active scanner so it first scan application, preparing the map of web site, than recursively ran different test, the last thing is report generation. Documentation is simple and has a lot of example we can start on. So let’s see that in action.

One of such command is:

$ skipfish -m 5 -LVJ -W /dev/null -o output_dir -b ie http://www.example.com/

During the scan, Skipfish is displaying statistics:

Scan statistics
---------------

       Scan time : 0:11:07.0068
   HTTP requests : 2446 sent (3.71/s), 16228.73 kB in, 659.18 kB out (25.32 kB/s)  
     Compression : 0.00 kB in, 0.00 kB out (0.00% gain)    
 HTTP exceptions : 34 net errors, 0 proto errors, 0 retried, 0 drops
 TCP connections : 2451 total (1.09 req/conn)  
  TCP exceptions : 0 failures, 1 timeouts, 0 purged
  External links : 745 skipped
    Reqs pending : 219        

Database statistics
-------------------

          Pivots : 471 total, 94 done (19.96%)    
     In progress : 323 pending, 38 init, 12 attacks, 4 dict    
   Missing nodes : 54 spotted
      Node types : 1 serv, 269 dir, 46 file, 1 pinfo, 91 unkn, 63 par, 0 val
    Issues found : 70 info, 111 warn, 49 low, 1 medium, 13 high impact
       Dict size : 0 words (0 new), 0 extensions, 0 candidates

After few hours/minutes, it depends on the site we are scanning, we will got

[+] Copying static resources...
[+] Sorting and annotating crawl nodes: 1666
[+] Looking for duplicate entries: 1666
[+] Counting unique issues: 1158
[+] Writing scan description...
[+] Counting unique issues: 1666
[+] Generating summary views...
[+] Report saved to outputDir/index.html
[+] This was a great day for science!

The report consist of “crawl results”, “document type overview” and “issue type overview”. My last scan result has some finding, but also has a lot of false positives, it seams that a lot of work still waiting for a Skipfish team, but it looks promising.

Posted in technology, testing | No Comments »

Pedro Newsletter 01-05.04.2010

Thursday, April 22nd, 2010

Posted in java | 1 Comment »

Pedro Newsletter 25-31.03.2010

Sunday, April 11th, 2010

A like that quote: “Do the difficult things while they are easy and do the great things while they are small. A journey of a thousand miles must begin with a single step.” ~Lao Tzu

Posted in java | No Comments »

Scala Wave at Google

Thursday, April 8th, 2010

Some time ago Google acquires AppJet, what is AppJet? It was company behind a backend of etherpad the first and currently only one solution which allows for real-time editing by many people, whats is interesting in this fact is that they use Scala to develop this web-application. We can look at the code at Google Code Etherpad project.

It may be very interesting and you can learn a lot from such a project and such success stories can accelerate Scala enterprise adoption. Unfortunately this project is now spare time project for authors, because now the team is working on Google Wave

Posted in java | 1 Comment »

Pedro News 18-24.03.2010

Wednesday, April 7th, 2010

Another portion of pretty delicious news :)

Posted in java | 2 Comments »

about me

My name is Sebastian Pietrowski. I've finished Warsaw University as Master degree. During my studies I started work for merlin.pl. The primary language I use is Java but I have also programmed in Python, Ruby and Scala. I worked as a technical solution architect at merlin.pl. infrastructure when we were moving from PL/SQL to J2EE. I engineering a great performance optimized solution that made the application 10 times faster than requirements and 85 times faster as original solution.

Currently, I am working as a Senior Expert at F.Hoffmann-La Roche to help define future roadmap in design and development of Enterprise software at Roche and Genentech and build adoption for new technologies. I'm continuously mentoring new developers, helping them understand how important test driven development is and empowering them to get better at their daily job. I'm involved in many activities which brings new technologies for better and faster development. You can find more details on my LinkedIn profile.

But don’t get me wrong, I am not your typical nerd. I'm a pleasant guy that you can drink a glass of wine with me and talk about a range of topics with. My leisure activities include playing basketball, soccer and listening to music. I try to be pragmatic while staying focused on application performance and tuning with success in my daily work.

My favorite quote from Yoda's and my life’s motto is: Do, or do not. There is no try.