Quoting from skipfish’s README file,  ”A number of commercial and open source tools with analogous functionality is readily available (e.g., Nikto, Nessus); stick to the one that suits you best.That said, skipfish tries to address some of the common problems associated with web security scanners”. Specifically, it tries to achieve high performance and claims to achieve  over 500 requests per second against Internet targets, over 2000 requests per second against LAN/MAN networks and over 7000 requests per second against local instances. It is designed to be highly adaptive, reliable and produce accurate results.

Skipfish has a large list of security checks, divided in categories according to their impact. High risk issues include server-side SQL injection, explicit SQL syntax in GET/POST parameters, command injection, XML/XPath injection, format string and integer overflow vulnerabilities. Medium and low risk issues include various other checks, including XSS injection, Directory traversal/bypass, attacker supplied scripts/CSS inclusion and many other.

Running Skipfish is easy and customizable, the output is generated to a html file, full report is included. A screenshot of a command line execution can be seen below and a screenshot of a sample html output here.

Skipfish is written in C language and is available for download through Google code under Apache 2.0 License here. Detailed documentation is included in README file in source tarball or in the wiki.