NOTE: This is not an officially supported Google product

 ____  _            __ _     _
|  _ \| |_   _ ___ / _(_)___| |__
| |_) | | | | / __| |_| / __| '_ \
|  __/| | |_| \__ \  _| \__ \ | | |
|_|   |_|\__,_|___/_| |_|___/_| |_|

Introduction

Plusfish is a classic web application vulnerability scanner/fuzzer and aimed at security professionals.

Design philosophy

Typical web application scanners are tuned towards low noise and low false positive rates. This is more user friendly but comes with the risk of false negatives. For example, other scanners might use a long XSS payload that can trigger a vulnerability in multiple conditions and this reduces the amount of requests needed and reduces the intrusiveness of the scan.

The more complex a payload, the higher the chance it could get blocked by the application which can result in a false positive.

Plusfish takes a complete opposite approach and uses as many payloads, encodings, injection points, etc as possible. This results in significant more traffic and you will also end up with more data to process after the scan.

Due to these characteristics; plusfish is positioned towards aiding security professionals in their assessments by providing a lot of signals rather than being a point, click and report tool.

Key features

High performance

Despite the scanner currently being single process and single threaded; you can reach 1000's requests per seconds when you tune the tool (and your server can handle it) properly.

Highly customizable

The checks it does, scan duration, request rate, client certificate, proxy usage, report type and pretty much the entire behavior of the scanner can be controlled through flags and configuration files.

Browser independent

Does not make use of a browser/browser engine and has a full control over its document fetching and rendering behavior. As such the behavior of various browsers can be emulated (or considered) during security tests.

This also is a limitation at the moment because Javascript execution isn't supported in this initial version. We do however plan on adding this.

Thorough security testing

The security checks are designed to bring confirmed and potential security issues to the attention of security engineers. While we avoid false positives, we certainly do not avoid edge case vulnerabilities that require manual review for confirmation.

Generic check language

Generic security checks can be written in a powerful and structured language. In the checks payloads, injection methods, encoding methods and response matching behaviors can all be customized.

In fact, the majority of the security checks are currently implemented in the configuration files. Adding one is just a matter of editing the file and re-running the scan.

Finding hidden files or directories

Using the extensive wordlists it is possible to let plusfish hunt for hidden files and directories. If found, they are also subject to the security tests.

Current status

The tool is not finished and currently best for testing server-side security problems.

More information

Please have a look at:

• The build document on how to compile plusfish.
• The examples document for example on running a scan
• The configuration document loginfor insight in how security
• How to contribute.

Credits

Written by Niels Heinen with the help of attwad