Yahoo open-sources Gryffin, a large scale web security scanning platform

Yahoo has open-sourced Gryffin, a scanning platform for web applications.

The developers’ goal was to create a security scanner able both to discover as much of the application footprint as possible (crawl phase) and to test the various parts of it for specific vulnerabilities (scan phase).

What makes Gryffin special is not only the better coverage mentioned above but also its scalability.

“Inherent scalability translates to capability of scanning, and supporting a large elastic application infrastructure. Simply put, the ability to scan 1000 applications today to 100,000 applications tomorrow by straightforward horizontal scaling,” they explained on the project’s page on GitHub.

During the crawling phase, Gryffin discovers the apps’ links and code paths. It saves time by not crawling pages whose HTML structure is similar to that of a previously checked one.
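The article does not describe how Gryffin decides that two pages share a structure, so the following is an added illustration rather than the project’s own code: it strips a page down to its tag skeleton, fingerprints the tag bigrams with a simhash (a standard near-duplicate technique, assumed here, not confirmed for Gryffin), and skips a page whose fingerprint lies within a small Hamming distance of one already queued. The sample pages, the threshold of 3 and every function name are constructed for this example.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"math/bits"
	"strings"
)

// Constructed sample pages: postA and postB share one template and differ
// only in text and attribute values; loginForm has a different skeleton.
const postA = `<html><body><div class="post"><h1>First post</h1><p>Hello <a href="/x">link</a></p><ul><li>a</li><li>b</li></ul></div></body></html>`
const postB = `<html><body><div class="post"><!-- tracking id 42 --><h1>Second post</h1><p>Other words and a <a href="/y">different link</a></p><ul><li>c</li><li>d</li></ul></div></body></html>`
const loginForm = `<html><body><form action="/login" method="post"><label>User</label><input name="u"><label>Pass</label><input name="p" type="password"><button>Go</button></form></body></html>`

func isAlnum(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
}

// tagSequence extracts the ordered tag names (opening and closing) from an
// HTML document, dropping text, attribute values, comments and the doctype.
// Only the skeleton survives, which is what we want to compare.
func tagSequence(doc string) []string {
	var tags []string
	for i := 0; i < len(doc); i++ {
		if doc[i] != '<' {
			continue
		}
		i++
		if i < len(doc) && doc[i] == '!' { // comment or doctype: skip to '>'
			for i < len(doc) && doc[i] != '>' {
				i++
			}
			continue
		}
		start := i
		if i < len(doc) && doc[i] == '/' { // closing tag keeps its slash
			i++
		}
		for i < len(doc) && isAlnum(doc[i]) {
			i++
		}
		name := strings.ToLower(doc[start:i])
		if name == "" || name == "/" { // a bare '<' in text, not a tag
			continue
		}
		tags = append(tags, name)
		for i < len(doc) && doc[i] != '>' { // skip attributes
			i++
		}
	}
	return tags
}

// structuralFeatures turns the tag sequence into adjacency bigrams ("div>h1")
// so that reordering elements changes the fingerprint, not just the tag set.
func structuralFeatures(tags []string) []string {
	feats := make([]string, 0, len(tags))
	for i := 0; i+1 < len(tags); i++ {
		feats = append(feats, tags[i]+">"+tags[i+1])
	}
	return feats
}

// Simhash computes a 64-bit locality-sensitive fingerprint: every feature's
// FNV-1a hash votes +1/-1 on each bit and the sign of the tally sets the bit.
// Similar feature multisets land on fingerprints with a small Hamming
// distance, unlike a plain hash where one change flips everything.
func Simhash(features []string) uint64 {
	var tally [64]int
	for _, f := range features {
		h := fnv.New64a()
		h.Write([]byte(f))
		v := h.Sum64()
		for b := 0; b < 64; b++ {
			if v&(1<<uint(b)) != 0 {
				tally[b]++
			} else {
				tally[b]--
			}
		}
	}
	var fp uint64
	for b := 0; b < 64; b++ {
		if tally[b] > 0 {
			fp |= 1 << uint(b)
		}
	}
	return fp
}

// StructureFingerprint is the whole pipeline: HTML in, 64-bit fingerprint out.
func StructureFingerprint(doc string) uint64 {
	return Simhash(structuralFeatures(tagSequence(doc)))
}

// HammingDistance counts the bits on which two fingerprints differ.
func HammingDistance(a, b uint64) int {
	return bits.OnesCount64(a ^ b)
}

// Dedup remembers the fingerprints of pages already queued for scanning.
type Dedup struct {
	seen      []uint64
	threshold int // max Hamming distance still treated as "same structure"
}

// ShouldScan reports whether a page's structure is new. A near-duplicate of
// an already seen page (distance <= threshold) is skipped, which is the time
// saving the article describes for the crawl phase.
func (d *Dedup) ShouldScan(doc string) bool {
	fp := StructureFingerprint(doc)
	for _, s := range d.seen {
		if HammingDistance(fp, s) <= d.threshold {
			return false
		}
	}
	d.seen = append(d.seen, fp)
	return true
}

func main() {
	d := &Dedup{threshold: 3}
	for _, p := range []string{postA, postB, loginForm} {
		fmt.Printf("%016x scan=%v\n", StructureFingerprint(p), d.ShouldScan(p))
	}
}
```

Running it queues postA and loginForm but skips postB, whose fingerprint is identical to postA's because the two pages have the same tag skeleton. The threshold is the tuning knob a crawler operator cares about: too high and genuinely different forms on the same template are never scanned; too low and every article in a CMS is fuzzed separately.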

The developers didn’t spend time creating new fuzzer modules.

“Gryffin at production scale at Yahoo uses open source and custom fuzzers. Some of these custom fuzzers might be open sourced in the future, and might or might not be part of the Gryffin repository,” they shared.

This open source (beta) version of Gryffin ships with the sqlmap and arachni scanners to demonstrate the platform’s capabilities. These two fuzzers are aimed at finding SQL injection and XSS vulnerabilities, respectively.

“While Gryffin is available as a standalone package, it’s primarily built for scale,” the developers explained. “Gryffin is built on the publisher-subscriber model. Each component is either a publisher, or a subscriber, or both. This allows Gryffin to scale horizontally by simply adding more subscriber or publisher nodes.”

For more information about the platform and the prerequisites for using it, go here.