November 13, 2018
Syhunt Hybrid adds Jenkins extension - With today's release of Syhunt version update 6.4.1, Syhunt adds extensions for Jenkins that allow web application security scans to be called from within a Jenkins Pipeline script, allowing customers to integrate the Syhunt Dynamic and Syhunt Code scanner tools into their continuous delivery pipeline, schedule scans and much more. The beta extensions add three Groovy functions called syhunt.scanURL(), scanCode() and scanGIT() that can be used to perform dynamic and source code scans (DAST and SAST) from within a pipeline execution, optionally failing a build if a certain criteria is met (like if High risk vulnerabilities are found). "This is an important step towards making Syhunt easier to integrate across government and enterprise environments as part of ongoing and continuous secure development operations", says Syhunt's Chief Visionary Officer Felipe Daragon, "A long awaited feature that we're thrilled to deliver and evolve based on customer feedback and requirements".
Syhunt Hybrid 6.4.1 is available free of charge to all registered Syhunt users.
October 17, 2018
Syhunt Hybrid adds PCI DSS 3.2.1 support and more - Today we release version 6.4 of Syhunt Hybrid and Syhunt Community, a release with focus on compliance report generation and user interface (GUI) enhancements. This version comes with a revamped launcher screen, adds new PCI DSS related checks and many new compliance report options. Read more
September 8, 2018
Syhunt Hybrid 6.3 released, adds CVSS v3 support - We're happy to announce that Syhunt version 6.3, released today, adds full support for CVSS. CVSS stands for Common Vulnerability Scoring System and is an industry open standard designed to convey vulnerability severity and help determine urgency and priority of response. To enable the best use of the CVSS system, CVSS3 and CVSS2 vectors were assigned to all kinds of vulnerabilities currently detected by Syhunt Dynamic and Syhunt Code. Read more
June 15, 2018
Syhunt Hybrid 6.2 released, adds static code analysis of Node.js web apps - It was only last month that we announced the addition of SAST (static application security testing) for Java to Syhunt, but good news, we have a new update to share today which brings SAST for Node.js based web applications. Syhunt 6.2 is able to scan the source code of Node.js web applications for security vulnerabilities with coverage for the Express and Koa frameworks. Because Syhunt was already able to dynamically test Node.js and MongoDB based web apps for vulnerabilities, this update makes Syhunt an ideal tool for both penetration testing and code review (DAST and SAST) of web apps built using the MEAN stack - MongoDB, Express.js, AngularJS & Node.js. Read more
May 26, 2018
Syhunt Huntpad 1.02 released and is now open source - On May 3 the first version of Syhunt Huntpad was released, and we have received many positive comments about it. It is with great pleasure that we now announce that, following the same footsteps as the Sandcat Browser, today's Huntpad release (version 1.02) is opensource and available on GitHub, where we expect it to keep evolving with community contributions and feedback. To make this possible, we also published the source code of core Lua libraries developed by Syhunt: Forge and Underscript, published today, and Catarinka, published in 2014 at the same time as Sandcat and continuously updated since then. From now on, any developer can help shape the project, so it will be exciting to see how it evolves.
May 17, 2018
Syhunt Hybrid 6.1 released, adds static code analysis of Java web apps - Seven months later after the last big release of Syhunt, we're back with a significant update. Today we release version 6.1 of Syhunt Community and Syhunt Hybrid. This version comes with the ability to scan the source code of Java EE and JSP web applications for security vulnerabilities, a long-awaited and much requested feature that makes Syhunt an ideal tool for both penetration testing and code review of Java apps (DAST and SAST). Read more
April 13, 2018
National Security Research Institute selects Syhunt 6 - National Security Research Institute (NSRI), a research institute in South Korea, has selected Syhunt 6 for automating web application security testing. Today the NSRI is the only government funded research institute in Korea dedicated to the research of national information security. Syhunt is very proud to be selected to provide the latest release of its application security scanning sofware to the NSRI and to other organizations in Korea through its partners in the region.
Syhunt's already known unique scanning capabilities have been dramatically enhanced and expanded to meet the needs of government agencies and other large organizations. Recent improvements include the addition of advanced fingerprinting capabilities, enhanced spidering, injection, browsing and code scan capabilities, and a large number of new and improved checks. Read more
October 10, 2017
Syhunt releases version 6 of Syhunt Hybrid suite - After a year of intense research and development, we're very proud to release version 6.0 of the Syhunt Hybrid application security testing suite. With its huge list of updates, the new version marks its most drastic evolution yet and a major overhaul of both its scan engine and user interface, adding advanced fingerprinting capabilities, enhanced spidering, injection, browsing and code scan capabilities, and a large number of new and improved checks. Read more
October 1, 2016
Syhunt releases console web vulnerability scan tools - We're happy to release the new generation of Syhunt console-based scan tools, which we simply call ScanTools. The first release of Syhunt ScanTools comes with four console applications - ScanURL, ScanCode, ScanLog and ScanConf, incorporating the functionality of Syhunt Hybrid/Dynamic, Syhunt Code, Syhunt Insight and Syhunt Harden respectively. Whether you want to scan a live web application, source code files, web server logs or configuration files for vulnerabilities, weaknesses and more, Syhunt ScanTools can help you start the task with a single line command. Syhunt ScanTools is available for download as a freeware portable package or as part of Syhunt Community. Get it now at http://www.syhunt.com/en/?n=Tools.Download
June 3, 2016
Syhunt releases Insight tool, expands web backdoor detection - We're pleased to announce the immediate availability of our newest tool Syhunt Insight together with version 5.4 of the Syhunt Community and Hybrid software suites and a new release of the Sandcat browser.
Syhunt Insight is a proactive forensics/detection tool for application-level attacks and comes to complement our hybrid web application security assessment suite, allowing organizations not only to detect web application vulnerabilities, but to investigate and prevent security breaches through additional lens. Syhunt Insight brings a lightweight but powerful web server log analysis engine at its core, and is able to automatically build the profile of attackers during log scans, determine if a breach occurred, expose IP geolocation, inventory and environment information of attackers, and, if necessary, reconstruct sessions from the beginning aiming at a specific source.
In addition to this release, the latest round of changes in components include the following relevant enhancements:
- Syhunt Dynamic 5.4, with now over 300 web backdoor checks, along with UX enhancements, faster scans and improved support for ASP.NET and JSP-based web applications.
- Sandcat Browser 5.2, with stability, UX and Lua API enhancements. Full ChangeLog
August 28, 2015
Syhunt releases Community Edition of its hybrid application security scanner - We're pleased to announce the immediate availability of Syhunt Community. This is the first release of a free, community edition of our flagship product Syhunt Hybrid, available at no-charge for the community. Syhunt Community is built on top of Syhunt’s open source pen-test oriented web browser Sandcat and can be used for scanning web applications for multiple types of vulnerabilities, including commonly exploited coding mistakes, through both dynamic and source code analysis. Some of the vulnerabilities covered include:
- Cross-Site Scripting (XSS)
- SQL Injection (for MySQL and Oracle powered web applications)
- Unvalidated Redirects
- Directory Listing
- Directory Traversal
- Information Disclosure
- Old/Backup Files (Common Backup Files & Folders)
- Path Disclosure
- Source Code Disclosure
Syhunt Community comes without any time restrictions and although not nearly as complete as the full-featured Syhunt Hybrid product (see a full comparison), it can help security auditors and developers to start improving the security of web applications and websites right away, helping evaluate the coding practices currently in place within an organization or a group. The first incarnation of Syhunt Community carries the 5.3 version number, which is the current version number of Syhunt Hybrid - it runs under any modern Windows version and can be downloaded at the link below. Feel free to try it - there is no license required, and if you wish, it is possible to upgrade to the commercial edition of Syhunt through our online store, and obtain full vulnerability detection with the most complete feature set included.
Download Syhunt Community 5.3
June 17, 2015
Syhunt Hybrid 5.3 brings dramatically improved detection accuracy - We're proud to announce another milestone in the evolution process of Syhunt Hybrid with the addition of a significant number of new vulnerability checks and improved detection of JSP-based vulnerabilities to its DAST (dynamic application security testing) component. The new checks give the product the ability to achieve 100% detection of today's WAVSEP vulnerabilities and an even higher detection of vulnerabilities in custom web applications:
- SQL Injection & XSS - Syhunt Hybrid can detect 100% of the SQL Injection and XSS vulnerabilities, but now all SQLi false positive cases in WAVSEP are correctly handled and additional SQLi checks were added.
- Local File Inclusion - Syhunt Hybrid is now able to detect 100% of the WAVSEP 1.5 LFI cases (all of the 816 cases) during fast or normal scans.
- Remote File Inclusion - With the improved RFI and LFI detection, Syhunt Dynamic reaches the same results obtained by AppScan in the last WAVSEP, which was #1 at the time. Syhunt Dynamic is now able to detect 100% of the WAVSEP 1.5 RFI test cases, becoming tied with it.
- Unvalidated Redirect - Syhunt is now able to detect 100% of the Unvalidated Redirect cases that are part of the WAVSEP 1.5 test environment.
- Hidden, Obsolete & Backup Files - Syhunt is now able to detect all of the latest WAVSEP hidden file cases (including copied files).
Other changes include:
- New hunt methods for the improved categories:
- fileinc - Checks for Remote & Local File Inclusion. Works for both code and dynamic scans.
- fileold - Checks Hidden, Obsolete & Backup Files, but not as aggressively as the structbf (Structure Brute Force) method. Applies only to dynamic scans.
- unvredir - Checks for Unvalidated Redirect vulnerabilities. Works for both code and dynamic scans.
- Improved URL parameter manipulation.
Syhunt Hybrid 5.3 is available free of charge to all registered Syhunt users.
March 26, 2015
Syhunt Hybrid 5.2 released with major improvements - We are happy to announce the immediate availability of Syhunt Hybrid 5.2. The new release is now tightly integrated with the latest Syhunt Dynamic, Syhunt Code and Sandcat Browser releases. Over the last months, the browser has been a major focus for Syhunt, which has resulted in numerous improvements such as better certificate handling, and major stability and performance enhancements. We're committed to continue improving the user experience and make modifications to take the product to the next level.
Thanks to all the organizations that have recently joined our customer community and the ones who have been with us since the beginning, who entrust us with their web application security needs and help us further enhance our tools.
May 22, 2014
Syhunt releases Sandcat Browser 5.0 — We're excited to announce a brand new version of our pen-test oriented web browser Sandcat (codenamed Catarinka browser). The new release will also be available as part of the 5.1 release of the Syhunt Hybrid suite. The new enhancements include: faster startup and responsiveness, huge refactoring and cleanup of the current code, latest Chromium component and improved compatibility with 64-bit Windows editions.
February 20, 2014
Syhunt Dynamic soars to number 1, reaches 94% crawling coverage — New WAVSEP benchmark - The WAVSEP - The Web Application Vulnerability Scanner Evaluation Project performed a massive array of tests on 63 black box web application vulnerability scanners and SAAS services. The comparison findings were published on February 5, 2014. The entire industry and security community benefits from an up-to-date comparison of today's web application security scanners like this one.
A while back — in December, we announced the release of Syhunt Dynamic 5.0 with greatly superior crawling/spidering. This year's WAVSEP data reflects the improvements that have been made in Syhunt Dynamic and shows Syhunt has the number 1 crawling coverage alongside 3 other top solutions which were able to achieve 94 percent coverage on its WIVET test.
WIVET is an open source benchmarking project that aims to statistically analyze web link extractors and adopted as an extension to the WAVSEP project. The WIVET test evaluates the scanner support for various web technologies and its ability to handle obstacles while crawling and mapping the structure of websites. According to the WAVSEP, developers, penetration testers and QA engineers need a tool with a high score in this category, especially if they prefer as much automation as possible in the web application security assessment process.
When it comes to vulnerability detection rates, Syhunt Dynamic repeated last year's performance with 100 percent detection of SQL Injection, both blind and time-based, and XSS (Cross-Site Scripting) vulnerabilities. WAVSEP used a large collection of over 1000 vulnerable test cases for 6 different attack vectors to compare the tools, which were made public simultaneously with the results.
See the full details about the WAVSEP 2014 comparison here.
February 20, 2014
Syhunt Hybrid now detects open redirect vulnerabilities - Today we are announcing that Syhunt Hybrid 5.01 is now available for download in the customer area for subscribed customers. This update expands Syhunt's extensive list of checks by bringing in the ability to locate open/unvalidated redirect vulnerabilities in web applications, an ability that is now supported by our dynamic application security testing solution, Syhunt Dynamic, our static application security testing solution, Syhunt Code, and the even more advanced Syhunt Hybrid, which combines both solutions.
Unvalidated redirects are often exploited to perform phishing attacks and used, for example, to trick users into revealing their passwords and downloading malware. The weakness, also referred to as CWE-601 by the MITRE's Common Weakness Enumeration project, is considered an OWASP violation and listed as part of their Top Ten 2013 document.
With this new addition, Syhunt now checks for over 30 classes of web application security vulnerabilities, including XSS (Cross-Site Scripting), SQL Injection, File Inclusion and Command Execution vulnerabilities. Syhunt plans to keep adding new checks and improving existing ones in future updates.
January 12, 2014
Major higher-education institution in France selects Syhunt - École Polytechnique, a higher-education and research institution in France, has selected Syhunt Hybrid for securing all its web sites and web applications. Syhunt is pleased to provide its hybrid web application security scanning solution to this customer and to other organizations in Europe and the rest of the world that are part or will be joining our customer community. Syhunt's unique scanning capabilities are allowing customers to perform deep remote assessments and code reviews of web applications like they never did before and to fix a high number of vulnerabilities they never thought existed.