What's New in Syhunt 6.5 (November 29, 2018)

Syhunt adds F5 BIG-IP ASM compatible vulnerability export, Jenkins extension, GIT support and more

Today we release version 6.5 of Syhunt Hybrid and Syhunt Community, a release focused on integration with other systems such as Jenkins, F5 BIG-IP Application Security Manager (ASM) and GIT source code control systems, as well as spider improvements and framework-specific optimizations.

F5 BIG-IP ASM compatible scanner export

The F5 BIG-IP Application Security Manager (ASM) can import vulnerability scan results from Syhunt Dynamic scans and use them to virtually patch vulnerable web applications. Syhunt 6.5 generates vulnerability exports compatible with the F5 BIG-IP ASM system. To generate the export, select XML ASM as the file type when saving a report.

Jenkins extensions

Syhunt 6.5 comes with extensions for Jenkins that allow web application security scans to be called from within a Jenkins Pipeline script, allowing customers to integrate the Syhunt Dynamic and Syhunt Code scanner tools into their continuous delivery pipeline, schedule scans and much more. The beta extensions add three Groovy functions called syhunt.scanURL(), scanCode() and scanGIT() that can be used to perform dynamic and source code scans (DAST and SAST) from within a pipeline execution, optionally failing a build if a certain criterion is met (for example, if High risk vulnerabilities are found).

GIT Protocol Support

Syhunt 6.5 adds support for GIT URLs in the ScanCode CLI utility and Lua API, and support for GIT branches in both the CLI utility and the scanGIT() command for Jenkins. The examples below show how to scan a GIT repository.

-- from the command prompt
scancode git://sub.domain.com/repo.git
scancode https://github.com/user/repo.git -rb:master

-- from Jenkins pipeline script
syhunt.scanGIT([target: 'https://github.com/someuser/somerepo.git', branch: 'master', build: 'failifriskmedium'])

-- from Lua script
code:scanurl('https://github.com/someuser/somerepo.git', 'master')

Additional Improvements and Changes

Additional improvements in Syhunt 6.5 include:

  • Added Dynamic Targets screen to launcher - lets you manage a list of common target URLs. You can access it through the purple bookmark icon in the Launcher toolbar.
  • Added WII framework related optimizations.
  • Added the ability to import and export a scan session from/to a file.
  • Reviewed hunt methods Malware Content and Structure Brute Force and enabled additional checks. Improved extension checking and structure brute force checks and fixed a false positive case.
  • Improved XML exports.
  • Improved spider (improved web site caching and mapping).
  • This release comes with the latest Syhunt Sandcat browser updates and drops support for Windows Vista.

We hope you enjoy the new release!

What's New in Syhunt 6.4 (October 17, 2018)

Syhunt adds PCI DSS 3.2.1 support and more

Today we release version 6.4 of Syhunt Hybrid and Syhunt Community, a release focused on compliance report generation and user interface (GUI) enhancements. This version comes with a revamped launcher screen (see the screenshot below), adds new PCI DSS related checks (such as checking for unencrypted credit card transactions) and many new compliance report options, such as:

  • PCI DSS compliance versions 3.2 and 3.2.1
  • All recent OWASP lists, including the latest OWASP Top 10 list
  • CWE/SANS Top 25 Most Dangerous Software Errors
  • WASC (The Web Application Security Consortium) Threat Classification

Additional improvements include:

  • Added 183 additional admin paths.
  • Added additional password file disclosure checks.
  • Added Joomla-specific optimizations.
  • Added Nginx support in Syhunt Insight.
  • Improved spidering (additional link extraction and improved relative path handling).
  • Combined link list with additional details into new Coverage report section.

Screenshot: Revamped Launcher

We hope you enjoy the new release!

What's New in Syhunt 6.3 (September 8, 2018)

Syhunt now supports CVSS v3 vulnerability scoring

We're happy to announce that Syhunt version 6.3, released today, adds full support for CVSS. CVSS stands for Common Vulnerability Scoring System and is an industry open standard designed to convey vulnerability severity and help determine urgency and priority of response.

To enable the best use of the CVSS system, CVSS3 and CVSS2 vectors were assigned to all kinds of vulnerabilities currently detected by Syhunt Dynamic and Syhunt Code. Now, when a report is generated, vulnerabilities are sorted by default based on their CVSS3 score. This means that instead of the classic four-step sorting (High, Medium, Low, Info), there are now 101 possible vulnerability ratings, going from 0.0 (None) to 10.0 (Critical), determined during runtime. In addition to this, XML exports now contain full CVSS3 and CVSS2 data, such as the Base Score, Impact Score, Exploitability Score, Temporal Score and more.

Rating      CVSS Score
Low         0.1 - 3.9
Medium      4.0 - 6.9
High        7.0 - 8.9
Critical    9.0 - 10.0

Additional Improvements

  • Added a Comparison report template that displays the evolution of vulnerabilities over time by automatically comparing previous scan session data related to a specific target.
  • Added the ability to compare past scan sessions to determine new, unchanged or removed vulnerabilities, and save the comparison results as HTML (Menu -> Past Sessions -> Compare Checked button).
  • Revamped PDF report generation.


We hope you enjoy the new release!

What's New in Syhunt 6.2 (June 15, 2018)

Syhunt now supports ASP.NET, Perl, PHP, Python, Java, JS and Lua code

It was only last month that we announced the addition of SAST (static application security testing) for Java to Syhunt, but good news, we have a new update to share today which brings SAST for Node.js based web applications. Syhunt 6.2 is able to scan the source code of Node.js web applications for security vulnerabilities with coverage for the Express and Koa frameworks. Because Syhunt was already able to dynamically test Node.js and MongoDB based web apps for vulnerabilities, this update makes Syhunt an ideal tool for both penetration testing and code review (DAST and SAST) of web apps built using the MEAN stack - MongoDB, Express.js, AngularJS & Node.js.

Code Checks for Node.js (Stable)

Syhunt 6.2 adds security code checks targeting Node.js web apps, covering:

  • Cross-Site Scripting (XSS)
  • SQL Injection
  • Code Injection
  • Unvalidated Redirect
  • File Manipulation
  • Command Execution
  • HTTP Header Injection
  • Log Forging
  • Server-Side Request Forgery
  • Input filtering/validation analysis

Note: Checks above in gray color are only available in the professional editions of Syhunt.

We hope you enjoy the new release!

What's New in Syhunt 6.1 (May 17, 2018)

Seven months after the last big release of Syhunt, we're back with a significant update. Today we release version 6.1 of Syhunt Community and Hybrid. This version comes with the ability to scan the source code of Java EE and JSP web applications for security vulnerabilities, a long-awaited and much requested feature that makes Syhunt an ideal tool for both penetration testing and code review of Java apps (DAST and SAST).

Ready to download and use

We comprehensively tested and reviewed the Syhunt 6.1 code scanner results with the help of over 1600 vulnerable Java web apps originating from the WAVSEP project, the NIST SAMATE project and Syhunt Lab's own test cases, reaching highly accurate detection rates of Cross-Site Scripting (XSS), SQL Injection, File Inclusion and many other security flaws. The full list of checks is available below.

Code Checks for Java (Stable)

Syhunt 6.1 adds 70 comprehensive security code checks targeting Java web apps, covering:

  • Cross-Site Scripting (XSS)
  • SQL Injection - including HQL
  • Unvalidated Redirect
  • File Manipulation
  • Command Execution
  • HTTP Header Injection
  • LDAP Injection
  • XML Injection (XXE)
  • XPath Injection
  • Log Forging
  • Information Disclosure
  • Input filtering/validation analysis

Note: Checks above in gray color are only available in the professional editions of Syhunt.

Code Checks for Lua (Beta)

Syhunt 6.1 brings support for an additional language: Lua, and is able to scan (though in beta form) the source code of Lua-based web applications compatible with Apache's mod_lua, CGILua and Lua Pages for vulnerabilities such as:

  • Cross-Site Scripting (XSS)
  • SQL Injection
  • Local File Inclusion
  • Command Execution
  • Code Injection
  • HTTP Header Injection

Other Improvements in Syhunt Code 6.1

  • Improved XSS detection in multiple languages (classic ASP, ASP.NET & PSP).
  • Improved input filtering analysis.
  • Improved speed (scan optimization).
  • Improved support for short write tag in multiple languages.
  • Automatic Python WSGI script detection.

We hope you enjoy the new release!

What's New in Syhunt 6.0 (October 10, 2017)

After a year of intense research and development, we're very proud to release version 6.0 of the Syhunt Hybrid application security testing suite. With its huge list of updates, the new version marks its most drastic evolution yet and a major overhaul of both its scan engine and user interface, adding advanced fingerprinting capabilities, enhanced spidering, injection, browsing and code scan capabilities, and a large number of new and improved checks.

Most of the improvements described on this page apply as well to the Community Edition of Syhunt released simultaneously today. If you prefer to read only what's new in Syhunt Community, visit here.

Revamped Hybrid User Interface

The new release adds the display of Hybrid, Dynamic and Code detailed scan statistics and progress both to the user interface and the command-line tools, and restores the site tree, implemented from scratch with the level of attention that it demanded.

Syhunt Dynamic's UI while a demo scan is in progress

New Fingerprinting Capabilities

Because of the many vulnerability checks and mutations added to this version, we developed an advanced and automated fingerprinter, tightly integrated with the crawler, that automatically maps all the web site technologies and optimizes a scan. This means that Syhunt Dynamic 6 checks are now executed based on the detected web technologies and platform, saving considerable time. The newly added Technologies tab, part of the Site Preferences screen, lets you manually set the server-side scripting language, web server, OS and database for a target web site before starting a scan, if you prefer.

In addition to the changes above, the Checks screen has been revamped to accommodate a large number of newly added checks - you can find a list and details about the new checks at the end of this page as well as a link to the consolidated list of checks.

Four-Step Vulnerability Rating

This release comes with a four-step vulnerability rating (High, Medium, Low, Info). We added the Info risk classification and removed the Minimal risk classification. Vulnerabilities previously marked as Minimal risk were assigned a Low or Info risk depending on each case.

New Hunt Methods

Malware Content - Added to both Syhunt Dynamic and Syhunt Code, allows scanning specifically for malware content, web backdoors, hidden debug parameters and signs of hacking.

Passive Scan - Added to Syhunt Dynamic, allows scanning specifically for Common Exposures, Source Disclosures, Web Technology Disclosures, Suspicious HTML Comments and Malicious Content within a website's surface.

Enhanced Dynamic Scanner

Several important enhancements were made to the spider which is a core part of Syhunt Dynamic:

  • Faster and improved HTTP response analysis - improved parsing of web forms, JavaScript code and comments, and added support for additional HTML5 features.
  • Added detection of known redundant app patterns.
  • Added an option for enabling/disabling the use of Referer in HTTP requests (enabled by default).
  • Improved file format and relative path handling.
  • Improved cookie and token handling.
  • Improved auto form filling, auto login and logout detection (many additional cases covered).
  • Improved page redirect handling.

Enhanced Code Scanner

  • Significantly faster scans (revised code for scan optimization)
  • Improved entry point mapping - Added detection of new entry points in PHP code, allowing additional vulnerability cases to be detected.
  • Added automatic file format detection.
  • Improved reporting of vulnerable lines

Enhanced Web Browser (Sandcat 6)

  • Request Viewer rewrite with better display of requests and important stability fixes
  • Simplified the tabbed UI - Major tab code clean up and reorganization.
  • Disabled Chromium's XSS protection - especially useful for performing manual testing or manually confirming XSS detection cases.

New Dynamic Checks

Added detection of many additional vulnerability classes through dynamic application security testing:

  • Code Injection in multiple languages - ASP Classic, ASP.NET, Java/JSP, Lua, Perl, PHP, Python, Ruby & Server-Side JavaScript are covered, using both print-based and time-based detection techniques and taking into consideration different web server environments. CWE-94
  • Expression Language (EL) Injection in JSP web applications - CWE-917
  • XML Injection and XML External Entity (XXE) Injection - CWE-661 and CWE-827
  • Authentication Bypass vulnerabilities - CWE-287
  • Authentication Brute Force - Both form and HTTP-based, fully automated with common weak passwords
  • Debug Parameter Discovery and Injection
  • Malicious Content Detection
  • Inappropriate Content Detection - Like adult or warez content
  • Web Technology Disclosures - Reports if the version of a detected web technology is being disclosed.

Improved the detection of several vulnerability classes:

  • SQL Injection - Added additional checks for error-based and time-based SQL Injection, and improved checks for MySQL, MS SQL and PostgreSQL
  • NoSQL Injection - Added MongoDB error-based detection
  • Remote Command Execution checks - Added time-based detection and new variants
  • Directory Traversal checks - Added many new variants and filter evasion techniques
  • Cross-Site Scripting (XSS) - Added a subcategory for Client-Side Denial-of-Service
  • Web Backdoors - Added 211 new known backdoor checks
  • File Inclusion - Added many new variants and improved detection
  • Source Code Disclosure - Added new variants covering server-side Lua, PHP and ASP code, and improved accuracy
  • LDAP Injection checks - Improved detection
  • CRLF Header Injection checks - Added new variants and improved confirmation
  • Server-Side Includes Injection checks - Added new variants
  • XPath Injection checks - Added new variants and improved confirmation
  • HTML Comment checks - Introduced a more advanced parser, added support for JS comments, added several new checks and eliminated false positive cases.
  • Backup File Checks - Eliminated a common false positive case.
  • Structure Brute Force Checks - Extended many checks to cover web root, added normal and paranoid modes, checks for admin pages now performed as part of the brute force checks.
  • Vulnerable Web Apps - Revised checks for known vulnerable web apps divided into multiple categories: Apache Struts, ASP, ASP.Net, Flash, Dynamic HTML, Java, Perl, Python, Ruby, ColdFusion, SSI, IIS...
  • Multiple Disclosure checks - Revised checks for multiple disclosure flaws (divided into Path Disclosure, Password Disclosure, Database Disclosure and Information Disclosure). Fixed a case that could result in duplicated Path Disclosure reporting.
  • Common Form Weaknesses - Improved checks for multiple form input related vulnerabilities, such as Unencrypted Login, Email Form Hijacking, Hidden Price Form Field and AutoComplete Enabled in sensitive form inputs.
  • Common Exposures, Suspicious HTML Comments and Directory Listing checks - Introduced a new, extended check database and eliminated some possibilities of redundant reporting.

View All Checks

New Code Checks

Added detection of many not previously covered vulnerabilities through static application security testing:

  • XPath Injection vulnerabilities - CWE-643
  • LDAP Injection vulnerabilities in PHP code - CWE-90
  • SQL Injection involving object-oriented PHP code
  • Web Backdoors in source code
  • Debug Parameters
  • Common Form Weaknesses

Improved the detection of the following checks:

  • Arbitrary File Manipulation checks - Added new PHP variants
  • Weak Password Hashing check - Revised and fixed false positive cases

View All Checks

Other Improvements and Bug Fixes

  • Added detection of new hacking tools through web server log analysis (Syhunt Insight).
  • Scan status now reported as Undetermined if the scan aborted before starting due to any serious connectivity issues (like host not found).
  • Re-implemented WAF/IDS evasion and detection in Syhunt Dynamic.
  • Fixed: short hunt method options (like as for appscan) not working with the newly introduced CLI app ScanURL.exe. Made it print additional vulnerability details.
  • Fixed: location URL in reports including manipulated POST params

We hope you enjoy the new release!