Syhunt Hybrid: Getting Started

The information in this document applies to version 6.6.4 of Syhunt Hybrid.

Introduction

Syhunt Hybrid is a hybrid, multi-language web application security assessment suite. It allows you to scan for the most common web application flaws from a hacker's perspective. Syhunt dynamically injects data into web applications and analyzes their responses in order to determine whether the application code is vulnerable to specific attacks (such as SQL Injection, XSS and many other web application vulnerability classes). If requested, Syhunt will also scan the application's source code in search of security issues.

Which operating systems and applications are supported for scanning?
Syhunt modules are built with the flexibility to cover multiple web server platforms:

  • Any web server platform (via dynamic scan). Syhunt scans all types of web servers, such as Unix, Linux or NT.
  • Devices such as routers and firewalls that run web sites.
  • ASP.NET, Java, Node.js, Lua, Perl, PHP & Python web applications (via source code scan).
  • Web application firewalls and intrusion detection systems (via its evasion techniques).

Proactive Nature of Syhunt Hybrid

Users tend to see web application security scanners as being like antivirus software: reactive, and requiring regular checks and signature updates (weekly, if not daily). This is true for traditional web scanners, but Syhunt has favored a proactive approach since 2008 when developing its checks and the Hybrid scanner; today Syhunt favors common weaknesses (CWEs) over disclosed vulnerabilities (CVEs). Below we compare the differences between the two approaches.

Traditional web application security scanners are:

  • Heavily dependent on regular updates and signatures that focus on CVEs (known, disclosed vulnerabilities in third-party web applications), instead of CWEs. They are, essentially, reactive.
  • Unable to detect undisclosed vulnerabilities in third-party web applications
  • Unable to detect most (if not all) vulnerabilities in your custom web applications
  • Unable to scan the source code of web applications for vulnerabilities and weaknesses

Favoring a proactive approach, rather than a reactive approach, made Syhunt:

  • Not dependent on regular updates. Updates focus on a list of CWEs (common weaknesses) instead of CVEs (known, disclosed vulnerabilities). Relevant reactive checks (targeting specific CVEs) are released together with minor and major updates as a complement to its proactive checks.
  • Well-suited for detecting both disclosed and undisclosed vulnerabilities in third-party web applications. Being able to accurately detect a single CWE entry means Syhunt will be able to match hundreds of CVE entries at the same time.
  • Better suited for detecting vulnerabilities in your custom web applications - these are missed by a traditional, reactive web application scanner.
  • Able to perform Hybrid analysis - Syhunt's dynamic analysis complements its source code analysis (DAST + SAST).

How to perform a dynamic scan

While performing a standard, dynamic scan (also known as black box) the Syhunt scanner injects data in the web applications and subsequently analyzes the application response in order to determine if the application code is vulnerable to specific web application security attacks.

Main Supported Languages

ASP (Classic)
ASP.Net
Java / JSP
JavaScript
Lua
Perl
PHP
Python
Ruby

Follow along with this guide to learn how to perform a dynamic scan and generate a vulnerability report.

This software should be used only by system administrators (or other people in charge). It should not be used to scan web sites outside of your direct control. Read Terms

  1. Launch Syhunt Hybrid and click the Syhunt Dynamic icon or New Scan button in the welcome page.

  2. Enter the URL of the website you want to scan.

  3. Select a scan method. We recommend the Application Scan (Default) method, which scans for all vulnerabilities using the recommended settings - the different methods are explained in the Hunt Methods document.
  4. Check the Edit Site Preferences option.
  5. Click the Start Scan button. On the next screen, go to the Technologies tab and select the technologies used by the target website. You can also use this screen to change additional preferences associated with the website. Review the settings and then click OK to start the scan.

At the end of the scan, you can click Generate a Report to save the results as an HTML report or in any other preferred format.

The next time you perform a scan (unless you want to change the site preferences again) you can jump from step 3 straight to step 5.

How to perform manual login via browser

If you need to log in manually before you can scan a website, you may prefer to start the scan from within the Sandcat Browser.

  1. Launch Syhunt Hybrid and double-click the Sandcat Browser icon or New Tab button in the welcome page.

  2. Navigate to the website you want to scan - enter the target URL using the address bar and press Enter.
  3. Go to the Login area and log in using your credentials.
  4. Click the Scan This Site menu option to start the scan.

How to perform a dynamic scan via command-line

  1. Using the command prompt, go to the directory where Syhunt Hybrid is installed.
  2. Use the following command-line:
 Scanurl [starturl] -hm:[huntmethod] -gr

 Example:
 Scanurl http://www.somehost.com -hm:appscan -gr

Syhunt ScanURL tool reports are automatically generated and saved if the -gr parameter is provided. You can also open the session by launching Syhunt and using the Menu -> Past Sessions option.

Scanning IPv6 addresses

Syhunt Dynamic fully supports the scanning of IPv6 addresses. To scan an IPv6 target, remember to enclose the address in square brackets, e.g.:

http://[2001:4860:0:2001::68]/index.php

The Scanurl tool also supports IPv6 addresses.

Using Client Certificates

SSL support in Syhunt Dynamic relies on two Dynamic Link Library (DLL) files (SSLeay32.dll and libeay32.dll) developed by the OpenSSL Project. When these two DLL files are present, SSL support is available, which means that you can scan secure sites with https addresses.

The Site Preferences screen allows you to configure the client certificates. To view this screen, navigate to the website you want to scan, click the scan button -> Site Preferences and go to the Certificates tab.

Advanced Features

Preventing a Vulnerability From Being Reported

You can create rules that prevent specific vulnerabilities from being reported:

  1. Click the purple bookmark icon in the Launcher toolbar and add a Target URL to the list of Dynamic targets.
  2. Right-click the URL you just added and click the Edit Site Preferences menu option.
  3. Go to the Exclusions tab and click the Vulnerabilities... button.
  4. Click the plus button and add a new rule using the input dialog. Examples:
  • path=*,name=XSS would prevent any vulnerability with XSS in the title from being reported
  • path=/demo/*,name=XSS would prevent any vulnerability with a path starting with /demo/ and XSS in the title from being reported
  • path=*,"name=Web Technology Disclosure" would prevent any vulnerability with Web Technology Disclosure in the title from being reported

The following parameters can be used as part of a rule:

  • path (required) - a wildcard text (which can contain the special characters ? and *) that will be matched against the affected path
  • name - a text that will be matched against the vulnerability title
  • params - a param name that will be matched against the affected param(s). If multiple params are provided, they must be separated by comma.
  • risk - a risk that will be matched against the vulnerability risk (can be low, medium, high or info)
  • module - a module name that will be matched against the module that detected the vulnerability (can be dyn or code). If omitted, the rule will work for both Dynamic and Code vulnerabilities
  • lines - a number or numbers that will be matched against the affected source code line(s). If multiple lines are provided, they must be separated by comma.
  • cve - a CVE ID that will be matched against the vulnerability's CVE references
  • cwe - a CWE number that will be matched against the vulnerability's CWE references
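As an added example (not Syhunt's own code), the following Python sketch parses rules written in this format and applies them to constructed findings. The Finding record and the matching semantics (substring match for name, any-of for params and lines, exact match for the rest) are assumptions, not documented product behaviour.

```python
import csv
import re
from dataclasses import dataclass, field

RULE_KEYS = {"path", "name", "params", "risk", "module", "lines", "cve", "cwe"}

@dataclass
class Finding:
    # Hypothetical record standing in for one Syhunt result (constructed).
    title: str
    path: str
    risk: str = "medium"                      # low, medium, high or info
    module: str = "dyn"                       # dyn or code
    params: list = field(default_factory=list)
    lines: list = field(default_factory=list)
    cves: list = field(default_factory=list)
    cwes: list = field(default_factory=list)  # CWE numbers, e.g. 79

def parse_rule(rule: str) -> dict:
    """Split on commas, honouring "..." so that a quoted pair such as
    "name=Web Technology Disclosure" or "params=id,user" stays whole."""
    parsed = {}
    for item in next(csv.reader([rule], skipinitialspace=True)):
        key, sep, value = item.partition("=")
        key = key.strip().lower()
        if not sep or key not in RULE_KEYS:
            raise ValueError(f"bad rule item: {item!r}")
        parsed[key] = value.strip()
    if "path" not in parsed:
        raise ValueError("path is required in every rule")
    return parsed

def wildcard_match(pattern: str, text: str) -> bool:
    """Only ? and * are special; anchored, case-sensitive (assumption)."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, text) is not None

def rule_matches(rule: dict, f: Finding) -> bool:
    """True when every parameter present in the rule matches the finding
    (assumed semantics: name is a substring of the title, params/lines
    match if any listed value is affected, the remaining keys are exact)."""
    checks = {
        "path": lambda v: wildcard_match(v, f.path),
        "name": lambda v: v.lower() in f.title.lower(),
        "risk": lambda v: v.lower() == f.risk.lower(),
        "module": lambda v: v.lower() == f.module.lower(),
        "params": lambda v: bool({p.strip() for p in v.split(",")} & set(f.params)),
        "lines": lambda v: bool({int(n) for n in v.split(",")} & set(f.lines)),
        "cve": lambda v: v.upper() in {c.upper() for c in f.cves},
        "cwe": lambda v: int(v.upper().replace("CWE-", "")) in f.cwes,
    }
    return all(checks[k](v) for k, v in rule.items())

def filter_findings(rules, findings):
    """Drop every finding that matches at least one exclusion rule."""
    parsed = [parse_rule(r) for r in rules]
    return [f for f in findings if not any(rule_matches(r, f) for r in parsed)]

# Constructed sample data: the page's example rules against four made-up findings.
SAMPLE_RULES = ['path=/demo/*,name=XSS', 'path=*,"name=Web Technology Disclosure"']
SAMPLE_FINDINGS = [
    Finding("Cross-Site Scripting (XSS)", "/demo/login.php", params=["user"]),
    Finding("Cross-Site Scripting (XSS)", "/search.php", params=["q"]),
    Finding("Web Technology Disclosure", "/", risk="info"),
    Finding("SQL Injection", "/demo/item.php", risk="high", module="code", lines=[42, 57], cwes=[89]),
]
```

Note that a value containing a comma (several params or lines) must be quoted as a whole pair, as in the third example above, or the splitter will read the part after the comma as a new rule item.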

Automated Form Login Training

If your web site requires authentication before allowing access to all or most of its contents, Syhunt Dynamic can auto-detect most form logins and log in using the credentials you entered in the Site Preferences screen. If you have a form login with non-standard fields, you have two options:

  1. Manually log in as explained above in the manual login section (easier and recommended), or
  2. Teach Syhunt Dynamic to auto log into the application through a simple procedure (explained below)

Let's suppose Syhunt Dynamic is having trouble with the following web form login:


<input name="ClientUTBox" id="ClientUTBox" type="hidden" value="1234">
<input name="ClientUNBox" id="ClientUNBox" type="text" class="InputBox"/>User Name
<input name="ClientPWBox" id="ClientPWBox" type="password" class="InputBox" >Password

The following procedure will reprogram Syhunt to recognize the form login:

  1. Click the purple bookmark icon in the Launcher toolbar and add a Target URL to the list of Dynamic targets.
  2. Right-click the URL you just added and click the Edit Site Preferences menu option.
  3. Enter the username and password in the Form Authentication area of the Authentication tab.
  4. Click OK to save the preferences. The Site Preferences window will close.
  5. Switch back to the Launcher tab, and go to the Dynamic Preferences screen ( -> Preferences -> Dynamic Preferences).
  6. Go to the Emulation tab, click the Custom Values button and add the following values:

ClientUTBox=1234
ClientUNBox=@syhunt_web_form_username
ClientPWBox=@syhunt_web_form_password

In the values above, anything after the equal sign that starts with an @ is an internal variable; these ensure that the web form login credentials you entered in the Site Preferences screen are used in the two form inputs you provided.

Syhunt Dynamic is now ready to detect this form login during a scan.

Preventing Accidental Logout

Syhunt Dynamic can auto-detect most logout pages, but if the logout page does not match standard names and common patterns, you will need to add the logout page URL to your Site Preferences. This will prevent Syhunt Dynamic from accidentally logging out during a scan:

  1. Click the purple bookmark icon in the Launcher toolbar, right-click the target and click Edit Site Preferences.
  2. Go to the Exclusions tab.
  3. Click the Logout URLs button and add the custom logout URL, example:

/getmeout.php

  4. Click OK to confirm the preferences. The input dialog will close.
  5. Hit OK to save the preferences.

Basic FAQs

How long will Syhunt Dynamic take to run all the tests?
Duration depends on the number of pages and applications your website contains and on the scan method you selected. The web application checks (after the crawling stage) are usually the part of the scan that takes the most time, and their duration depends on the size of the target site.

Can I load a previous scan session and re-run reports again?
Yes, select the Past Sessions option from the Menu. The Session Manager screen will open. Click Generate Report for the session you want and you will see the session results and the options to export data and generate reports.

Is there a list of tests that are conducted using the updated version of Syhunt?
You can get an idea of the tests by clicking Menu -> Help and then selecting Vulnerability List.

Do any of the tests crash the tested host?
As for crashing the host: there are denial-of-service checks that may crash the tested host, but you can turn those off when scanning.

Does Syhunt Dynamic have any problems with personal firewalls?
Yes, you'll just have to let the firewall know that Syhunt is authorized to make connections to the Internet. However, some software firewalls do not handle high loads very well. It is not recommended to run both a personal firewall and Syhunt on the same machine.

If you're running a PC firewall on the scanning system that does outbound filtering, try disabling it - we've occasionally seen firewalls automatically block a program's socket calls without first prompting the user as to whether or not it should be allowed to make connections.

Is there any way to scan ports 23 (telnet) and 21 (ftp)?
No. Syhunt Dynamic is not a general-purpose security scanner; it is specialized for evaluating web applications.

How to perform a code scan

Syhunt's whitebox scan (source code scan) can uncover multiple classes of application vulnerabilities and also identify key areas of the code that need review. Its static source code analysis functionality can detect cross-site scripting, file inclusion, SQL injection, command execution and validation problems. Initially only PHP was supported. As of today, multiple web programming languages are supported.

Supported Languages

ASP Classic (VBScript & JavaScript)
ASP.Net (C# & VB.Net)
Java (JEE / JSP)
JavaScript (Client and Server-Side, Node.js, Angular, AngularJS, Express.js & Koa.js)
Lua (mod_lua, CGILua & Lua Pages)
Perl
PHP
Python (CGI, Django, mod_python & WSGI)
TypeScript (Angular)

Follow along with this guide to learn how to perform a source code scan and generate a vulnerability report.

  1. Launch Syhunt Hybrid and click the Syhunt Code icon or New Scan button in the welcome page.

  2. Select a code directory to scan and press the OK button to start the scan.

At the end of the scan, you can click Generate a Report to save the results as an HTML report or in any other preferred format.

How to perform a code scan via command-line

  1. Using the command prompt, go to the directory where Syhunt is installed.
  2. Example command-line:
 Scancode C:\WWW\Docs\ -gr

Syhunt ScanCode tool reports are automatically generated and saved if the -gr parameter is provided. You can also open the session by launching Syhunt and using the Menu -> Past Sessions option.

How to perform a hybrid scan

Syhunt's unique gray box/hybrid scanning capability allows it to scan the application's source code first, acquire important information about it, and then use this information to try to dynamically confirm flaws (XSS, File Inclusion, SQL Injection, Command Execution, etc.).

Follow along with this guide to learn how to perform a hybrid scan and generate a vulnerability report.

  1. Launch Syhunt Hybrid and click the Syhunt Dynamic icon or New Scan button in the welcome page.

  2. Enter the URL of the website you want to scan.

  3. Select a scan method. We recommend the Application Scan (Default) method, which scans for all vulnerabilities using the recommended settings - the different scan methods are explained in the Hunt Methods document.
  4. Check the Edit Site Preferences option.
  5. Click the Start Scan button.
  6. Assign a source code folder to the site. The source code directory must contain a copy of the web site source files. When assigning a source code directory, you must point exactly to the root of the web site (where the index files are located).
  7. Hit OK to start the scan.

At the end of the scan, you can click Generate a Report to save the results as an HTML report or in any other preferred format.

The next time you perform a scan, there is no need to check Edit Site Preferences (unless you want to modify the settings or assign a different source code folder).

How to perform a hybrid scan via command-line

  1. Using the command prompt, go to the directory where Syhunt Hybrid is installed.
  2. Use the following command-line:
 Scanurl [starturl] -hm:[huntmethod] -srcdir:"[SourceDir]" -gr

 Example:
 Scanurl localhost -hm:appscan -srcdir:"C:\WWW\Docs\" -gr

Note: if you have already entered the source code directory for the target host using the Syhunt Hybrid GUI in a past scan, it is not necessary to assign it again using the -srcdir parameter.

Syhunt ScanURL tool reports are automatically generated and saved if the -gr parameter is provided. You can also open the session by launching Syhunt and using the Menu -> Past Sessions option.

Differences between Hunt Methods

Hunt Method                   | CLI name  | Brute F.    | Injection   | DoS | Time-Con.
------------------------------|-----------|-------------|-------------|-----|----------
Application Scan (AKA normal) | appscan   | Y           | Y           | Y   | N
Structure Brute Force         | structbf  | Y (Deep)    | N           | N   | Y (Very)
Old & Backup Files            | fileold   | Y           | N           | N   | Y
Fault Injection               | faultinj  | N           | Y           | Y   | N
Top 5 (OWASP PHP)             | top5      | N           | P (TOP5)    | N   | N
Cross-Site Scripting          | xss       | N           | P (XSS)     | N   | N
SQL Injection                 | sqlinj    | N           | P (SQL)     | N   | N
File Inclusion                | fileinc   | N           | P (FI)      | N   | N
Unvalidated Redirects         | unvredir  | N           | P (UR)      | N   | N
Malware Content               | malscan   | P (Malware) | P (Malware) | N   | N
Passive                       | passive   | N           | N           | N   | N
Spider Only                   | spider    | N           | N           | N   | N
Complete Scan                 | complete  | Y           | Y           | Y   | Y (Very)
Complete Scan, No DoS         | compnodos | Y           | Y           | N   | Y (Very)
Complete Scan, Paranoid       | comppnoid | Y (Deep)    | Y           | Y   | Y (Very)

Letters: Yes/No/Partial (Y/N/P)

Type of Testing

  • Hybrid (Gray Box): Dynamic & Code
  • Dynamic Only (Black Box)
  • Code Only (White Box)

Time-Consuming

A Yes means that extra checks and attack mutations will be performed and the number of checks will be influenced by the number of directories found during the spidering stage.

Description

The Application Scan method is the default scan method in Syhunt. If you want to use a different scan method, you will be able to select one of the following options:

Application Scan

Identifies flaws in custom web applications. This scan method crawls the web site and performs attacks against the web site structure and the web applications. This includes looking for fault injection vulnerabilities such as XSS, SQL Injection, File Inclusion, and more.

Structure Brute Force

A structure brute force will check for:

  • Common Vulnerable Scripts
  • Common File Checks
  • Custom File Checks (User File Checks)
  • Database Disclosure
  • Web-Based Backdoors

The number of checks is influenced by the number of directories found during the spidering stage.

OWASP PHP Top 5

Scans specifically for the OWASP Top Five List of PHP Vulnerabilities: Remote Command Execution, XSS, SQL Injection and File Inclusion flaws.

Fault Injection

Scans specifically for fault injection vulnerabilities. If this scan method is selected, all other checks that do not require injection are disabled and Syhunt will specifically check for SQL injection, XSS, file inclusion and similar flaws.

Cross-Site Scripting (XSS)

Scans specifically for XSS vulnerabilities.

SQL Injection

Scans specifically for SQL & NoSQL Injection vulnerabilities.

Complete Scan

Scans for all kinds of web application vulnerabilities using all kinds of mutations and pen-tester methods. A Complete Scan can sometimes be very time-consuming when performed against a web server that has a large quantity of web folders and entry points.

Complete Scan (No DoS)

Same as before, but with denial-of-service tests disabled.

Complete Scan (Paranoid)

Scans for all kinds of web application vulnerabilities using deep structure brute force and all kinds of mutations and pen-tester methods. This scan method can be very time-consuming, especially when executed against large web sites. This method also executes triple-checking structure brute force, which applies to case-sensitive servers - Syhunt will try all file name possibilities (all uppercase, all lowercase, leading capitals, etc.).

How To Schedule a Scan

Adding and configuring a scheduled scan is an easy task:

  1. Click the Scheduled Scans icon in the launcher toolbar. The Scheduled Scans screen will open.
  2. Click the Add Scheduled Scan icon in the Scheduled Scans screen toolbar.
  3. Enter a reference name for the new scheduled scan (like MyScan) and hit OK. A preferences dialog window will open.
  4. In the Scan tab, enter the scan target details and select the desired scan method and options.

  5. In the Report tab, enter the desired report generation options.
  6. In the Schedule tab, enter the desired event plan.

  7. Click the OK button when you're done.

Sending Reports Via Email

Firstly, you have to add an Email tracker:

  1. Click the Issue Trackers icon in the launcher toolbar. The Issue Trackers screen will open.
  2. Click the Add Tracker icon in the Issue Trackers screen toolbar and choose the Add tracker: Email menu option.
  3. Enter a reference name for the new tracker (like Mail) and hit OK. A preferences dialog window will open.
  4. Enter Sender/Recipient email addresses.
  5. Enter the SMTP Authentication host and credentials and click the OK button.
  6. Click the Scheduled Scans icon in the launcher toolbar. The Scheduled Scans screen will open.
  7. Right-click the scheduled scan and click the Edit Schedule Preferences option. A preferences dialog window will open.
  8. Go to the Email tab and check the Automatically email report after generation option.

  9. Select the account preferences.
  10. Click the OK button when you're done.

Reviewing results from scheduled scans

At any time you can see the results of past and current scans and generate a report. Just launch the Syhunt Hybrid application and click the Past Sessions icon in the launcher toolbar.

Working with Third-Party Launchers and Schedulers

See this document on how to start Syhunt from within third-party task schedulers, Jenkins and other launchers.

System Requirements

Syhunt Hybrid, Dynamic and Code

  1. 2GB of available RAM (4GB recommended)
  2. 1GB of free disk space*
  3. Internet connection (optional for dynamic scans and some features)
  4. Windows 7, 8 or 10
  5. Internet Explorer 11 or higher

* This does not include the space required to save scan session data, which varies depending on the target website or code base size.

If you use a personal firewall, you'll just have to let the firewall know that Syhunt Dynamic is authorized to make connections to the Internet. However, some software firewalls do not handle high loads very well. It is not recommended to run both a personal firewall and Syhunt on the same machine.


For additional product documentation, visit syhunt.com/docs