Most of the improvements described on this page apply as well to the Community Edition of Syhunt. If you prefer to read only what's new in Syhunt Community, visit here.

What's New in Syhunt 6.7 (September 17, 2019)

Syhunt adds support for Android and iOS apps and greatly extended checks for Java

We're excited to announce the immediate availability of Syhunt version 6.7. This release is a milestone in Syhunt's development history. It brings support for mobile (Android & iOS) applications, greatly extends its Java check base and adds the much-awaited scan scheduling feature. As part of this major update, we've added checks and support for the Swift and Objective-C programming languages, which are the primary languages used for iOS app development, and increased the number of source code checks for Java, the primary language used for Android app development, from 70 to 310 checks. The newly added features and checks, together with Syhunt's ability to scan JavaScript-based applications, including Angular and Node.js, make Syhunt suited for both mobile and web application security assessment. The new release also introduces a Mobile Compliance report template which focuses on the OWASP Mobile Top 10 risks list, as well as the CWE/SANS Top 25 Most Dangerous Software Errors and the PCI DSS v3.2.1 standard.

With this update, users of the Community edition of Syhunt can now perform a near-complete source code scan, as all code checks are now included with Syhunt Community. The details of High-rated and specific Medium-rated vulnerabilities, however, are only available in the professional editions of Syhunt.

The mobile support is available in limited preview in Syhunt Community and fully available to new and existing customers through a separately licensed product extension known as Syhunt Mobile. The newly added Java checks for web applications are available to existing customers at no additional cost.

New Code Checks for Java

Syhunt 6.7 adds security code checks targeting Java-based web and mobile apps, covering:

  • Code Injection (CWE-94)
  • Insecure Communication
  • Insecure Cryptographic Algorithms (CWE-327)
  • Regular Expression Injection (CWE-400)
  • SQL Injection (Spring Framework)
  • Uncontrolled Format String (CWE-134)
  • Various bad practices

Improved and extended checks for Java include: Broken Authentication, Broken Cryptography, Security Misconfiguration, Cross-Site Scripting (XSS), Command Execution, Code Injection, File Inclusion and Manipulation, SQL Injection, LDAP Injection, XML Injection, Information Leakage, Log Forging and Denial-of-Service.

Code Checks for Swift & Objective-C

Syhunt 6.7 adds security code checks targeting the primary iOS development languages, covering:

  • Broken Authentication
  • Command Execution
  • Insecure Communication
  • Insecure Data Storage
  • Insecure Hashing Algorithm
  • Insecure Cryptographic Algorithms
  • Uncontrolled Format String
  • Hardcoded Sensitive Information
  • Buffer Overflow
  • Various bad practices

Other Code Improvements

  • Improved vulnerability detection accuracy and vulnerable line detection precision.
  • Improved insecure randomness checks (additional checks).
  • Improved multi-language source code parsing.
  • Additional entry point coverage and input filtering/validation analysis.

Dynamic and Other Improvements

  • Improved automated web form login (alternative schemes).
  • Improved spidering of heavily dynamically generated web stores.
  • Minor optimizations for WordPress-based websites.
  • Added a built-in Scan Scheduler. For detailed information, see: Scheduling Scans
  • Added the ability to ignore specific vulnerabilities in the Site Preferences and Code Scanner Preferences screens.
  • Improved session status and icons in the session manager.
  • Fixed: a few bugs and false positives (as detailed in the CHANGELOG).

We hope you enjoy the new release!



What's New in Syhunt 6.6 (June 3, 2019)

Syhunt adds SAST support for Angular, AngularJS, web services, and more

We're happy to announce that Syhunt version 6.6, released today, adds SAST support for web services, and extends support for the MEAN stack by adding support for Angular (v2 and higher) and AngularJS-based web applications, TypeScript, and a large number of additional checks covering Node.js, Express.js, jQuery, client-side JavaScript, and Java. Syhunt 6.6 also adds SAST support for Azure Repos and Electron-based apps, manual login option when performing DAST, and optimizations that speed up scans in both DAST and SAST. The extended coverage means that Syhunt is now able to scan not only the source code of web applications, but the source code of web services and JS-based desktop applications.

Code Checks for Angular & AngularJS

Syhunt 6.6 adds security code checks targeting Angular web apps, covering:

  • Cross-Site Scripting (XSS) - covering JavaScript and TypeScript
  • Cross-Site Request Forgery (XSRF)
  • Broken Authentication
  • Local Storage Usage
  • Sensitive Data Stored in Local Storage
  • Sensitive Information Client-Side
  • Outdated Vulnerable Scripts

Code Checks for Client-Side JavaScript

  • DOM-Based XSS (DOM-Based Cross-Site Scripting)
  • Local Storage Usage
  • Sensitive Data Stored in Local Storage
  • Outdated Vulnerable Scripts, including jQuery Core, jQuery Migrate, jQuery UI, fullPage, Bootstrap and momentjs - this includes the analysis of external, online JavaScript files.
  • Code Injection
  • Unvalidated Redirect
  • XML Injection
  • Client-Side Request Forgery
  • Information Disclosure (various)
  • Security Misconfiguration (various)

Code Checks for Node.js

  • Cross-Site Scripting (XSS)
  • Denial of Service (DoS) (new)
  • File Inclusion (new)
  • XPath Injection (new)
  • XML Injection (new)
  • Server-Side Request Forgery (SSRF) (new)
  • Information Disclosure (new)
  • Security Misconfiguration (new)
  • SQL Injection (improved)
  • Code Injection (improved)
  • Unvalidated Redirect (improved)
  • File Manipulation (improved)
  • Command Execution (improved)
  • HTTP Header Injection (improved)
  • Log Forging
  • Input filtering/validation analysis (improved)

Additional Code Checks

Syhunt 6.6 also adds checks for:

  • Broken Cryptography (new) - usage of Insecure Hashing Algorithms, Insecure Cryptographic Algorithms, Weak Protocols and Insecure Randomness.
  • Insecure Salting (new) - covering all languages
  • Hardcoded Sensitive Information (new), and logging of sensitive information
  • Weak Password Hashing (rewritten and improved)
  • Backdoor (improved)
  • SQL Injection, XML Injection and Information Leak (improved for Java)

Manual Login Support

Syhunt 6.6 adds the ability to start a scan against a website after manually logging in: when you start a Dynamic scan from within the Sandcat Browser, the tab's session data is used as part of the scan. Use of the feature is explained in the manual login section of the Syhunt Dynamic QuickStart document.

Extended GIT Support

  • Added the ability to scan GIT repositories via the user interface, and to create and manage a list of favorite target repositories.
  • Added support for Azure Repos using GIT.

Dynamic and Other Improvements

  • Improved HTTP/HTTPS protocol and SSL support (fixed: connection reset by peer error when trying to scan some websites).
  • Added an option to automatically follow an off-domain redirect of the Start URL (enabled by default in the GUI and CLI).
  • Ask about off-domain URL redirects when defining a dynamic target.
  • Added additional Joomla-specific optimizations.
  • Improved handling of popups in the Sandcat Browser.
  • Fixed: inability to properly pin the app to the Windows taskbar.
  • Fixed: many other bugs and false positives (as detailed in the CHANGELOG).

Note: Checks above in gray color are only available in the professional editions of Syhunt.

We hope you enjoy the new release!



What's New in Syhunt 6.5 (December 26, 2018)

Syhunt adds F5 BIG-IP ASM compatible vulnerability export, Jenkins extension, JIRA and GitHub integration, GIT support and more

Today we release version 6.5 of Syhunt Hybrid and Syhunt Community, a release focused on integration with other systems, such as Jenkins, F5 BIG-IP Application Security Manager (ASM), JIRA and GitHub issues, and GIT source code control systems. It also brings UI improvements, spider improvements and framework-specific optimizations.

JIRA and GitHub Issues integration

Syhunt 6.5 is the first release to support JIRA and GitHub issues. Configuring an issue tracker is an easy task and vulnerabilities can be submitted to a specific project with the click of a button.

F5 BIG-IP ASM compatible scanner export

The F5 BIG-IP Application Security Manager (ASM) is able to import vulnerability scan results from Syhunt Dynamic scans and virtually patch the vulnerable web applications. Syhunt 6.5 generates vulnerability exports compatible with the F5 BIG-IP ASM system. To generate the export, select the file type XML ASM when saving a report.

Jenkins extensions

Syhunt 6.5 comes with extensions for Jenkins that allow web application security scans to be called from within a Jenkins Pipeline script, so that customers can integrate the Syhunt Dynamic and Syhunt Code scanner tools into their continuous delivery pipeline, schedule scans and much more. The beta extensions add three Groovy functions, syhunt.scanURL(), scanCode() and scanGIT(), that can be used to perform dynamic and source code scans (DAST and SAST) from within a pipeline execution, optionally failing the build if a certain criterion is met (for example, if High risk vulnerabilities are found).

GIT Protocol Support

Syhunt 6.5 adds support for GIT URLs in the ScanCode CLI utility and the Lua API, and support for GIT branches in both the CLI utility and the scanGIT() command for Jenkins. The examples below show how to scan a GIT repository.


-- from the command prompt
scancode git://sub.domain.com/repo.git
scancode https://github.com/user/repo.git -rb:master

-- from Jenkins pipeline script
syhunt.scanGIT([target: 'https://github.com/someuser/somerepo.git', branch: 'master', build: 'failifriskmedium'])

-- from Lua script
code:scanurl('https://github.com/someuser/somerepo.git', 'master')

Revamped Vulnerability Details screen

Syhunt 6.5 adds a revamped vulnerability details dialog with editing capabilities.

Additional Improvements and Changes

Additional improvements in Syhunt 6.5 include:

  • Added a Dynamic Targets screen to the launcher, which allows you to manage a list of common target URLs. You can access it through the purple bookmark icon in the Launcher toolbar or the New Scan dialog.
  • Added Rails framework, WII framework and WordPress related optimizations.
  • Added the ability to import and export a scan session from/to a file.
  • Reviewed the Malware Content and Structure Brute Force hunt methods and enabled additional checks. Improved extension checking and structure brute force checks and fixed a false positive case.
  • Faster Authentication Bypass checks.
  • Improved fingerprinting and added detected languages and OS type to reports.
  • Improved XML exports.
  • Improved spider (improved web site caching and mapping).
  • This release comes with the latest Syhunt Sandcat browser updates and drops support for Windows Vista.

We hope you enjoy the new release!



What's New in Syhunt 6.4 (October 17, 2018)

Syhunt adds PCI DSS 3.2.1 support and more

Today we release version 6.4 of Syhunt Hybrid and Syhunt Community, a release focused on compliance report generation and user interface (GUI) enhancements. This version comes with a revamped launcher screen (see the screenshot below), adds new PCI DSS related checks (such as checking for unencrypted credit card transactions) and many new compliance report options, such as:

  • PCI DSS compliance versions 3.2 and 3.2.1
  • All recent OWASP lists, including the latest OWASP Top 10 list
  • CWE/SANS Top 25 Most Dangerous Software Errors
  • WASC (The Web Application Security Consortium) Threat Classification

Additional improvements include:

  • Added 183 additional admin paths.
  • Added additional password file disclosure checks.
  • Added Joomla-specific optimizations.
  • Added Nginx support in Syhunt Insight.
  • Improved spidering (additional link extraction and improved relative path handling).
  • Combined link list with additional details into new Coverage report section.

Screenshot: Revamped Launcher

We hope you enjoy the new release!