Syhunt Hybrid Preferences

The information in this document applies to version 7.0.12 of Syhunt Hybrid.

Below is a list of important preferences in Syhunt Hybrid that you can configure using its command-line interface. Syhunt preferences can be either global (affecting all scans and targets) or site-specific (applying to a particular web application URL).

Note: changes to settings will not impact ongoing scans immediately; they will apply to new scans initiated after the changes are made. Settings configured using the scancore command are permanent, affecting all future scans and targets.

Setting different value types through CLI

When configuring values using the scancore -prefset or scancore -tracker:set commands, you can specify various value types using the following combined parameters:

 boolean: Use -v:true or -v:false
 string: Use -v:value, -v:"my value", or -vsecret (for passwords)
 integer: Use -v:1000
 stringlist: Use -fromfile:mylistfile.lst to read the values from a file, -v:[string1],[string2],[etc] to list multiple strings directly, or -v:value or -v:"my value" to specify a single line

This allows for flexibility in setting different types of values according to your configuration needs.

When attempting to set a preference value with the wrong type, an error will occur. For instance:

scancore -prefset:hybrid.report.company.logo.urldark -v:true
Error: Invalid type (provided boolean, must be string)

scancore -tg:http://127.0.0.1 -prefset:enabled -v:1
Error: Invalid type (provided integer, must be boolean)

These error messages are designed to maintain the integrity of preferences. They prevent inadvertent changes by alerting users when they attempt to set a preference with a value of the wrong type. This ensures that preferences are correctly configured according to their expected data type, helping to avoid unexpected behavior or errors during operation.

When providing a string list through the -v parameter in the format -v:[value1],[value2],[value3], each comma-separated value enclosed in square brackets is stored as a separate line. For example, -v:[value1],[value2],[value3] will be stored as:

value1
value2
value3

When setting a string that includes spaces, such as "my value", you must enclose the string within double quotes (") (e.g. -v:"my value" or -v:"[my value1],[my value2]"). Single quotes (') should not be used for this purpose. This ensures that the entire string, including spaces, is interpreted as a single value and stored accordingly.

When using -vsecret to set a sensitive value, such as a password, the command will prompt you twice to enter the value for confirmation. Additionally, it masks the input as you type, ensuring that the sensitive information remains secure. This double confirmation process helps prevent accidental misentry and ensures the accuracy of the sensitive information provided.

When using -fromfile:mylistfile.lst, under Windows environments, the file mylistfile.lst can be located within the same directory as the command execution or specified with a full path. However, in Linux environments, the full path of the file must be provided, such as -fromfile:/path/to/mylistfile.lst. This ensures proper file location and access.
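As an added illustration (not Syhunt's code), the following Python models the type checking and list expansion described above: it infers the type of the text after -v: the way the error messages suggest, compares it with the declared type of the preference, and turns -v:[a],[b] into stored lines. The PREF_TYPES table is a hand-picked subset of the keys on this page, and the inference rules are an assumption reconstructed from the two error examples.

```python
import re

# Declared types of a few preferences documented on this page (subset, constructed for the example).
PREF_TYPES = {
    "enabled": "boolean",
    "hybrid.report.company.logo.urldark": "string",
    "dynamic.protocol.timeout.value": "integer",
    "dynamic.lists.cookies": "stringlist",
}

# One bracketed item of a -v:[item1],[item2] list; the commas between items are ignored.
LIST_ITEM = re.compile(r"\[([^\]]*)\]")


def infer_type(literal: str) -> str:
    """Guess the type of the text after -v: (assumed rules: true/false -> boolean,
    digits -> integer, [..],[..] -> stringlist, anything else -> string)."""
    if literal in ("true", "false"):
        return "boolean"
    if re.fullmatch(r"-?\d+", literal):
        return "integer"
    if literal.startswith("[") and literal.endswith("]"):
        return "stringlist"
    return "string"


def expand_stringlist(literal: str) -> list:
    """Turn -v:[value1],[value2] into the lines that get stored; a plain value is one line."""
    if literal.startswith("[") and literal.endswith("]"):
        return LIST_ITEM.findall(literal)
    return [literal]


def parse_value(key: str, literal: str):
    """Validate the -v literal against the declared type of key and return the stored value.

    Raises ValueError with the wording scancore prints for a type mismatch.
    """
    declared = PREF_TYPES[key]
    if declared == "stringlist":
        # The page allows both a bracketed list and a single plain value for stringlist keys.
        return expand_stringlist(literal)
    provided = infer_type(literal)
    if provided != declared:
        raise ValueError(f"Invalid type (provided {provided}, must be {declared})")
    if declared == "boolean":
        return literal == "true"
    if declared == "integer":
        return int(literal)
    return literal


def prefset(argv: list) -> tuple:
    """Interpret the arguments of 'scancore [-tg:<url>] -prefset:<key> -v:<literal>'.

    Returns (scope, key, value): scope is the target URL for a site preference,
    or 'global' when -tg is absent.
    """
    scope, key, literal = "global", None, None
    for arg in argv:
        if arg.startswith("-tg:"):
            scope = arg[len("-tg:"):]
        elif arg.startswith("-prefset:"):
            key = arg[len("-prefset:"):]
        elif arg.startswith("-v:"):
            literal = arg[len("-v:"):]
    if key is None or literal is None:
        raise ValueError("both -prefset:<key> and -v:<value> are required")
    return scope, key, parse_value(key, literal)


if __name__ == "__main__":
    # Mirrors the two failing commands shown on this page.
    for args in (["-prefset:hybrid.report.company.logo.urldark", "-v:true"],
                 ["-tg:http://127.0.0.1", "-prefset:enabled", "-v:1"]):
        try:
            print(prefset(args))
        except ValueError as err:
            print("Error:", err)
```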

Here are examples demonstrating how to set preferences either globally or for specific targets via the command-line interface using the -prefset parameter. Additionally, you can utilize the -prefprint parameter to display and review the current value of any preference.


-- Example 1 - Setting a logo to be displayed in newly generated reports
 scancore -prefset:hybrid.report.company.logo.urldark -v:https://www.mydomain.com/mylogo.png

-- Example 2 - Printing the current report logo URL
 scancore -prefprint:hybrid.report.company.logo.urldark

-- Example 3 - Setting Basic authentication for a specific site
 scancore -tg:http://127.0.0.1 -prefset:dynamic.servauth.type -v:Basic
 scancore -tg:http://127.0.0.1 -prefset:dynamic.servauth.username -v:myuser 
 scancore -tg:http://127.0.0.1 -prefset:dynamic.servauth.password -vsecret

-- Example 4 - Enabling or disabling preferences for a specific site
 scancore -tg:http://127.0.0.1 -prefset:enabled -v:true 
 scancore -tg:http://127.0.0.1 -prefset:enabled -v:false 

-- Example 5 - Setting a value from a list file
 scancore -tg:http://127.0.0.1 -prefset:dynamic.lists.cookies -fromfile:mycookies.lst

Site Preferences

Site-specific preferences must be set using the scancore -prefset command, providing the -v parameter combined with the -tg parameter (see the examples above); they apply only to the indicated target website. These settings nevertheless have a broad reach: they affect all DAST scans of that target initiated through any method, such as the scanurl command, the web UI, REST API, Lua API, PowerShell extension, or the classical UI. Despite being specified for a particular target, their impact extends to all DAST processes across the platform.

When setting a site-specific preference, such as with the commands scancore -tg:http://127.0.0.1 -prefset:enabled -v:true and scancore -tg:http://127.0.0.1/demo/ -prefset:enabled -v:true, it's important to note that these settings are stored separately because they apply to different paths within the same target. Even though the base URL is the same (http://127.0.0.1), preferences configured for different paths, such as / and /demo/, are maintained separately to ensure distinct configurations for each path.

When initiating a scan against a target using the scanurl [url] command, the distinct configurations set for different paths within the same target are respected based on the provided URL. For instance, if you've configured preferences for both http://127.0.0.1 and http://127.0.0.1/demo/ separately, these configurations will be applied accordingly when scanning each respective URL. This ensures that the scan settings are tailored to the specific path being scanned, maintaining the integrity of your preferences across different sections of the target.

When using HTTPS or specifying different server ports through [protocol]:[host:port], it's important to note that these variations also result in distinct configurations. For example, settings configured for https://example.com and http://example.com:8080 would be treated separately. Similarly, preferences set for https://example.com and http://example.com would be considered distinct due to the protocol difference. This ensures that configurations are appropriately applied to each unique combination of protocol, host, and port, allowing for tailored settings based on the specific characteristics of the target URL.

In situations where a user needs to maintain distinct profiles for the same URL and path, a simple workaround involves adding a parameter to the end of the URL, such as ?syhunt_ref=1, ?syhunt_ref=2, and so on. This parameter serves as a differentiation marker and is ignored by the scanned application, as it holds no functional meaning. By appending these unique parameters, users can effectively manage multiple configurations for the same URL and path, facilitating the customization of preferences as needed.
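The scoping rules in the preceding paragraphs, as an added Python model (not Syhunt's implementation): site preferences are filed under the exact scheme, host, port, path and query of the -tg URL, so the URLs the text calls distinct really get separate settings, and the enabled master key described below switches a whole scope back to the defaults. How Syhunt keys its store internally is not stated on this page; the tuple layout and the handling of an explicit port are assumptions of this example.

```python
from urllib.parse import urlsplit


def site_pref_scope(url: str) -> tuple:
    """Return the scope under which this model files site preferences for a -tg URL.

    Protocol, host, port, path and query all take part, so http://127.0.0.1 and
    http://127.0.0.1/demo/, http:// and https://, :8080 and no port, and
    ?syhunt_ref=1 and ?syhunt_ref=2 all land in separate scopes. An explicit port
    is kept as written (assumption: the page does not say whether :80 merges with no port).
    """
    parts = urlsplit(url)
    path = parts.path or "/"  # http://127.0.0.1 means the / path
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port, path, parts.query)


class SitePrefs:
    """In-memory stand-in for the site preference store behind scancore -tg:<url> -prefset:<key>."""

    def __init__(self):
        self._store = {}

    def set(self, target: str, key: str, value):
        """Equivalent of: scancore -tg:<target> -prefset:<key> -v:<value>"""
        self._store.setdefault(site_pref_scope(target), {})[key] = value

    def effective(self, scan_url: str, key: str, default):
        """Value applied when 'scanurl <scan_url>' runs: the matching scope's setting,
        unless no scope matches or its 'enabled' master key is false (defaults only)."""
        prefs = self._store.get(site_pref_scope(scan_url), {})
        if not prefs.get("enabled", True):
            return default
        return prefs.get(key, default)


if __name__ == "__main__":
    sp = SitePrefs()
    sp.set("http://127.0.0.1", "dynamic.servauth.type", "Basic")
    sp.set("http://127.0.0.1/demo/", "dynamic.servauth.type", "NTLM")
    sp.set("https://example.com?syhunt_ref=1", "name", "profile one")
    sp.set("https://example.com?syhunt_ref=2", "name", "profile two")
    for url in ("http://127.0.0.1", "http://127.0.0.1/demo/", "https://127.0.0.1"):
        print(url, "->", sp.effective(url, "dynamic.servauth.type", "None"))
```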

enabled [boolean]
 true (default): Enables site preferences for the target URL. This is a master key.
 false: Disables all site preferences; only the default settings are used.
name [string]
 Descriptive name of the target website (e.g. My company website). This name is displayed in the Syhunt user interface and has no impact on scans.
critlevel [string]
 Criticality level. Valid values: undefined (Not Defined), none (Non-Critical), low, medium, high, critical. This information is displayed in the Syhunt user interface and has no impact on scans. The default value is undefined.
dynamic.augmented.detectoob [boolean]
 true (default): Enables the execution of OAST with Syhunt Signal (recommended). This allows Syhunt to detect out-of-band vulnerabilities.
 false: Disables all OAST testing.
dynamic.augmented.scanclisource [boolean]
 true (default): Enables the execution of SAST against client-side JavaScript with Syhunt Code.
 false: Disables all SAST testing during DAST.
dynamic.advanced.performdos [boolean]
 true (default): Enables the execution of DoS (Denial of Service) tests against the target web application. DoS attacks aim to disrupt the normal functioning of a web application by exploiting vulnerabilities or overwhelming its resources, rendering it unavailable to legitimate users.
 false: Disables all DoS testing.
dynamic.advanced.performauthforce [boolean]
 true (default): Perform authentication brute force. If enabled, Syhunt automatically tries commonly used usernames and passwords against all areas of the web application that ask for credentials.
 false: Disables authentication brute forcing.
dynamic.advanced.forcewebrootstruct [boolean]
 true (default): Always target the web root during structure brute forcing.
 false: Disables targeting of the web root during structure brute forcing. This means that if the target URL is https://example.com/demo/, brute forcing will target https://example.com/demo/* but not https://example.com/*.
dynamic.advanced.incrementalscan [string]
 Incremental scan. Accepted string values: auto (default) or disabled. Disabling incremental scanning results in slower future scans, because the scanner will not reuse data from previous scans to speed up subsequent ones.

Web Technologies

Syhunt Dynamic offers users the ability to select various web technologies relevant to a web application, enabling it to conduct tests specifically tailored to those technologies, which can accelerate testing. By default, the tool automatically detects these technologies, which is why most options related to web technologies are set to 'auto' mode. This ensures that the tool dynamically adapts to the technologies present in the application without requiring manual intervention, streamlining the testing process.

dynamic.webtech.slang [string]
 The key server-side scripting language of the targeted web application. Knowing the programming language in advance allows Syhunt to optimize the scan and perform only checks that are relevant to the language used by the target application. The default value is auto.
 Accepted string values:
  auto - Syhunt will automatically determine the language used by the target using its fingerprint capabilities.
  lang.asp - The target application uses classic ASP.
  lang.aspx - The target application uses ASP.NET.
  lang.java - The target application uses Java or JSP (Java Server Pages).
  lang.kotlin - The target application uses Kotlin.
  lang.ssjs - The target application uses server-side JavaScript, such as NodeJS or similar.
  lang.lua - The target application uses Lua or LuaJIT.
  lang.perl - The target application uses Perl.
  lang.php - The target application uses PHP.
  lang.python - The target application uses Python.
  lang.ruby - The target application uses Ruby or RoR.
dynamic.webtech.server [string]
 The web server software of the targeted web application. Knowing the server software in advance allows Syhunt to optimize the scan and perform only checks that are relevant to the server used by the target application. The default value is auto.
 Accepted string values:
  auto - Syhunt will automatically determine the server software used by the target using its fingerprint capabilities.
  server.apache - The target application uses Apache.
  server.tomcat - The target application uses Apache Tomcat.
  server.iis - The target application uses Microsoft IIS.
  server.nginx - The target application uses Nginx or OpenResty.
dynamic.webtech.os [string]
 The operating system of the targeted web application. Knowing the OS in advance allows Syhunt to optimize the scan and perform only checks that are relevant to the OS used by the target application. The default value is auto.
 Accepted string values:
  auto - Syhunt will automatically determine the OS of the target using its fingerprint capabilities.
  os.bsd - The target application runs on BSD.
  os.linux - The target application runs on a Linux distribution.
  os.solaris - The target application runs on Solaris.
  os.unix - The target application runs on Unix.
  os.windows - The target application runs on Windows.
dynamic.webtech.datsql [string]
 The key SQL or NoSQL database used by the targeted web application. Knowing the database in advance allows Syhunt to optimize the scan and perform only checks that are relevant to the database used by the target application. The default value is auto.
 Accepted string values:
  auto - Syhunt will automatically determine the database of the target using its fingerprint capabilities.
  db.sql.access - The target application uses a Microsoft Access database.
  db.sql.db2 - The target application uses DB2.
  db.sql.informix - The target application uses Informix.
  db.nosql.mongodb - The target application uses MongoDB.
  db.sql.mysql - The target application uses MariaDB or MySQL.
  db.sql.oracle - The target application uses Oracle database.
  db.sql.postgresql - The target application uses PostgreSQL.
  db.sql.sqlserver - The target application uses Microsoft SQL Server.
  db.sql.sqlite - The target application uses SQLite.
dynamic.webtech.haswaf [string]
 The status of WAF presence in the targeted web application. The default value is auto.
 Accepted string values:
  auto - Syhunt will automatically determine WAF presence.
  inactive - No WAF is present.
  active - A WAF is present.
  ipbypass - A WAF is present with an IP bypass rule.
dynamic.webtech.waf [string]
 The manufacturer of the active WAF. The default value is auto.
 Accepted string values:
  auto - Syhunt will attempt to automatically determine the WAF manufacturer.
  waf.akamai - Akamai
  waf.aws - AWS
  waf.barracuda - Barracuda
  waf.cloudflare - CloudFlare
  waf.f5 - F5
  waf.fortinet - Fortinet
  waf.imperva - Imperva
  waf.msazureappgat - Microsoft Azure Application Gateway
  waf.modsecurity - ModSecurity
  waf.nginx - Nginx
  waf.ogasec - OGASEC
  waf.radware - Radware
  waf.sucuri - Sucuri
  waf.unknown - Other

Web Technologies Guessing

Syhunt Dynamic also employs inference to guess which web technologies, and which versions of their components, the web server is using. This approach analyzes various aspects of the web application and its responses to make educated guesses about the underlying technologies and their versions. The automated guessing gathers information about the application's technology stack without explicit user input, enhancing the tool's ability to perform comprehensive testing.

dynamic.webtech.guess.enabled [boolean]
 true (default): Attempt to sense web server software versions using Syhunt HunterSense, even if banners and signatures are hidden (recommended). This is a master key.
 false: Disables guessing of web server software.
dynamic.webtech.guess.apache [boolean]
 true (default): Sense the Apache version.
 false: Disables guessing of the Apache version.
dynamic.webtech.guess.nginx [boolean]
 true (default): Sense the Nginx version.
 false: Disables guessing of the Nginx version.
dynamic.webtech.guess.php [boolean]
 true (default): Sense the PHP version.
 false: Disables guessing of the PHP version.
dynamic.webtech.guess.phusion [boolean]
 true (default): Sense the Phusion Passenger version.
 false: Disables guessing of the Phusion Passenger version.
dynamic.webtech.guess.modssl [boolean]
 true (default): Sense the ModSSL version.
 false: Disables guessing of the ModSSL version.
dynamic.webtech.guess.openssl [boolean]
 true (default): Sense the OpenSSL version.
 false: Disables guessing of the OpenSSL version.

Crawling Reach

The options described below are designed to restrict the crawling scope of Syhunt Dynamic's spider, thereby controlling the extent to which it explores web resources. By default, the scanner operates without any crawling limitations, allowing it to explore a website extensively. However, it employs intelligent rules, often referred to as 'optimizations' by Syhunt, to speed up the crawling and mapping process. These optimizations enhance the efficiency of the scanner by intelligently guiding its exploration of the website's structure and content.

dynamic.crawling.limitdepth [boolean]
 true: Use a depth limit. This is a master key.
 false (default): Disables the depth limit.
dynamic.crawling.maxdepth [integer]
 Maximum depth (requires the depth limit to be enabled). The default value is 0, which means no limit.
dynamic.crawling.limittobase [boolean]
 true: Limit crawling to the start URL path and specific allowed URLs. This is a master key.
 false (default): Disables the crawling limitation to the start URL path and specific allowed paths. If you enable this option and, for example, target https://example.com/demo/ while the application links to https://example.com/test/, /test/ will be ignored. Because web application paths are often intertwined, this would restrict the scan too much, which is why this option is disabled by default.
dynamic.lists.ignore.allowedpaths [stringlist]
 Paths allowed to crawl (e.g. /store/login.php). The default value is an empty string list.

Additional editable lists. These do not require any master key to be enabled:

dynamic.lists.starturls [stringlist]
 Additional start URLs (e.g. /url1.php,/url2.php). By default, Syhunt Dynamic uses the path that is part of the target URL you provide as the starting point for scanning. This key lets you include additional start paths. For instance, if your target is https://example.com/demo/ and you also want to include /demov2/ and /demov3/ in the scan, even if they are not directly linked from /demo/, adding these paths to this list ensures they are also scanned. The default value is an empty string list.
dynamic.lists.ignore.urls [stringlist]
 Paths to ignore (e.g. /about1.php,/about2.php). The default value is an empty string list.
dynamic.lists.ignore.logoutpaths [stringlist]
 Logout paths to ignore (e.g. /logout.php). The default value is an empty string list. Syhunt Dynamic already comes pre-configured to detect the most common logout paths.
dynamic.lists.ignore.form.names [stringlist]
 Forms to ignore by name (e.g. search1,search2). The default value is an empty string list.

Authentication

Authentication options provide the flexibility to enable web form authentication, server authentication methods like Basic, Bearer, and others, or a combination of both.

dynamic.formauth.type [string]
 Form authentication type. Accepted string values: None, Standard, AI, Selenium. The default value is Standard, which means form authentication is enabled. Form authentication remains enabled as long as both the form username and password fields are not empty.
 Note: the form authentication methods using AI and Selenium are available exclusively in the Windows version of Syhunt.
dynamic.formauth.username [string]
 Form username. The default value is an empty string.
dynamic.formauth.password [string]
 Form password. The default value is an empty string.
dynamic.formauth.script.selenium.encrypted [stringlist]
 Selenium Python script for authentication. The default value is an empty string. This script is used only if the form authentication type is set to Selenium.
dynamic.servauth.type [string]
 Server authentication type. Accepted string values: None, Basic, Bearer, Digest, NTLM. The default value is None, which means server authentication is disabled. If you use Bearer authentication, leave formauth.username empty and enter the token in the formauth.password key.
dynamic.servauth.username [string]
 Server username. The default value is an empty string.
dynamic.servauth.password [string]
 Server password. The default value is an empty string.
dynamic.lists.cookies [stringlist]
 Cookies (e.g. ck1=value;ck=value). The default value is an empty string.

Vulnerability Ignore List

dynamic.lists.ignore.vulnsbyrules [stringlist]
 Vulnerabilities to ignore (by id or rule) (e.g. vuln:v1:dast-my.js-xss-748). The default value is an empty string.

Dynamic Preferences

Global settings for Syhunt Dynamic are configurations that apply universally to all DAST scans initiated through various methods such as the scanurl command, the web UI, REST API, Lua API, PowerShell extension, or the classical UI. These settings provide a consistent framework for controlling the behavior of scans across different initiation methods.

dynamic.checks.dos [boolean]
 true (default): Perform DoS (Denial of Service) tests.
 false: Disables DoS tests.

Browser Emulation Options

dynamic.emulation.redirect.autofollowinstarturl [boolean]
 true (default): Automatically handle off-domain redirects in the start URL.
 false: Disables off-domain redirect rendering.
dynamic.emulation.mode [string]
 Browser emulation mode. Valid options: Chrome, Edge, Firefox, MSIE, Opera, Safari. The default value is Chrome.
dynamic.emulation.javascript.execution [boolean]
 true (default): Enables JavaScript emulation.
 false: Fully disables JavaScript execution and emulation.
dynamic.emulation.javascript.simuser [boolean]
 true (default): Simulate user interaction (key press, mouse click, etc.).
 false: Fully disables user interaction simulation.
dynamic.emulation.doxhrcalls [boolean]
 true (default): Perform XHR calls.
 false: Fully disables support for XHR calls.
dynamic.emulation.javascript.analyzejs [boolean]
 true (default): Analyze JavaScript code.
 false: Disables the analysis of JS code.
dynamic.emulation.javascript.analyzexhr [boolean]
 true (default): Analyze XHR calls.
 false: Disables the analysis of XHR calls.
dynamic.emulation.cookies.accept [boolean]
 true (default): Accept cookies.
 false: Fully disables cookie support.
dynamic.emulation.cookies.maxsize [integer]
 Maximum cookie size (KB). The default value is 4, which translates to 4 KB.
dynamic.emulation.cookies.maxnumber [integer]
 Maximum number of cookies per site. The default value is 50.
dynamic.emulation.autofill.forms [boolean]
 true (default): Automatically fill web forms (name, address, phone, email, etc.).
 false: Disables the auto-fill of forms.
dynamic.emulation.autofill.loginforms [boolean]
 true (default): Automatically fill login web forms.
 false: Disables the auto-fill of login forms.
dynamic.emulation.redirect.autofollow [boolean]
 true (default): Automatically follow redirects.
 false: Disables automatic following of redirects.
dynamic.emulation.intelparser [boolean]
 true (default): Use intelligent HTML parsing (handles malformed HTML).
 false: Disables intelligent HTML parsing.
dynamic.emulation.usenavbehavior [boolean]
 true (default): Use browser behavior.
 false: Disables browser behavior.
dynamic.emulation.referer.send [boolean]
 true (default): Send the Referer header.
 false: Disables sending of the Referer header.
dynamic.emulation.useragent [string]
 User agent. The default value is a Chrome browser user agent.
dynamic.emulation.forceuseragent [boolean]
 true (default): Force the provided user agent in all situations.
 false: Disables forcing the provided user agent in all situations.

Crawling Reach & Time Limit

This section explains how to apply global settings that affect all scans related to the crawling reach of the spider and the time limit for each scan. These settings allow you to establish consistent parameters that govern the scope of the spider's exploration and the duration of each scanning operation across all scans.

dynamic.crawling.max.linkspersite [integer]
 Maximum number of links per server. The default value is 10000.
dynamic.crawling.max.linksnumber [integer]
 Maximum links per page. The default value is 250.
dynamic.crawling.max.urlsize [integer]
 Maximum URL length (bytes). The default value is 16384.
dynamic.crawling.max.filesize [integer]
 Maximum response size (KB). The default value is 1024.
dynamic.crawling.analyze.robots [boolean]
 true (default): Analyze robots.txt (if available).
 false: Disables analysis of the robots.txt file.
dynamic.options.logout.prevent [boolean]
 true (default): Prevents Syhunt Dynamic from inadvertently visiting the logout page of the web application during crawling or testing, which helps avoid unintentional session termination.
 false: Disables logout prevention mechanisms.
dynamic.options.logout.detect [boolean]
 true (default): Relogin after premature session termination when needed.
 false: Disables relogin.
syhunt.dynamic.options.timelimit.enabled [boolean]
 false (default): Do not use any time limit.
 true: Enable the time limit. This is a master key.
syhunt.dynamic.options.timelimit.value [integer]
 The scan time limit determines the maximum duration of a scan. The default value is an empty string, indicating no limit. Accepted formats include 1d for one day, 3h for three hours, 2h30m for two hours and thirty minutes, or 50m for fifty minutes. Once this maximum duration is reached, the scan cancels itself automatically.

Delay

The delay option allows you to set a delay in milliseconds between requests. However, it's advisable not to set this when conducting DAST as it typically involves millions of requests. Setting a delay could significantly prolong the scanning process, so it's generally better to let the scanner operate without artificial delays.

dynamic.options.delay.enabled [boolean]
 false (default): Do not use a delay between requests.
 true: Enables a delay between requests. This is a master key.
dynamic.options.delay.value [integer]
 Delay (ms). The default value is 3000.
dynamic.options.delay.userandom [boolean]
 false (default): Do not use a random delay.
 true: Enables a random delay between requests.

Evasion

dynamic.evasion.detection.honeypot [boolean]
 true (default): Detect whether the target application is a honeypot.
 false: Disables honeypot detection.
dynamic.evasion.detection.waf [boolean]
 true (default): Attempt to detect whether the application is behind a WAF (web application firewall).
 false: Disables WAF detection.
dynamic.evasion.reqdistrand [boolean]
 true: Distribute requests randomly during crawling (experimental).
 false (default): Disables random distribution of requests.
dynamic.evasion.evadeflt [boolean]
 true (default): Use filter evasion. This is a master key.
 false: Disables filter evasion.
dynamic.checks.sub.xssev [boolean]
 true (default): Evasion technique: common XSS filter evasion techniques.
 false: Disables common XSS filter evasion techniques.
dynamic.checks.sub.utf8dev [boolean]
 true (default): Evasion technique: UTF-8 decode.
 false: Disables the UTF-8 decode evasion technique.

Protocol

In the Protocol section, the default settings related to the HTTP/HTTPS protocol are the most recommended for better performance. These default settings are optimized for handling web traffic efficiently and are generally the preferred choice for conducting scans with optimal performance.

dynamic.protocol.version [string]
 Protocol version. Accepts: HTTP/1.1 and HTTP/1.0. The default value is HTTP/1.1, which is also the recommended value.
dynamic.protocol.ssl.type [string]
 SSL type. Accepts: all, SSLv2, SSLv3, TLSv1, TLSv1_1, TLSv1_2, TLSv1_3, SSHv2. The default value is all, which is also the recommended value, since it works with all supported SSL types instead of restricting the scan to a specific one.
dynamic.protocol.keepalive [boolean]
 true (default): Enable Keep-Alive support (recommended).
 false: Disables Keep-Alive support. This negatively impacts scan speed, since Keep-Alive speeds up connections.
dynamic.protocol.usegzip [boolean]
 true (default): Enable GZIP compression support (recommended).
 false: Disables GZIP compression support. This negatively impacts scan speed, since GZIP compression speeds up connections.
dynamic.protocol.mknocache [boolean]
 true (default): Make no-cache requests.
 false: Disables no-cache requests.
dynamic.protocol.timeout.value [integer]
 Timeout (ms). The default value is 10000.
dynamic.protocol.retries [integer]
 Number of retries after a timeout. The default value is 2.
syhunt.dynamic.options.augmented.jndiserver [string]
 JNDIExploit server (host without port) for Log4Shell exploitation. The default value is an empty string.
dynamic.lists.protocol.customhdr [stringlist]
 Custom request headers (e.g. X-Custom:AValue). The default value is an empty string.

Vulnerability Ignore List

Ignore IDs are shown in reports at the end of each DAST vulnerability entry and are the recommended and easiest way to ignore vulnerabilities in Syhunt. Alternatively, you can create and add Ignore Rules that can apply to wider scenarios.

dynamic.lists.ignore.vulnsbyrules [stringlist]
 Vulnerabilities to ignore (by rule or id). The default value is an empty string list.

Code Preferences

Global settings for Syhunt Code are configurations that apply universally to all SAST scans initiated through various methods such as the scancode command, SAST in DAST, the web UI, REST API, Lua API, PowerShell extension, or the classical UI. These settings provide a consistent framework for controlling the behavior of scans across different initiation methods.

code.checks.inflt [boolean]
 true (default): Analyze input filtering in the application source code. This is crucial for eliminating false positives, as it ensures that proper handling of user input is recognized, reducing the likelihood of incorrect detections.
 false: Disables analysis of input filtering.
code.options.target.tfsver [string]
 TFS version compatibility. Accepts: latest, 2017, 2015, 2013, 2012, 2010. The default value is latest, which means 2018 or higher.

Vulnerability Ignore List

At the end of each SAST vulnerability entry, Ignore IDs are displayed in reports and are the recommended and simplest method for ignoring vulnerabilities in Syhunt. Alternatively, you can create and add Ignore Rules, which can apply to broader scenarios. It's important to note that for SAST, instead of using the 'code.lists.ignore.vulnsbyrules' key, the best practice for ignoring vulnerabilities is by utilizing the .vulnignore file within the scanned repository. This ensures efficient management and handling of ignored vulnerabilities.

code.lists.ignore.vulnsbyrules [stringlist]
 Vulnerabilities to ignore (by rule or id). The default value is an empty string list.

Time Limitation

syhunt.code.options.timelimit.enabled [boolean]
 false (default): Do not use any time limit.
 true: Enable the time limit. This is a master key.
syhunt.code.options.timelimit.value [integer]
 The scan time limit determines the maximum duration of a scan. The default value is an empty string, indicating no limit. Accepted formats include 1d for one day, 3h for three hours, 2h30m for two hours and thirty minutes, or 50m for fifty minutes. Once this maximum duration is reached, the scan cancels itself automatically.
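An added Python helper (not Syhunt's code) for the time limit format shared by syhunt.dynamic.options.timelimit.value in the Crawling Reach & Time Limit section and syhunt.code.options.timelimit.value here: it converts values such as 1d, 3h, 2h30m or 50m into seconds, treats the empty default as no limit, honours the .enabled master key, and decides when a running scan has reached its limit. Rejecting a repeated unit (e.g. 1h1h) is this example's own choice, not a rule documented on this page.

```python
import re

UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60}
TOKEN = re.compile(r"(\d+)([dhm])")


def parse_time_limit(value: str):
    """Convert a timelimit.value string (1d, 3h, 2h30m, 50m) to seconds.

    The empty string, the documented default, means no limit and yields None.
    Anything that is not a run of <digits><d|h|m> groups is rejected rather than
    silently turned into an unlimited scan.
    """
    value = value.strip()
    if value == "":
        return None
    if not re.fullmatch(r"(?:\d+[dhm])+", value):
        raise ValueError(f"invalid time limit: {value!r}")
    seen = set()
    total = 0
    for qty, unit in TOKEN.findall(value):
        if unit in seen:  # example's own rule: 1h1h is ambiguous, refuse it
            raise ValueError(f"unit {unit!r} repeated in {value!r}")
        seen.add(unit)
        total += int(qty) * UNIT_SECONDS[unit]
    return total


def effective_time_limit(enabled: bool, value: str):
    """Limit in seconds that applies to a scan, or None. The .enabled key is the
    master key: when it is false (the default) the value is ignored even if set."""
    return parse_time_limit(value) if enabled else None


def should_cancel(elapsed_seconds: int, limit_seconds) -> bool:
    """True once a scan has reached its maximum duration (the page: it cancels itself)."""
    return limit_seconds is not None and elapsed_seconds >= limit_seconds


if __name__ == "__main__":
    for v in ("1d", "3h", "2h30m", "50m", ""):
        print(repr(v), "->", parse_time_limit(v))
```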

Forensic Preferences

Global settings for Syhunt Forensic are configurations that apply universally to all FAST scans initiated through various methods such as the scanlog command or the classical UI.

insight.lists.ignorelist.paths [stringlist]
 Path ignore list (e.g. /robots.txt,robots2.txt). The default value is an empty string list.
insight.lists.ignorelist.srcips [stringlist]
 IP ignore list (e.g. 1.1.1.1,2.2.2.2). The default value is an empty string list.
insight.options.logformat [string]
 Log format. Accepts: auto, common, apache, iis, ncsa, nginx. The default value is auto, which means the log format is auto-detected.
insight.options.profileatk [boolean]
 true (default): Build attacker profile.
 false: Disables attacker profiling.
insight.options.resolveip [boolean]
 true: Resolve attacker IP addresses (slower).
 false (default): Disables IP resolving (faster).

Additional Hybrid Preferences

Global settings for Syhunt Hybrid are configurations that apply universally to all scans initiated through various methods such as the scancode command, the scanurl command, the web UI, REST API, Lua API, PowerShell extension, or the classical UI. These settings provide a consistent framework for controlling the behavior of scans across different initiation methods.

hybrid.report.defaultlanguage [string]
 Report language ID. See the list of available report languages. The default value is EN, for English-language reports.
hybrid.report.company.logo.urldark [string]
 Organization logo URL for dark backgrounds (e.g. http://www.mycompany.com/logo.png). The default value is an empty string.
hybrid.lists.riskfine [stringlist]
 Risk redefinition. Each line must use the format [unique check ID=severity] (e.g. C-1603660271-7241=low). The default value is an empty string list.
syhunt.hybrid.advanced.ai.openai.apikey.encrypted [string]
 OpenAI key for enabling Syhunt's AI-powered capabilities. The default value is an empty string.
syhunt.hybrid.advanced.ai.options.exrepsolut [boolean]
 true (default): Share excerpts of vulnerable code to get patch examples. Requires an empty .aipatchconsent file at the root of each target repository.
 false: Disables sharing excerpts of vulnerable code to get patch examples, even if patch consent files are available.

Tracker Preferences

To set Tracker preferences, you must use the scancore -tracker:set command, providing the -v parameter along with the -to parameter (see the examples below); the setting applies only to the specified tracker.

Here are examples demonstrating how to create a tracker and set tracker preferences via the command-line interface.

-- Example 1 - Adding a new GitHub tracker
scancore -tracker:add
-- Specify the type GitHub and the name of the tracker, and press Enter
-- Configure the GitHub tracker
scancore -tracker:set to:mytrackername -key:project.name -v:owner/repo
scancore -tracker:set to:mytrackername -key:auth.token.encrypted -vsecret

-- Example 2 - Adding a new email tracker
scancore -tracker:add
-- Specify the type Email and the name of the tracker, and press Enter
scancore -tracker:set to:myemailtracker -key:message.from -v:robot@yourdomain.com
scancore -tracker:set to:myemailtracker -key:message.tolist -v:security@yourdomain.com,team@yourdomain.com
scancore -tracker:set to:myemailtracker -key:auth.targethost -v:smtp.yourdomain.com
scancore -tracker:set to:myemailtracker -key:smtp.targetport -v:587
scancore -tracker:set to:myemailtracker -key:auth.username -v:myusername
scancore -tracker:set to:myemailtracker -key:auth.password -vsecret

-- Example 3 - Testing a tracker
scancore -tracker:send -tid:TEST -to:mytrackername -note:"My comment"

-- Example 4 - Sending a vulnerability from a report to the tracker
-- 1596281007-7-4771 is a vulnerability track ID taken from the report. Each vulnerability has its own track ID
scancore -tracker:send -tid:1596281007-7-4771 -to:mytrackername -note:"My comment"

-- Example 5 - Listing available trackers
scancore -tracker:list

-- Example 6 - Deleting a tracker
scancore -tracker:del to:mytrackername

The keys available below may vary depending on the type of tracker. For instance, an email tracker considers the smtp.targetport key, but a GitHub tracker would simply ignore this setting. Below we indicate which keys are usually required for each specific tracker type.

project.name | string | Project Name (e.g. owner/repo). The default value is an empty string.
auth.username | string | Username. The default value is an empty string.
auth.password | string | Password. The default value is an empty string.
auth.token.encrypted | string | Authentication Token. This can be used to set a PAT (Personal Access Token) for a service. The default value is an empty string.
auth.targethost | string | Hostname. The default value is an empty string.
api.url | string | API/Server URL. The default value is an empty string.
custom.fields | stringlist | Custom Fields. The default value is an empty string list.
custom.labels | stringlist | Custom Labels. The default value is an empty string list.
scan.minseverity | string | Minimal Severity. Accepted values are: Info, Low, Medium or High. The default value is Info.
notifyonfailonly | boolean | true: Notify only when a fail condition is met. false (default): Always notify (not tied to any pre-configured pass/fail conditions).

Email

smtp.targetport | integer | SMTP Port. The default value is 587.
message.from | string | Message - From. The default value is an empty string.
message.tolist | string | Message - To List (single email or comma-separated list of emails). The default value is an empty string.
message.subject | string | Message - Subject. The default value is an empty string.
  • Use auth.targethost to set the SMTP host, and auth.username and auth.password to specify credentials.

GitLab

  • Use project.name to specify the owner/repository name and api.url to provide the GitLab server URL.
  • Use auth.token.encrypted to enter your PAT (Personal Access Token).
  • Use custom.labels to enter custom labels (e.g: Vulnerability).

GitHub

  • Use project.name to specify the owner/repository name.
  • Use auth.token.encrypted to enter your PAT (Personal Access Token).
  • Use custom.labels to enter custom labels (e.g: Vulnerability).

Jira

jira.defitname | string | Jira Default Issue Type. The default value is Task.
  • Use project.name to specify the Jira project name and api.url to provide the Jira server URL.
  • Use auth.username and auth.password to specify credentials.
  • Use custom.labels to enter custom labels (e.g: Vulnerability).
  • Use custom.fields to reference custom fields by name rather than ID. If the custom field is a SelectList, declare the field as: customfield_10100.value=ACustomValue

DefectDojo

scan.testtitle | string | Context: Test Title. The default value is an empty string.
scan.engagementname | string | Context: Engagement Name. The default value is an empty string.
scan.producttypename | string | Context: Product Type Name. The default value is an empty string.
scan.productname | string | Context: Product Name. The default value is an empty string.
scan.active | boolean | true (default): Active. false: Not active.
scan.verified | boolean | true (default): Verified. false: Not verified.
scan.skipduplicates | boolean | true: Skip Duplicates. false (default): Do not skip duplicates.
scan.closeoldfindings | boolean | true: Close Old Findings. false (default): Do not close old findings.
scan.pushtojira | boolean | true: Push To Jira. false (default): Do not push to Jira.
  • Use api.url to provide the DefectDojo server URL.
  • Use scan.minseverity to provide Minimal Severity.
  • Use custom.labels to provide custom tags (e.g: scan).
  • Use auth.token.encrypted to provide the authentication token.

Faraday

  • Use api.url to provide the Faraday server URL.
  • Use project.name to provide the workspace name. If project.name is not defined, my_workspace will be used as its default value.
  • Use auth.username and auth.password to specify credentials.
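Because a tracker silently ignores keys it does not use, a misconfigured tracker is usually only noticed when scancore -tracker:send fails. The following is an added Python example, not Syhunt code, that pre-checks a tracker configuration against the per-type key lists and value types documented above; the required-key sets, the sample values and the my_workspace fallback for Faraday are taken from this page, while treating every unlisted key as a string is this example's assumption.

```python
# Required keys per tracker type, as listed in this documentation. Keys a
# type does not use are ignored by it (e.g. smtp.targetport on GitHub), so
# the check only reports what is missing or mistyped, never what is extra.
REQUIRED_KEYS = {
    "Email": {"auth.targethost", "auth.username", "auth.password",
              "message.from", "message.tolist"},
    "GitLab": {"project.name", "api.url", "auth.token.encrypted"},
    "GitHub": {"project.name", "auth.token.encrypted"},
    "Jira": {"project.name", "api.url", "auth.username", "auth.password"},
    "DefectDojo": {"api.url", "auth.token.encrypted"},
    "Faraday": {"api.url", "auth.username", "auth.password"},
}

# Value types from the key tables above; any key not listed is a string
# (assumption of this example).
KEY_TYPES = {
    "smtp.targetport": int, "notifyonfailonly": bool,
    "custom.fields": list, "custom.labels": list,
    "scan.active": bool, "scan.verified": bool, "scan.skipduplicates": bool,
    "scan.closeoldfindings": bool, "scan.pushtojira": bool,
}
SEVERITIES = ("Info", "Low", "Medium", "High")


def check_tracker(tracker_type, config):
    """Return a list of problems; an empty list means the tracker is usable."""
    if tracker_type not in REQUIRED_KEYS:
        return [f"unknown tracker type {tracker_type!r}"]
    config = dict(config)
    if tracker_type == "Faraday":            # documented fallback workspace
        config.setdefault("project.name", "my_workspace")
    problems = [f"missing required key {k}"
                for k in sorted(REQUIRED_KEYS[tracker_type]) if not config.get(k)]
    for key, value in config.items():
        expected = KEY_TYPES.get(key, str)
        if type(value) is not expected:      # bool subclasses int, so compare types
            problems.append(f"{key} must be {expected.__name__}, got {type(value).__name__}")
    sev = config.get("scan.minseverity")
    if sev is not None and sev not in SEVERITIES:
        problems.append(f"scan.minseverity must be one of {SEVERITIES}, got {sev!r}")
    return problems


# Constructed sample configurations (hypothetical values, not real credentials).
EMAIL_OK = {"auth.targethost": "smtp.example.com", "auth.username": "bot",
            "auth.password": "<secret>", "message.from": "robot@example.com",
            "message.tolist": "security@example.com,team@example.com",
            "smtp.targetport": 587}
GITHUB_BAD = {"project.name": "owner/repo", "smtp.targetport": "587",
              "scan.minseverity": "Critical"}   # no token, port as string, bad severity
```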

For additional product documentation, visit syhunt.com/docs
