What's New in Syhunt 7.1.9


September 17, 2025

Syhunt Hybrid 7.1.9 adds API security testing tool

Syhunt is proud to announce the release of its new Syhunt API security scanner, a major addition to its application security portfolio, available starting with version 7.1.9 of Syhunt Hybrid. Building on its strong reputation in web and mobile app security, Syhunt now extends its protection to APIs - offering dynamic security testing for modern API formats.

The new scanner is capable of detecting over 581 API-specific vulnerabilities across more than 30 categories, including both standard and out-of-band attack types, with high accuracy and minimal false positives. It supports a wide range of API specification formats, including API Blueprint, OpenAPI and Swagger, and integrates seamlessly with CI/CD pipelines, issue tracking tools, and WAF platforms. Available for on-premises deployment, the API scanner is offered at no additional cost to existing Syhunt Hybrid Infinity and Syhunt Dynamic Infinity customers, marking a significant milestone in Syhunt’s evolution toward securing the full spectrum of modern application surfaces.

Key capabilities include:

  • Dynamic API Security Testing across more than 581 API-specific vulnerabilities in 30+ categories, spanning inferential, in-band, and out-of-band attack types.
  • Support for all major API specification formats, including OpenAPI (v2/v3), Swagger (v1/v2/v3), GraphQL (with REST annotations), API Blueprint, RAML, WADL, Google Discovery and I/O Docs.
  • Automated API crawling and mapping, enabling comprehensive endpoint discovery and action and request identification, all delivered quickly and with zero manual effort.
  • Optimized for APIs developed in ASP.NET Core (C#), Java (Spring Boot / Jakarta EE), Node.js, PHP, Python, and Ruby, on a wide range of web servers and platforms (Windows, Unix, etc.).
  • Coverage of OWASP Top 10 API Security Risks, OWASP Top 10 Web App Risks, SQL Injection (across 17+ database types), File Inclusion, Command Execution, and more.
  • False-positive-free OAST (Out-of-Band API Security Testing).

With this release, Syhunt reinforces its commitment to giving organizations proactive, deep, and automated protection for their entire API landscape - extending beyond traditional web and mobile app guardrails to the critical API layer.

Defining AAST: API Application Security Testing

To clearly distinguish our API security testing capabilities from traditional web-focused DAST, Syhunt is adopting the acronym AAST (API Application Security Testing). Much like MAST (Mobile Application Security Testing) has become a widely recognized term to differentiate mobile-focused DAST/SAST from their web counterparts, AAST helps position API testing as a distinct, essential subset within the broader AST (Application Security Testing) category. This distinction not only aligns with how security testing has evolved across different platforms but also clarifies our product’s role in securing APIs specifically. Furthermore, the market’s adoption of AASM (API Attack Surface Management) as a related acronym reinforces the need for terminology like AAST, making it easier for both technical and marketing audiences to understand and categorize API-focused security tools. With AAST, Syhunt embraces this evolution, providing clarity and alignment with industry trends.

Coming Next: An Ongoing Inventory of APIs

In an upcoming update, Syhunt plans to expand its API coverage into full-spectrum API Attack Surface Management (AASM) by combining dynamic analysis (DAST), log-based discovery (FAST), and source-level analysis (SAST). The upcoming Syhunt API Plus product will automate the discovery and continuous security testing of all APIs - whether documented, internal, shadow, zombie, orphan, or third-party endpoints.

Improvements in 7.1.9

  • Added the ability to scan APIs for vulnerabilities. Currently available through the web UI and the CLI (ScanURL command).
  • Added OWASP Top 10 API 2023 and 2019 lists to compliance report.
  • Added support for a .syhunt-pathignore file in the root of code repositories. The file must contain wildcard strings (one per line); matching paths are excluded from the SAST analysis.
  • Added detection of API specifications through DAST & SAST analysis.
  • Revised hunt method for CWE Top 25 Most Dangerous Software Weaknesses to match the most recent version of the document.
  • Improved error handling: a fatal error is now generated when an invalid hunt method is provided through the CLI.
  • Improved parsing of JSON/XML responses.
  • Improved XML export generation.
  • Spider Only method renamed to Map Only.
  • The .syhunt-vulnignore file is now accepted in place of .vulnignore. Support for .vulnignore has been kept only for compatibility with existing repositories.
  • Revised Header Manipulation checks.
  • Fixed: non-translated text in list editor dialog title (ZGP-LVBGX-958).
  • Fixed: Wrong display of Asian characters after action popup confirmation and execution.
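Because every path matched by .syhunt-pathignore is dropped from the SAST analysis, the exclusion list deserves the same review as any other scanner setting. The following is an added Python illustration, not Syhunt's own code or its documented matching rules: it applies a constructed ignore file to a constructed list of repository paths and reports what would be excluded. Shell-style (fnmatch) wildcard semantics, '#' comment lines and the overly-broad-pattern check are all assumptions made for the example.

```python
import fnmatch

# Constructed sample of a .syhunt-pathignore: one wildcard string per line.
# Comment lines are an assumption of this example; the page only documents
# "wildcard strings, one per line".
SAMPLE_PATHIGNORE = """
# third-party and generated code we do not want in the SAST findings
vendor/*
node_modules/*
*.min.js
tests/fixtures/*
"""

# Constructed sample of repository paths, relative to the repository root.
SAMPLE_REPO_PATHS = [
    "src/app/login.php",
    "src/api/users.py",
    "vendor/lib/foo.php",
    "node_modules/x/index.js",
    "public/js/app.min.js",
    "tests/fixtures/payload.json",
    "tests/test_users.py",
]


def load_patterns(text):
    """Return the wildcard patterns from the ignore file, skipping blanks and '#' comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def is_ignored(path, patterns):
    """True if the repo-relative path matches any pattern (fnmatch semantics assumed)."""
    posix = path.replace("\\", "/")
    return any(fnmatch.fnmatchcase(posix, p) for p in patterns)


def split_paths(paths, patterns):
    """Partition paths into (scanned, excluded) so the excluded set can be reviewed."""
    scanned = [p for p in paths if not is_ignored(p, patterns)]
    excluded = [p for p in paths if is_ignored(p, patterns)]
    return scanned, excluded


def overly_broad(patterns, paths):
    """Patterns that match every known path would silently empty the SAST scan."""
    return [p for p in patterns if all(fnmatch.fnmatchcase(x, p) for x in paths)]
```

Running split_paths over the sample leaves only the first-party source and the hand-written test in the scan, which is what a reviewer should confirm before committing the ignore file.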

That's all, for now. Happy bug hunting!
