The bug hunter's notepad

Syhunt Huntpad is an open source notepad application with features that are particularly useful to penetration testers and bug hunters - a collection of common injection string generators, hash generators, encoders and decoders, HTML and text manipulation functions, and so on, coupled with syntax highlighting and ability to execute scripts in over 10 programming languages.


Huntpad borrows many features from Syhunt Sandcat's QuickInject sidebar. Like its cousin, it is focused on File Inclusion, XSS and SQL Injection and comes with the following options:

  • Out-of-the-box ability to execute scripts in 12 different programming languages (new in Huntpad 2.0):
    • Run code in C# (.NET), Java, JavaScript, Lua, Perl, PHP, Python, Ruby, Pascal, VBScript and TypeScript
    • Run JavaScript code using an engine of your choice: JavaScriptCore, SpiderMonkey, V8 (Node.js), V8 (Pure), JScript and QuickJS
    • Run JavaScript supersets like TypeScript, JS++ and TIScript
    • Run Lua code using a Lua version of your choice: JIT, 5.1, 5.2, 5.3 and 5.4
  • Secure Random Password Generator (new in Huntpad 2.0)
  • Secure Random functions - Hex, Base64, Number (new in Huntpad 2.0)
  • Secure UUID generator (new in Huntpad 2.0)
  • JSON String Escape (new in Huntpad 2.0)
  • Syntax Highlighting - supporting HTML, JavaScript, CSS, XML, PHP, Ruby, SQL, Pascal, Perl, Python, VBScript and more.
  • SQL Injection functions
    • Filter Evasion - Database-Specific String Escape (CHAR & CHR). Conversion of strings to quoted strings, conversion of spaces to comment tags or new lines
    • Filter Evasion (MySQL-Specific) - String Concatenation, Percent Obfuscation & Integer Representation (eg: '26' becomes 'ceil(pi()*pi())*(!!!pi()+true)+ceil(@@version)', a technique presented by Johannes Dahse).
    • UNION Statement Maker
    • Quick insertion of common injections covering DB2, Informix, Ingres, MySQL, MSSQL, Oracle & PostgreSQL
  • File Inclusion functions
    • Quick Shell Upload code generator
    • PHP String Escape (chr)
  • Cross-Site Scripting (XSS) functions
    • Filter Evasion - JavaScript String Escape (String.fromCharCode), CSS Escape
    • Various handy alert statements for testing for XSS vulnerabilities.
  • Hash functions
    • Hash Generators - MD5, SHA-1, SHA-2 (224, 256, 384 & 512), GOST, HAVAL (various), MD2, MD4, RIPEMD (128, 160, 256 & 320), Salsa10, Salsa20, Snefru (128 & 256), Tiger (various) & WHIRLPOOL
  • Encoders/Decoders
    • URL Encoder/Decoder
    • Hex Encoder/Decoder - Converts a string or integer to hexadecimal or vice-versa (multiple output formats supported).
    • Base64 Encoder/Decoder
    • CharCode Converter - Converts a string to charcodes (eg: 'abc' becomes '97,98,99') or vice-versa.
    • IP Obfuscator - Converts an IP to dword, hex or octal.
    • JavaScript Encoders - Such as JJEncode by Yosuke HASEGAWA
  • HTML functions
    • HTML Escape/Unescape
    • HTML Entity Encoder/Decoder - Decimal and hexadecimal HTML entity encoders & decoders
    • JavaScript and CSS beautifiers
    • JavaScript String Escape
  • Text Manipulation functions - Uppercase, Lowercase, Swap Case, Title Case, Reverse, Shuffle, Strip Slashes, Strip Spaces, Add Slashes, Char Separator
  • Time-Based Blind Injection code - Covering MySQL, MSSQL, Oracle, PostgreSQL, Server-Side JavaScript & MongoDB
  • CRC Calculators - CRC16, CRC32, CRC32b, and more.
  • Classical Ciphers - ROT13 & ROT[N]
  • Checksum Calculators - Adler-32 & Fletcher
  • Buffer Overflow String Creator
  • Random String & Number Generation functions
  • URL Splitter
  • Useful Strings - Math, character sets and more.

It has been really rewarding to see this application... many possibilities offered by this notepad turned into a small Swiss army knife for Ethical Hacking.

Pablo González Pérez, Security Researcher, ElevenPaths

HuntPad is similar to CyberChef from GCHQ, but less emphasis on text formats of structured data & PublicKey+symmetric cryptography-not dis`ing cause a non-web approach is needed for websec testing.

Derek Callaway, IOActive, Cybersecurity Consultant