1.5 MILLION GOVT EMAILS: We analyzed and alerted about the largest password dump in history Learn more

Syhunt Hybrid Preferences

The information in this document applies to version 6.9.6.4 of Syhunt Hybrid.

The following is a list of key available preferences in Syhunt Hybrid that can be set through its command-line interface. Syhunt preferences are either global (apply to all scans and targets) or site-specific (apply to a specific web site).

Site Preferences

Site preferences must be set using the scancore -prefset command, by providing the -v parameter combined with the -tg parameter (examples) and can only be applied to the indicated target website.

Preference IDPreference descriptionDefault (bold) and other accepted values
nameDescriptive name of the target websiteempty, Example: "My company website"
enabledEnable Site Preferencestrue
dynamic.augmented.detectoobPerform OAST with Syhunt Signal (Recommended)true
dynamic.augmented.scanclisourcePerform SAST in client-side JavaScript with Syhunt Codetrue
dynamic.webtech.slangServer-Side Scripting Languageauto, lang.asp, lang.aspx, lang.java, lang.ssjs, lang.lua, lang.perl, lang.php, lang.python, lang.ruby
dynamic.webtech.serverWeb Serverauto, server.apache, server.tomcat, server.iis, server.nginx
dynamic.webtech.osServer OSauto, os.bsd, os.linux, os.solaris, os.unix, os.windows
dynamic.webtech.datsqlDatabaseauto, db.sql.access, db.sql.db2, db.sql.informix, db.nosql.mongodb, db.sql.mysql, db.sql.oracle, db.sql.postgresql, db.sql.sqlserver, db.sql.sqlite
dynamic.webtech.guess.enabledAttempt to sense web server software versions (Recommended)true
dynamic.webtech.guess.apacheSense Apache versiontrue
dynamic.webtech.guess.nginxSense Nginx versiontrue
dynamic.webtech.guess.phpSense PHP versiontrue
dynamic.webtech.guess.phusionSense Phusion Passenger versiontrue
dynamic.webtech.guess.modsslSense ModSSL versiontrue
dynamic.webtech.guess.opensslSense OpenSSL versiontrue
dynamic.advanced.forcewebrootstructAlways target web root during structure brute forcingtrue
dynamic.crawling.limitdepthUse depth limitfalse
dynamic.crawling.maxdepthMaximum depth (requires use depth limit enabled)0
dynamic.crawling.limittobaseLimit crawling to start URL path and specific allowed URLsfalse
dynamic.lists.starturlsAdditional Start URLsempty. Example: /url1.php,/url2.php
dynamic.lists.ignore.urlsPaths to ignoreempty. Example: /about1.php,/about2.php
dynamic.lists.ignore.logoutpathsLogout paths to ignoreempty. Example: /logout.php
dynamic.lists.ignore.form.namesForms to ignore (by name)empty. Example: search1,search2
dynamic.lists.ignore.vulnsbyrulesVulnerabilities to ignoreempty. Example: path=*/form.php,params=file
dynamic.formauth.enabledEnable form authenticationfalse
dynamic.formauth.usernameForm usernameempty
dynamic.formauth.passwordForm passwordempty
dynamic.servauth.typeServer Authentication TypeNone, Basic, NTLM
dynamic.servauth.usernameServer Usernameempty
dynamic.servauth.passwordServer Passwordempty
dynamic.advanced.incrementalscanIncremental Scanauto, disabled
dynamic.lists.cookiesCookiesempty. Example: ck1=value;ck=value

Dynamic Preferences

Global settings for Syhunt Dynamic.

Preference IDPreference descriptionDefault (bold) and other accepted values
dynamic.checks.dosPerform DoS (Denial of Service) teststrue
dynamic.emulation.redirect.autofollowinstarturlAuto handle off-domain redirect in Start URLtrue
dynamic.emulation.modeBrowser Emulation ModeChrome, Edge, Firefox, MSIE, Opera, Safari
dynamic.emulation.javascript.executionEnable JavaScript emulationtrue
dynamic.emulation.javascript.simuserSimulate user interaction (key press, mouse click, etc)true
dynamic.emulation.doxhrcallsPerform XHR callstrue
dynamic.emulation.cookies.acceptAccept cookiestrue
dynamic.emulation.cookies.maxsizeMaximum cookie size (kb)4
dynamic.emulation.cookies.maxnumberMaximum number of cookies per site50
dynamic.emulation.autofill.formsAutomatically fill forms (name, address, phone, email, etc)true
dynamic.emulation.autofill.loginformsAuto fill login web formstrue
dynamic.options.logout.preventPrevent logouttrue
dynamic.options.logout.detectRelogin when neededtrue
dynamic.emulation.redirect.autofollowAutomatically follow redirectstrue
dynamic.emulation.intelparserUse intelligent HTML parsing (Handles malformed HTML)true
dynamic.emulation.usenavbehaviorUse browser behaviortrue
dynamic.emulation.referer.sendSend Referertrue
dynamic.emulation.useragentUser Agenta Chrome user agent
dynamic.emulation.forceuseragentForce this user agent in all situationstrue
dynamic.crawling.max.linkspersiteMaximum number of links per server10000
dynamic.crawling.max.linksnumberMaximum links per page250
dynamic.crawling.max.urlsizeMaximum URL length (bytes)16384
dynamic.crawling.max.filesizeMaximum response size (kb)1024
dynamic.emulation.javascript.analyzejsAnalyze JavaScript codetrue
dynamic.emulation.javascript.analyzexhrAnalyze XHR callstrue
dynamic.crawling.analyze.robotsAnalyze robots.txt (if available)true
dynamic.evasion.evadefltUse filter evasiontrue
dynamic.checks.sub.xssevEvasion Technique: Common XSS filter evasion techniquestrue
dynamic.checks.sub.utf8devEvasion Technique: UTF-8 Decodetrue
dynamic.evasion.detection.honeypotDetect honeypottrue
dynamic.evasion.detection.wafDetect application firewall (if installed)true
dynamic.evasion.reqdistrandDistribute requests randomly during crawlingfalse
dynamic.options.delay.enabledUse delay between requestsfalse
dynamic.options.delay.valueDelay (ms)3000
dynamic.options.delay.userandomRandom delayfalse
dynamic.protocol.versionProtocol VersionHTTP/1.1, HTTP/1.0
dynamic.protocol.ssl.typeSSL Typeall, SSLv2, SSLv3, TLSv1, TLSv1_1, TLSv1_2, TLSv1_3, SSHv2
dynamic.protocol.keepaliveEnable Keep-Alivetrue
dynamic.protocol.usegzipEnable GZIP compression supporttrue
dynamic.protocol.mknocacheMake no-cache requestsfalse
dynamic.lists.protocol.customhdrCustom Request Headersempty, Example: X-Custom:AValue,X-Custom2:AValue
dynamic.lists.ignore.vulnsbyrulesVulnerabilities to ignoreempty. Example: path=*/form.php,params=file
dynamic.protocol.timeout.valueTimeout (ms)10000
dynamic.protocol.retriesNumber of retries after timeout2

Code Preferences

Global settings for Syhunt Code.

Preference IDPreference descriptionDefault (bold) and other accepted values
code.checks.infltAnalyze input filteringtrue
code.options.target.tfsverTFS Version Compatibilitylatest, 2017 .. 2010
code.lists.ignore.vulnsbyrulesVulnerabilities to ignoreempty. Example: path=*/form.php,params=file

Insight Preferences

Global settings for Syhunt Insight.

Preference IDPreference descriptionDefault (bold) and other accepted values
insight.lists.ignorelist.pathsPath Ignore Listempty, Example: /robots.txt,robots2.txt
insight.lists.ignorelist.srcipsIP Ignore Listempty, Example: 1.1.1.1,2.2.2.2
insight.options.logformatLog Formatauto, common, apache, iis, ncsa, nginx
insight.options.profileatkBuild attacker profiletrue
insight.options.resolveipResolve attacker IP addresses (Slow)false

Additional Hybrid Preferences

Additional global settings for Syhunt Hybrid.

Preference IDPreference descriptionDefault (bold) and other accepted values
hybrid.report.company.logo.urlOrganization Logo URLempty. Example: http://www.mycompany.com/logo.png
hybrid.lists.riskfineRisk Redefinitionempty. Example: C-1603660271-7241=low

Tracker Preferences

Tracker preferences must be set using the scancore -tracker:set command, by providing the -v parameter combined with the -to parameter and can only be applied to the indicated tracker.

Preference IDPreference descriptionDefault (bold) and other accepted values
project.nameProject Nameempty. Example: owner/repo
auth.usernameUsernameempty
auth.passwordPasswordempty
auth.token.encryptedAuthentication Tokenempty.
auth.targethostHostnameempty
smtp.targetportSMTP Port587
message.fromMessage - Fromempty
message.tolistMessage - To Listempty
api.urlAPI URLempty
jira.defitnameJira Default Issue TypeTask
custom.fieldsCustom Fieldsempty
custom.labelsCustom Labelsempty

For additional product documentation, visit syhunt.com/docs