The information in this document applies to version 6.9.14 of Syhunt Hybrid.
Syhunt Hybrid is a hybrid, multi-language web application security assessment suite. It lets you scan for the most common web application flaws from an attacker's perspective. Syhunt dynamically injects data into web applications and analyzes their responses to determine whether the application code is vulnerable to specific attacks (such as SQL Injection, XSS, and many other web application vulnerability classes). If requested, Syhunt will also scan the application's source code in search of security issues.
Which operating systems and applications are supported for scanning?
Syhunt modules are built with the flexibility to cover multiple web server platforms:
Users tend to see web application security scanners as something like antivirus software: reactive, and requiring regular check and signature updates (weekly, if not daily). This is true for traditional web scanners, but from 2008 on Syhunt favored a proactive approach when developing its checks and its Hybrid scanner. Today Syhunt favors common weaknesses (CWEs) over disclosed vulnerabilities (CVEs). Below we compare the two approaches.
Traditional web application security scanners are:
Favoring a proactive approach, rather than a reactive approach, made Syhunt:
While performing a standard dynamic scan (also known as a black-box scan), the Syhunt scanner injects data into the web applications and then analyzes the application's responses to determine whether the application code is vulnerable to specific web application security attacks.
ASP (Classic)
ASP.Net
Java / JSP
JavaScript
Lua
Perl
PHP
Python
Ruby
Follow along with this guide to learn how to perform a dynamic scan and generate a vulnerability report.
At the end of the scan, you can click Generate a Report to save the results as an HTML report or in any other preferred format.
The next time you perform a scan (unless you want to change the site preferences again), you can jump from step 3 straight to step 5.
If you need to manually login first before you can scan a website, you may prefer to start the scan from within the Sandcat Browser.
Alternatively, you can manually login using an external browser like Google Chrome or Mozilla Firefox:
If you have Syhunt version 6.9.26 or later, Syhunt will indicate in the session details area of the report whether the manually started session was maintained from the beginning to the end of the scan, with an "Authenticated Session Maintained: Yes" entry.
scanurl [starturl] -hm:[huntmethod]
Example: scanurl http://www.somehost.com -hm:appscan
Syhunt scanurl tool reports are automatically generated and saved unless the -nr parameter is provided. You can also open the session by launching Syhunt and using the Menu -> Past Sessions option.
The following parameters can be provided when calling the scanurl tool, all of which are optional:
Parameter | Description | Default Value |
sn:[name] | A session name that must be unique. If omitted, a unique ID will be generated and assigned | auto-generated ID |
hm:[name] | The Hunt Method to be used during the scan. If omitted, the default method will be used | appscan |
emu:[mode] | Browser Emulation Mode. Available modes include: chrome, edge, firefox, msie, safari | chrome |
srcdir:[local dir] | Sets a Target Code Folder for a Hybrid Scan (eg. "C:\www\docs\" or "/home/user/www/") | |
tk:[trackername] | Sends vulnerabilities to a tracker after scanning. Can be combined with the -pfcond parameter | |
tk2:[trackername] | Same as above | |
tk3:[trackername] | Same as above | |
nr | Disables the report generation after scanning | |
or | Opens report after generation | |
rout:[filename] | Sets the report output filename and report format | Report_[session name].html |
rtpl:[name] | Sets the report template | Standard |
xout:[filename] | Sets the export output filename and report format | Export_[session name].xml |
xout2:[filename] | Sets a second export output filename and report format | Export_[session name].xml |
pfcond:[condition] | Sets a pass/fail condition to be reported | |
nv | Turns off verbose output. Errors and basic info still get printed | |
inc:[mode] | Sets the incremental scan mode | targetpref |
inctag:[name] | Optionally stores the incremental scan data within a tag | |
mnl:[n] | Sets the maximum number of links per server | 10000 |
mnr:[n] | Sets the maximum number of retries | 2 |
tmo:[ms] | Sets the request timeout time | 8000 |
tml:[time] | Sets the maximum scan time limit (eg: 1d, 3h, 2h30m, 50m) | No limit |
ver:[v] | Sets the HTTP Version | 1.1 |
nofris | Disables auto follow off-domain redirect in Start URL | |
nodos | Disables Denial-of-Service tests | |
nojs | Disables JavaScript emulation and execution | |
atype:[type] | Sets the auth type; Basic, Form and Manual | |
auser:[username] | Sets a username for authentication | |
apass:[password] | Sets a password for authentication | |
about | Displays information on the current version of Syhunt | |
help (or /?) | Displays the list of available parameters | |
Syhunt Dynamic fully supports the scanning of IPv6 addresses. To scan an IPv6 target, remember to enclose the address in square brackets, e.g.:
http://[2001:4860:0:2001::68]/index.php
You can prevent specific vulnerabilities from being reported through ignore IDs or ignore rules:
Ignore IDs are shown in reports at the end of each vulnerability entry and are the recommended and easiest way to ignore vulnerabilities in Syhunt. Alternatively, you can create and add Ignore Rules that can apply to wider scenarios.
How much time will Syhunt Dynamic take to run all the tests?
Duration depends on the number of pages and applications your website contains and on the scan method you selected. The web application checks (which run after the crawling stage) are usually the part of the scan that takes the most time, and their duration depends on the size of the target site.
Can I load a previous scan session and re-run reports again?
Yes, select the Past Sessions option from the Menu. The Session Manager screen will open. Click Generate Report for the session you want and you will see the session results and the options to export data and generate reports.
Is there a list of tests that are conducted using the updated version of Syhunt?
You can get an idea of the tests by clicking the Menu -> Help, and then select Vulnerability List.
Do any of the tests crash the tested host?
As far as crashing the host goes: there are denial-of-service checks which may crash the tested host, but you can turn those off when scanning.
Does Syhunt Dynamic have any problems with personal firewalls?
Yes, you'll just have to let the firewall know that Syhunt is authorized to make connections to the Internet. However, some software firewalls do not handle high loads very well, so it is not recommended to run both a personal firewall and Syhunt on the same machine.
If you're running a PC firewall on the scanning system that does outbound filtering, try disabling it: we've occasionally seen firewalls automatically block a program's socket calls without first prompting the user as to whether or not it should be allowed to make connections.
Is there any way to scan ports 23 (telnet) and 21 (ftp)?
No. Syhunt Dynamic is not a general-purpose security scanner; it is specialized for evaluating web applications.
Syhunt's whitebox scan (source code scan) can uncover multiple classes of application vulnerabilities and also identify key areas of the code that need review. Its static source code analysis functionality can detect over 40 vulnerability types, including the 2019 CWE Top 25 Most Dangerous Software Errors and the OWASP mobile top 10 security risks. Initially only PHP was supported. As of today, multiple web and mobile programming languages are supported.
ASP Classic (VBScript & JavaScript)
ASP.Net (C# & VB.Net)
Java (JEE / JSP)
JavaScript (Client and Server-Side, Node.js, Angular, AngularJS, Express.js & Koa.js)
Kotlin (Ktor)
Lua (ngx_lua, mod_lua, CGILua & Lua Pages)
Object Pascal (Delphi XE and older, Lazarus & DWS)
Perl
PHP
Python (CGI, Django, mod_python & WSGI)
Ruby (Rails & ERB)
TypeScript (Client and Server-Side, Node.js & Angular)
Java (Android)
Kotlin (Android)
Swift (iOS)
Objective-C, C & C++ (iOS)
Object Pascal (Delphi XE)
JavaScript (including Node.js, Angular, AngularJS, Express.js & Koa.js)
Follow along with this guide to learn how to perform a source code scan and generate a vulnerability report.
At the end of the scan, you can click Generate a Report to save the results as an HTML report or in any other preferred format.
scancode [target] -hm:[huntmethod]
// Examples:
scancode git://sub.domain.com/repo.git
scancode https://github.com/user/repo.git -rb:master
scancode /source/www/
TFS repositories and local Windows path:
// Local path
scancode c:\source\www\
scancode c:\source\www\file.php
scancode c:\mobile\myapp.apk
scancode "c:\source code\www\"
// TFS repositories
scancode https://dev.azure.com/user/project
scancode https://myserver/tfs/project
scancode collection:https://dev.azure.com/user$/project
Syhunt scancode tool reports are automatically generated and saved unless the -nr parameter is provided. You can also open the session by launching Syhunt and using the Menu -> Past Sessions option.
The following parameters can be provided when calling the scancode tool, all of which are optional:
Parameter | Description | Default Value |
sn:[name] | A session name that must be unique. If omitted, a unique ID will be generated and assigned | auto-generated ID |
hm:[name] | The Hunt Method to be used during the scan. If omitted, the default method will be used | appscan |
rb:[branch] | Sets a GIT repository branch | |
tfsv:[version] | Sets a TFS version | default |
tk:[trackername] | Sends vulnerabilities to a tracker after scanning. Can be combined with the -pfcond parameter | |
tk2:[trackername] | Same as above | |
tk3:[trackername] | Same as above | |
nr | Disables the report generation after scanning | |
or | Opens report after generation | |
rout:[filename] | Sets the report output filename and report format | Report_[session name].html |
rtpl:[name] | Sets the report template | Standard |
xout:[filename] | Sets the export output filename and report format | Export_[session name].xml |
xout2:[filename] | Sets a second export output filename and report format | Export_[session name].xml |
pfcond:[condition] | Sets a pass/fail condition to be reported | |
nv | Turns off verbose output. Errors and basic info still get printed | |
inc:[mode] | Sets the incremental scan mode | targetpref |
inctag:[name] | Optionally stores the incremental scan data within a tag | |
excp:[pathlist] | Excludes paths from the analysis (e.g.: -excp:/path/*,/path2/*) | |
refurl:[url] | Sets a URL associated with the current source code, for reference purposes only | |
noifa | Disables input filtering analysis | |
tml:[time] | Sets the maximum scan time limit (eg: 1d, 3h, 2h30m, 50m) | No limit |
about | Displays information on the current version of Syhunt | |
help (or /?) | Displays the list of available parameters | |
Syhunt's unique gray-box/hybrid scanning capability allows it to scan the application's source code first, acquire important information about it, and then use that information to try to dynamically confirm flaws (XSS, File Inclusion, SQL Injection, Command Execution, etc).
Follow along with this guide to learn how to perform a hybrid scan and generate a vulnerability report.
At the end of the scan, you can click Generate a Report to save the results as an HTML report or in any other preferred format.
The next time you perform a scan, there is no need to check Edit site preferences (unless you want to modify the settings or assign a different source code folder).
scanurl [starturl] -hm:[huntmethod] -srcdir:"[SourceDir]" -gr
Example: scanurl localhost -hm:appscan -srcdir:"C:\WWW\Docs\" -gr
Note: if you already entered the source code directory for the target host using the Syhunt Hybrid GUI in a past scan it is not necessary to assign it again using the -srcdir parameter.
Syhunt ScanURL tool reports are automatically generated and saved if the -gr parameter is provided. You can also open the session by launching Syhunt and using the Menu -> Past Sessions option.
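The scanurl and scancode invocations documented above (the dynamic scan CLI, the source code scan CLI and the hybrid scan CLI) are easy to get subtly wrong in automation: an IPv6 start URL must be bracketed, session names must be unique, and report/export filenames are conveniently derived from the session name. The following POSIX shell helpers, added here as an example and not part of the Syhunt documentation or product, assemble command lines from the documented parameters and only print them, so they can be checked before being run. The -excp path list, the 2h time limit and the session-name scheme are assumptions chosen for illustration; the scanurl and scancode executables are assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not Syhunt's own code): helpers that build scanurl / scancode
# command lines from the parameters documented on this page. They print the
# command; pipe it to `sh` (or use eval) to actually run the scan.

# Turn a host or URL into a Start URL. A bare IPv6 literal (contains ':' and no
# scheme) is wrapped in square brackets, as required by the IPv6 note above.
# Inputs that already carry a scheme or brackets are returned unchanged.
syhunt_target_url() {
    host="$1"
    case "$host" in
        http://*|https://*|*\[*) printf '%s\n' "$host" ;;
        *:*) printf 'http://[%s]/\n' "$host" ;;   # IPv6 literal -> bracketed
        *) printf 'http://%s/\n' "$host" ;;
    esac
}

# Dynamic scan: unique session name, appscan method, DoS tests disabled (-nodos),
# a 2h time limit, and report/export files named after the session.
# Optional 3rd argument = source code folder, which turns this into a hybrid scan
# (adds -srcdir and -gr, per the Hybrid Scan CLI section).
build_scanurl_cmd() {
    url=$(syhunt_target_url "$1")
    session="$2"
    srcdir="$3"
    cmd="scanurl $url -sn:$session -hm:appscan -nodos -tml:2h -rout:Report_$session.html -xout:Export_$session.xml"
    if [ -n "$srcdir" ]; then
        cmd="$cmd -srcdir:\"$srcdir\" -gr"
    fi
    printf '%s\n' "$cmd"
}

# Source code scan of a Git repository: branch selection (-rb), exclusion of
# vendored/third-party paths (-excp, assumed paths), report named after session.
build_scancode_cmd() {
    repo="$1"
    branch="$2"
    session="$3"
    printf 'scancode %s -rb:%s -sn:%s -hm:appscan -excp:/vendor/*,/node_modules/* -rout:Report_%s.html\n' \
        "$repo" "$branch" "$session" "$session"
}

# Usage (prints the commands; session name built from the date for uniqueness):
# build_scanurl_cmd 2001:4860:0:2001::68 "nightly_$(date +%Y%m%d)"
# build_scanurl_cmd localhost "hybrid_$(date +%Y%m%d)" "/home/user/www/"
# build_scancode_cmd https://github.com/user/repo.git master "ci_$(date +%Y%m%d)"
```

Keeping the session name in one variable and deriving -rout and -xout from it means the Past Sessions screen, the HTML report and the XML export all line up for a given scheduled run, which simplifies both archiving and tracker integration.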
Hunt Method | CLI name | Brute F. | Injection | DoS | Time-Con. |
Application Scan (Default) | appscan | Y | Y | Y | N |
Application Scan (Server-Side Focused) | appscanss | Y | Y | Y | N |
Structure Brute Force | structbf | Y (Deep) | N | N | Y (Very) |
Old & Backup Files | fileold | Y | N | N | Y |
Fault Injection | faultinj | N | Y | Y | N |
Top 10 (OWASP) | top10 | N | P (TOP10) | Y | N |
Top 10 Mobile (OWASP) | top10mob | N | P (TOP10MOB) | N | N |
Top 25 (CWE) | top25cwe | N | P (TOP25) | Y | N |
Top 5 (OWASP PHP) | top5php | N | P (TOP5) | N | N |
Cross-Site Scripting | xss | N | P (XSS) | N | N |
SQL Injection | sqlinj | N | P (SQL) | N | N |
File Inclusion | fileinc | N | P (FI) | N | N |
Unvalidated Redirects | unvredir | N | P (UR) | N | N |
Malware Content | malscan | P (Malware) | P (Malware) | N | N |
Passive | passive | N | N | N | N |
Spider Only | spider | N | N | N | N |
Complete Scan | complete | Y | Y | Y | Y (Very) |
Complete Scan, No DoS | compnodos | Y | Y | N | Y (Very) |
Complete Scan, Paranoid | comppnoid | Y (Deep) | Y | Y | Y (Very) |
Key: Y = Yes, N = No, P = Partial
A Yes means that extra checks and attack mutations will be performed and the number of checks will be influenced by the number of directories found during the spidering stage.
The Application Scan method is the default scan method in Syhunt. If you want to use a different scan method, you will be able to select one of the following options:
Identifies flaws in custom web applications, web server software and third-party components. This scan method crawls the web site and performs attacks against the web site structure and the web applications. This includes looking for fault injection vulnerabilities such as XSS, SQL Injection, File Inclusion, and more.
A structure brute force will check for:
The number of checks is influenced by the number of directories found during the spidering stage.
Executes extension checking around the mapped web site structure.
Scans specifically for the OWASP Top 10 2017 vulnerabilities:
Scans specifically for the 2019 CWE Top 25 Most Dangerous Software Errors.
See the full list at: https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html
Scans specifically for the OWASP Top Five List of PHP Vulnerabilities:
Scans specifically for fault injection vulnerabilities. If this scan method is selected, all other checks that do not require injection are disabled, and Syhunt will then specifically check for SQL injection, XSS, file inclusion and similar flaws.
Scans specifically for XSS vulnerabilities, including DOM XSS.
Scans specifically for SQL & NoSQL Injection vulnerabilities.
Scans specifically for File Inclusion and Directory Traversal vulnerabilities.
Scans specifically for Unvalidated Redirect vulnerabilities.
Scans specifically for malware content, such as:
Maps the web site structure and reports vulnerabilities discovered without launching any kind of attacks, such as:
Maps the web site structure without testing or reporting any kind of vulnerability or weakness.
Scans for all kinds of web application vulnerabilities using all kinds of mutations and pen-tester methods, including Header Manipulation attacks. A Complete Scan can sometimes be very time-consuming when performed against a web server that has a large number of web folders and entry points.
Same as the Complete Scan, but with denial-of-service tests disabled.
Scans for all kinds of web application vulnerabilities using deep structure brute force and all kinds of mutations and pen-tester methods, including Header Manipulation attacks. This scan method can be very time-consuming, especially when executed against large web sites. It also performs triple-checking structure brute force, which applies to case-sensitive servers: Syhunt will try all file name case variants (all uppercase, all lowercase, leading capitals, etc).
Adding and configuring a scheduled scan is an easy task:
Firstly, you have to add an Email tracker:
At any time you can see the results of past and current scans and generate a report. Just launch the Syhunt Hybrid application and click the Past Sessions icon in the launcher toolbar.
See this document for how to start Syhunt from within third-party task schedulers, Jenkins and other launchers.
Before saving a report, you can change the language and add a logo that will be included with any generated reports from now on:
Now when you generate a report, it will contain your organization logo instead of Syhunt's logo.
If you do not agree with the risk level of a vulnerability that has been reported and want to change the risk level for any future scans, you can define a new one through this procedure:
Syhunt Hybrid (including its Community Edition) can be installed on 64-bit versions of Windows or Linux, but it is able to analyze applications designed for any target platform, including Android, Apple iOS and macOS, BSD, Linux, Windows, Solaris and Unix, independently of the platform it is run on.
* This does not include the space required to save scan session data, which varies depending on the website or source code being analyzed and the scan frequency.
** Unofficially supported OS: means that while the product has been successfully tested and the installation process has been documented, Syhunt does not provide technical support or assistance for issues related to the product's performance on that particular OS. If you choose to use the product with an OS that is not officially supported, you may encounter compatibility issues, errors, or bugs. Therefore, it is always recommended to use a supported OS to ensure optimal performance and compatibility with the product.
Officially Supported:
Ubuntu Server/Desktop 18.10 and later
CentOS 7.7 and later (Minimal or Everything)
Unofficially (Successfully Tested):
Kali Linux 2019 and later
Parrot OS 4.1, 4.7 and later
Debian 9.11 and later
Linux Mint 19.2 and later
OpenSUSE Leap 15.1 and later
Fedora 32
MX Linux 19.1 and later
KDE Neon 2020.03 and later
Deepin 15.9
Manjaro 19
Arch Linux 2019 and later
Unsupported:
Elementary OS 5.1 (Successfully Tested), 5.0 (Unsupported)
CentOS 6.1 (Successfully Tested)
Solus 4.1 (Unstable)
For additional product documentation, visit syhunt.com/docs