
November 19, 2010

Sandcat and the OWASP Top 10 2010 - The Open Web Application Security Project (OWASP) released the 2010 version of their Top 10 Critical Web App Security Risks document - congratulations to the OWASP project for raising awareness of the importance of application security risks. The updated OWASP document highlights SQL injection as the number one problem facing web applications today, followed by cross-site scripting. It is hugely important to find and fix SQL injection flaws before they lead to system compromise (Sandcat Pro 4.1, released this month, adds enhanced SQL Injection detection). Since its founding, Syhunt has been expanding Sandcat's database periodically to add new checks. As a result, Sandcat scans thoroughly for the vulnerability classes listed in the document. Organizations are invited to use our Sandcat tool as part of their web application security testing process, rapidly detecting and effectively avoiding these security risks.

November 8, 2010

Sandcat Pro 4.1 release adds enhanced SQL Injection detection - Today we released Sandcat Pro 4.1. The new version includes significant updates to the tool. Similarly to last month's Sandcat for PHP update, which focused on the detection of SQL Injection vulnerabilities via static source code analysis, this time we put a major effort into enhancing remote SQL Injection detection and expanding Sandcat's already extensive check database. We are pleased to tell you about the new improvements here:

What's New in Sandcat Pro (4.1)

  • Added several new remote SQL Injection checks (covering Access, DB2, Firebird/InterBase, Informix, MySQL, Oracle, PostgreSQL, SQL Server, SQLite, Sybase & Others).
  • Added 94 new vulnerability checks (Database updates for October 2010).
  • Added 471 new checks for Admin Pages.
  • Added new web backdoor checks.
  • Improved auto form filling and parameter manipulation.
  • Improved logout prevention.
  • Improved extension checking.
  • Improved syntax highlighting.

Not a Pro user? Upgrade to Sandcat Pro today and start hunting your vulnerabilities before a cybercriminal or someone else does.

October 25, 2010

Syhunt releases Sandcat for PHP 2.1 - Sandcat 4.03, released today, features new, enhanced versions of the Sandcat code scanners. Sandcat for PHP's database has been significantly expanded in this release to cover File Manipulation, HTTP Response Splitting (HRS) and SQL Injection involving several types of SQL servers. The recently introduced code scanners for ASP & JSP also evolved to include checks for additional vulnerability classes such as File Inclusion, Command Execution, SQL Injection and others (listed below). Version 4.03 also includes some minor user experience improvements.

What's New in Sandcat for PHP (2.1)

  • Added new Command Execution Checks.
  • Added several new SQL Injection checks (covering DB2, dbx, Firebird/InterBase, FrontBase, Informix, Ingres, MaxDB, mSQL, MySQL, Oracle, Ovrimos, PostgreSQL, SQL Server, SQLite, Swish & Sybase).
  • Added the first HTTP Response Splitting Checks.
  • Added the first Arbitrary File Manipulation Checks.
  • Added support for <script language="php">.
  • Added support for the echo shorthand.
  • Improved XSS Checks.
  • Improved File Inclusion Checks.
  • Improved support for PHP5.
  • Fixed some false negative cases.

What's New in Sandcat for ASP.NET (0.2 Beta)

  • Added new XSS Checks.
  • Added the first File Inclusion Checks.
  • Added the first Command Execution Checks.
  • Added the first HTTP Response Splitting Checks.
  • Added SQL Injection Checks.
  • Added several Arbitrary File Manipulation Checks.
  • Added support for <script runat="server">.

What's New in Sandcat for Classic ASP (0.2 Beta)

  • Added the first File Inclusion Checks.
  • Added the first Command Execution Checks.
  • Added the first HTTP Response Splitting Checks.

What's New in Sandcat for JSP (0.2 Beta)

  • Added new XSS Checks.
  • Added the first Command Execution Checks.

Other Improvements

  • Improved display of vulnerable code.
  • SandcatCS now displays a summary of results at the end of the execution.

October 7, 2010

Sandcat Pro adds ASP, ASP.NET & JSP code scanning capabilities - In addition to the support for scanning PHP code, which we have been expanding since 2008, Sandcat Pro Hybrid now features the ability to scan the code of web applications written in ASP Classic, ASP.NET and JSP (JavaServer Pages) for specific vulnerabilities. The first beta begins with a set of checks for XSS vulnerabilities, which we expect to expand, as we did with Sandcat for PHP, to cover several classes of web application flaws. The new product capabilities will be available free of charge starting next Wednesday to all Sandcat Pro Hybrid users.

September 9, 2010

Syhunt releases Web Version of Sandcat Pro Hybrid - Syhunt is happy to announce the release of the first beta preview of the web version of Sandcat, Sandcat for the Web. Built on top of mature web technologies and software and powered by one of the fastest scripting languages -- Lua -- Sandcat for the Web enables you to scan entire web sites and source code packages from anywhere you are and see if they contain a wide array of web application vulnerabilities. Sandcat for the Web is also cross-browser compatible (it can be accessed from any operating system through any major web browser) and engineered on top of HTML5, so Flash is not required to use it.

Syhunt plans to maintain both the desktop version and the web version of Sandcat. "We're currently maintaining many interfaces for Sandcat Pro Hybrid: the classic desktop UI, a modern UI with support for multi-threaded scanning, a console version and now the web interface. Four interfaces, three of which have a multi-process architecture," says Felipe Aragon, CEO of Syhunt. "Today's Sandcat scan engine can emulate the latest functionality present in web browsers while also optionally analyzing the source code of web applications, thoroughly testing them for vulnerabilities. We made it possible for users to submit a compressed source package (such as .tar.gz or .tar.bz2) using the web interface and have it scanned by Sandcat. It's really practical and unique in the web application security assessment realm."

The beta version of Sandcat for the Web is now available for Sandcat Pro Hybrid users. We hope you enjoy Sandcat for the Web as much as we do!

July 20, 2010

Syhunt releases Gelo -- a tool that can be used for creating web security audit tools/exploits - We are excited to announce the release of Gelo. Gelo is a tool that can be used for easily and quickly creating web security audit tools using the Lua language. Gelo/Lua will allow us to expand the functionality of our Sandcat security scanner more aggressively and others to create Gelo-powered security utilities that are independent of Sandcat.

July 6, 2010

Syhunt researched 29 thousand web vulnerabilities since 2002 - This week, we reached a total of 29 thousand web vulnerabilities researched (see: List of Known Vulnerability Checks in Sandcat). The way things are going, we expect to reach 50K before 2014. Most of the researched vulnerabilities are related to PHP applications and insecure CGIs. It is for this reason that Sandcat today comes with 10K (10006) PHP security checks and thousands of other checks. We are also committed to keeping Sandcat for PHP up-to-date with the most advanced source code analysis technology. Stay tuned as we plan to unveil new versions of our tools and additional web application security tools throughout the year.

April 14, 2010

Sandcat 4.0 adds ultra fast scans and expanded browser emulation feature set - After months of intense work, Syhunt is proud to introduce Sandcat 4.0. The new version brings enhanced JavaScript support, ultra fast scans, UI performance and usability improvements, additional stability, a console version and more.

What's New in Sandcat 4.0

  • Fast and ultra fast scans - Sandcat 4 provides significantly faster scans (500+ requests/sec when running a common web server scan).
  • Faster JavaScript execution.
  • Browser emulation expanded to five modes: Chrome, Firefox, IE, Opera and Safari. When changing the emulation mode you are changing more than the user agent. We are researching differences between the browsers and replicating them.
  • Greatly improved support for large web sites.
  • CatSense, a new feature that scans and displays in a new way relevant information about each page.
  • Improved overall stability when running in both multithreaded and non-multithreaded mode and when scanning JavaScript-enabled sites.
  • Lower CPU usage when scanning hosts.
  • SandcatCS, a console version of Sandcat 4.0, which allows control of the new features and scan methods.

We hope you enjoy this new release! Many thanks to the people who beta tested the new version and the organizations who support our work.

March 8, 2010

U.S. Department of Defense chooses Syhunt for Web Application Security - Syhunt is pleased to announce that the U.S. Department of Defense (DoD) has chosen Sandcat to automate web application security testing. Felipe Aragon, CEO of Syhunt, says: "We are very proud to be selected by the DoD to provide the WAS solution they require. Sandcat is specifically designed to proactively defend networks against the massive, wide range of sophisticated cyberattacks taking place at the Web application level, a need that the DoD and all government entities and companies today share. We look forward to working with the DoD."

Earlier, Syhunt announced its Sandcat web application security scanner had been selected by the U.S. National Oceanic and Atmospheric Administration (NOAA). Sandcat offers both remote security testing and source code analysis for web applications in one integrated tool -- an approach known as hybrid testing.

February 8, 2010

Sandcat Pro now performs gray box testing - This week we released Sandcat for PHP 2.0 and Sandcat 3.9.4. With this release you can finally use both products together. The integration means that the core UI functionality of Sandcat (extensions support, session reload, advanced report generation, etc.) is now available for Sandcat4PHP. It also means that now you can perform automated gray box testing. This refers to the ability to scan the application's source code first, acquire important information about it, and then try to remotely confirm flaws (XSS, File Inclusion, SQL Injection, Command Execution, etc.) by using this information. We are very happy to be the first web application security provider to offer this kind of next-generation functionality. When performing a web application security assessment, you can now choose among three different approaches: black box (remote scan), white box (source code scan) or gray box (the combination of both approaches), all of them able to uncover a wide variety of web application security vulnerabilities.
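As an added illustration of the source-code stage of the gray box approach described above (example code written for this page, not Sandcat's own checks), the following Python performs a minimal static taint pass over PHP: it records which request parameters feed a variable and flags any raw SQL query sink that receives one of them, which is exactly the information a remote confirmation stage would need. The PHP samples are constructed, and the source and sink lists are assumptions far narrower than a real scanner's.

```python
import re

# Constructed sample PHP sources (not Sandcat code): one handler concatenates
# request input into a raw query, the other uses a prepared statement.
SAMPLE_PHP = {
    "login.php": """<?php
$user = $_POST['user'];
$pass = $_POST['pass'];
$q = "SELECT id FROM users WHERE name='" . $user . "' AND pw='" . $pass . "'";
$r = mysql_query($q);
""",
    "search.php": """<?php
$term = $_GET["q"];
$stmt = $pdo->prepare("SELECT * FROM items WHERE name LIKE ?");
$stmt->execute(["%" . $term . "%"]);
""",
}

ASSIGN_RE = re.compile(r"^\$(\w+)\s*=\s*(.+);\s*$")            # $var = <rhs>;
SOURCE_RE = re.compile(r"^\$_(GET|POST|REQUEST|COOKIE)\[['\"](\w+)['\"]\]$")
SINK_RE = re.compile(r"\b(?:mysql_query|mysqli_query|pg_query|sqlite_query)\s*\(\s*\$(\w+)")
VAR_RE = re.compile(r"\$(\w+)")                                 # variables used on a rhs

def find_sqli_candidates(files):
    """Static taint pass: returns (file, line_no, query_var, sorted request params)
    for every raw-query sink whose argument derives from a request superglobal."""
    findings = []
    for name, src in files.items():
        tainted = {}  # variable name -> set of "METHOD:param" values it derives from
        for line_no, line in enumerate(src.splitlines(), 1):
            line = line.strip()
            m = ASSIGN_RE.match(line)
            if m:
                var, rhs = m.groups()
                s = SOURCE_RE.match(rhs)
                if s:
                    tainted[var] = {f"{s.group(1)}:{s.group(2)}"}
                else:
                    # propagate taint through concatenation / reassignment
                    inherited = set()
                    for v in VAR_RE.findall(rhs):
                        inherited |= tainted.get(v, set())
                    if inherited:
                        tainted[var] = inherited
            k = SINK_RE.search(line)
            if k and k.group(1) in tainted:
                findings.append((name, line_no, k.group(1), sorted(tainted[k.group(1)])))
    return findings
```

The prepared-statement handler in search.php produces no finding, while login.php yields the query variable and the two POST parameters that reach it.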

January 1, 2010

Happy 2010!
Dear Customers and Friends,
We wish you all a wonderful 2010! Happy New Year! Thank you all for all your support.

We expect to release a major upgrade of Sandcat (version 4.0) in the next couple of weeks. We still have intense work ahead before the new version is rolled out. Besides the introduction of some new ideas, the roadmap we presented to some of you during the last months remains intact. We will update you as soon as more info is available.