2024 | 2023 | 2022 | 2021 | 2020 | Archive

December 18, 2011

Sandcat Pro 4.2.8 adds NoSQL Injection detection - Sandcat Pro 4.2.8 — released today — adds techniques for detecting vulnerabilities in web applications using NoSQL database engines and web systems supporting server-side JavaScript execution. This includes NoSQL injection, blind NoSQL injection & Denial-of-Service vulnerabilities.

At the same time, we are releasing enhanced versions of the Sandcat Code scanner with source code checks for these specific vulnerability classes, and publishing an article (Time-Based NoSQL Injection, available here) that highlights additional risks involving server-side JavaScript execution not restricted to NoSQL database engines.

The advent of Big Data and Cloud Computing is driving adoption of NoSQL in the enterprise. Because of this, NoSQL-related vulnerabilities are expected to become much more widespread [1].

December 2, 2011

Syhunt enhances its code scanners, adds support for Perl & Python - Today we're releasing version 4.2.7 of Sandcat Pro Hybrid. This new version comes with a new, significantly enhanced version of our ASP/ASP.NET code scanner, which provides greater accuracy in detecting source code flaws, and also brings major new and much-requested features such as the support for Python and Perl source code scanning.

The long-awaited first release of Sandcat for Python supports Python CGI, WSGI, Mod_python, PSP and Django web applications. Both Sandcat for Perl and Sandcat for Python come with an initial set of XSS, SQL Injection, Arbitrary File Manipulation & Command Execution checks, which we plan to expand further in future releases.

Below you can find an up-to-date list of the languages currently supported by Sandcat Pro Hybrid.

  • White-Box (Source Code Scan) - ASP, ASP.NET, HTML, JavaScript, Perl, PHP & Python/PSP.
  • Black-Box (Remote Scan) - HTML5, JavaScript/AJAX, Flash, Silverlight, any server-side scripting platform & any web server platform.

For more details about supported technologies, see: Technologies & Languages

October 7, 2011

Syhunt releases Sandcat for PHP 2.4, adds several new checks - The Sandcat 4.2.6 update, released today, comes with a new, enhanced version of the Sandcat PHP source code security scanner. The new code scanner version adds 87 new checks, which specifically improve the detection of Arbitrary File Manipulation and Command Execution vulnerabilities, and expanded input filtering analysis.

With this update, Sandcat for PHP now includes a total of 217 checks. The checks cover several web application security vulnerability classes (fhe full list is available here), most of which are part of the OWASP Top Ten [2] and PHP Top 5 lists [3].

This new update is now available free of charge to all Sandcat Pro users.

Become a Sandcat Pro user and hunt your security bugs using our state-of-the-art web application security assessment software.

August 3, 2011

Top position in benchmark confirms Syhunt Sandcat as a leading web application security scanner - The open source project WAVSEP just released the results of their latest benchmark (WAVSEP 2011, available here), revealing some very interesting findings about both commercial, free and open source automated web application security scanners. The WAVSEP 2011 comparison is even more comprehensive than the last one. This time a total of 60 tools were included.

First, it confirms that Sandcat 4 has the best remote XSS vulnerability detection rate in the market - #1 when the Free Edition of Sandcat is compared with other free and open source tools & #2 when Sandcat Pro is compared to other commercial tools such as IBM AppScan, HP WebInspect and others. Sandcat Pro, AppScan and ParosPro top the WAVSEP benchmark charts with 100 percent or near-100 percent XSS detection rates.
As of today, XSS is number 2 in the PHP Top 5 vulnerabilities [4].

Second, it also confirms that Sandcat is one of the most feature-rich remote web application security scanners available to date and one of the few that also include static source code analysis capabilities (Comparison of Advanced Features ).


Like last year, the WAVSEP project environment, containing hundreds of scenarios/vulnerable web pages used to produce the tests, was made available open source to the information security community through the Google Code website at http://code.google.com/p/sectooladdict-benchmarks/.

The Sandcat product will continue to evolve to meet the growing needs of pen-testers. Last week we released Sandcat 4.2.5. This new version evolved to detect additional blind SQL injection variants. A new, improved version of our source code security scanner is also on its way. The new updates will be available free of charge to all Sandcat Pro users.

June 22, 2011

Sandcat 4.2.3 adds enhanced SQL Injection detection - Sandcat 4.2.3 — released today — adds new techniques for detecting blind SQL Injection vulnerabilities. This update is the latest in a series of enhancements that have made Sandcat even more effective at detecting SQL Injection vulnerabilities.

"We are monitoring the current wave of cyber attacks very closely and this time we added to Sandcat a number of obscure but very effective techniques that hackers are using to quickly spot blind SQL Injection vulnerabilities on web applications", says Felipe Aragon, CEO of Syhunt. "We plan to continue adding new techniques as they surface".

Sandcat is able to detect SQL Injection vulnerabilities both remotely and locally, via automated source code analysis. Its SQL Injection checks have been tailored to cover MySQL, Oracle, PostgreSQL, Microsoft Access, Microsoft SQL Server, SQLite, Firebird, Sybase and many other databases.

Become a Sandcat Pro user today and quickly locate your web application security vulnerabilities.

May 17, 2011

Sandcat Pro 4.2 adds browser bot crawling technology & Flash support - With the 4.2 release of Sandcat Pro, we added a browser bot crawling technology and Flash support, boosting its web application security scanning capabilities even more.

Developed by Syhunt and powered by Chromium, the Sandcat Browser Bot provides complementary analysis and additional capabilities during the automated or manual crawling/spidering of your Web application. Among the new enhancements is Flash support - with this new feature, Sandcat can now analyze Flash applications looking for both links to follow and parameters to manipulate.

In the next couple of days, we will be publishing a series of tutorials on how to use the new features (if you are a registered Sandcat Pro user, you will receive them by email). Not registered? You can become a registered Sandcat Pro user here.

May 12, 2011

Sandcat now twice as fast to scan source code for vulnerabilities - Sandcat 4.2.1, released today, includes several optimizations. The new version is twice as fast as previous versions to scan the source code of web applications for vulnerabilities and has a faster crawling speed.

The new version also adds support for the next generation of cascading style sheets: CSS3. As the web evolved, Sandcat evolved with it, adding support for modern web and browser technologies such as process isolation (multi-process architecture), PHP, HTML5, JavaScript execution, AJAX (XHR), CSS 2.1 and now it is also CSS3 compatible.

"We are very much engaged in putting Sandcat on par with the latest browsers when it comes to web technologies support. In order to identify web application security vulnerabilities, Sandcat must 'understand' these technologies and sometimes fully emulate them" says Felipe Aragon, CEO of Syhunt. "We plan to continue adding support for new technologies as they emerge, as well as to continue optimizing our assessment technologies."

The full list of web technologies supported by Sandcat is available here.

April 11, 2011

Syhunt unveils new enhancements to Sandcat 4 - We are proud to announce that Sandcat 4.2 is finally out and it contains a powerful set of enhancements. The user interface we unveil today comes with a built-in pen-test oriented web browser, new configuration screens, a more flexible extension system, among other enhancements that make Sandcat both more user friendly to all users and comprehensive when it comes to helping security professionals perform manual tests. Please find all major improvements below.

What's New in Sandcat Pro (4.2)

  • Built-in web browser - Sandcat's browser comes with a set of features that is particularly useful for pen-testers and code reviewers, such as CatSense™ (which offers instant page analysis information), gray box analysis, request editing/replay capabilities, manual crawling, spider cache integration, and uses Google's Chromium, the same engine that powers the Chrome browser, to display web pages.
  • Sandcat Browser - a pen-test oriented multi-tabbed web browser with extensions support (screenshot).
  • New UI extensions system - We expanded the use of the Lua language in Sandcat 4.2. Sandcat's new user interface extensions are mainly HTML and Lua-based, making it very easy to build user extensions.
  • New SQL Injection checks and other checks - The 4.2 database includes a set of Blind SQL Injection checks covering several types of databases. Since the 4.0 release last year we added to Sandcat 2488 new checks for vulnerabilities affecting known web applications, and several checks for SQL Injection (Error-Based & Blind), XSS, File Manipulation, File Inclusion, HTTP Response Splitting (HRS) and Command Execution vulnerabilities aimed at custom web applications.
  • Design and usability enhancements - Sandcat 4.2 includes new, redesigned configuration screens, reorganized toolbars, and a new and more intuitive way to start scans.

Note: Sandcat Pro 4.2 is only available to registered users.

Not registered? You can become a registered Sandcat Pro user here.

January 17, 2011

WAVSEP scanner comparison shows Sandcat 4 scores better than any other tools at detecting XSS flaws - Today we announce that Sandcat scored a near 100 percent XSS detection rate in the independent web application scanner XSS detection accuracy tests produced by Shay Chen, an application security consultant, as part of the Web Application Vulnerability Scanner Evaluation Project (WAVSEP). Sandcat detected 100% (33 of 33) of the GET-based XSS vulnerabilities and 96% (32 of 33) of the POST-based vulnerabilities. Other black-box scanners covered in the tests scored below 63% (missed almost 40% of the vulnerabilities), and many, including popular open source tools, scored near or below 30% (full details can be found here ).

Shay Chen's comparison is the most comprehensive ever made (a total of 43 tools were included). According to the security expert, previous comparisons in the field were unable to cover free and open source scanners, leaving them "in an uncharted territory". "Which tool is the best? Is there one that surpasses the others? Can there be only one? I decided to find out...", Chen said in his comparison.


The high Reflected XSS detection rate that Sandcat produces comes with a black-box false positive filtering that, according to the results, still can evolve. "Sandcat's XSS detection ratio was the best I've seen, and even tough it had a number of false positives, it still detected instances that no other tool did.", Chen said. Sandcat's unique white-box (source code) scanning capabilities, which can provide complementary details about vulnerabilities detected in web applications, was not covered in the tests.

Sandcat now tops the WAVSEP Active Scan Features Comparison and the Complementary Scan Features Comparison alongside W3AF, listed as one of the most feature-rich scanners. Sandcat also excelled at identifying an additional large set of 80 error-based SQL Injection vulnerabilities (detected 100% of the vulnerabilities, both GET-based and POST-based). Recently we added enhanced SQL Injection detection to Sandcat 4.1 covering several types of databases.

The WAVSEP project environment, containing hundreds of scenarios/vulnerable web pages used to produce the tests, was made available open source to the information security community through the Google Code website at http://code.google.com/p/wavsep/.

These results, allied with the positive feedback we've been receiving from customers, tells us Sandcat has come a long way and it keeps on getting better and better after every release. Throughout this year, Sandcat will continue to evolve and expand to defend against new rising web application security threats. The new updates will be available free of charge to all Sandcat Pro users.

Become a Sandcat Pro user today and start hunting your vulnerabilities.

Note: The 4.0 RC1 (preview release) stability issues that Shay Chen went through during his tests were also reported by customers and fixed in July by the 4.0 final product release.

January 6, 2011

Sandcat 4.1 Update 2 adds checks for the PHP floating point DoS and other 220 flaws; 4900 flaws researched last year - We are back with a new update to Sandcat. Sandcat Pro adds checks for the PHP floating point DoS vulnerability discovered by Rick Regan and reported on January 3, 2011, and other 220 vulnerabilities disclosed last December.

As it has been pointed out, a simple GET or POST request containing the 2.2250738585072011e-308 numeric value (or equivalent forms) to a vulnerable web site can kill the target web server. A fix for the vulnerability has been already released (details can be found here) and there's an entry for it at Bugtraq (which can be accessed here). We've added a detection check for this vulnerability to Sandcat's Denial of Service Checks category.

As we begin 2011, thanks to everyone who supports and enjoys our security tools. Last year Sandcat has evolved to encompass a large number of web application security needs. We also have been able to research over 4900 web vulnerabilities, which we turned into vulnerability checks. As this is written, new updates are on the way that are going to take the Sandcat tools to new levels this year. They will be available free of charge to all Sandcat Pro users.

Ensure your web application vulnerabilities are discovered. Become a Sandcat Pro user today.