What's New in Syhunt 6.9.3

November 3, 2020

Syhunt Hybrid and Community 6.9.3 extends its TypeScript analysis, accelerates SAST and more

In August we announced 3x faster incremental scans. Now we are proud to introduce version 6.9.3 of Syhunt, which extends static analysis of TypeScript code, adds 5x faster source code scans and faster analysis of JavaScript code, includes Huntpad 2.0, as well as introduces a large number of enhancements that translate to improved DAST and SAST accuracy and performance. Version 6.9.3's focus is once again JavaScript and the MEAN stack - last year Syhunt added a large number of vulnerability checks tailored for MongoDB, Express.js, Angular (v2 and higher), AngularJS, Node.js, Koa.js and jQuery and initial code support for TypeScript. Now we took it to the next level.

Whether your TypeScript code transpiles to client-side browser or server-side JavaScript, Syhunt 6.9.3 is now equipped to perform its security analysis through its SAST capabilities and uncover vulnerabilities, weaknesses and quality issues before the code is compiled to JavaScript.

New Code Checks & Improvements

  • Around 5x faster code scans, and optimizations to accelerate scans of JavaScript code.
  • Greatly extended and improved TypeScript checks and analysis.
  • Greatly improved SAST of Ruby, ASP (classic) and JavaScript web apps (additional accuracy and checks). Improved auto-detection of JavaScript type.
  • Improved input validation analysis in a variety of languages, including ASP and JavaScript web apps.
  • Added Affected Variable(s) to vulnerability properties dialog and report, and improved variable usage analysis.
  • Added list of unsupported files to coverage section in report.

Huntpad 2.0 - The Bug Hunter's Notepad

Two years after the first release of Syhunt Huntpad, we're excited to release Huntpad 2.0 x64 with various new additions and improvements, including a secure random password generator and the out-of-the-box ability to execute scripts in 12 different programming languages, including various JavaScript engines and TypeScript. Why so many languages? Every code reviewer, bug hunter and penetration tester knows that it is very useful to have a way of quickly testing small pieces of code and scripts before trying them on a real target environment.

Other Improvements and Changes

  • Improved Syhunt Dynamic spidering - Improved JS analysis, improved JS string handling and improved handling of forms with multiple submission methods. Improved JS parser loading under Linux.
  • Faster Dynamic scans - Faster unvalidated redirect and OAST checks and faster CWE Top 25 and OWASP Top 10 scans.
  • Added the Application Scan (Server-Side Focused) hunt method, which allows scanning for server-side vulnerabilities only.
  • Added unique check ID for checks in Dynamic and Code check base.
  • Added ISO/IEC 27001 compliance report.
  • Added detection of new Node.js-based web backdoors and fixed a false positive case of JS shell.
  • Improved Issue Tracker integration - Allow comma-separated emails in To field when configuring an email-based issue tracker. Fixed: scheduled scan report not being emailed under two specific circumstances.
  • Improved incremental cache history loading.
  • Fixed: session and report display of hunt method name of a scan started by Syhunt Code.
  • Fixed: IP not being properly recognized in web log during web log scan in Syhunt Insight.
  • Goodbye to the 32-bit era - From now on, only the 64-bit version of Syhunt will be available.

We hope you enjoy the new release!