From What's New in Syhunt 6.9.17, the Hybrid Vulnerability Scanner

News:

Syhunt Hybrid 6.9.17 adds dashboard integration and false-positive free checks

We are happy to announce the release of Syhunt Hybrid 6.9.17. which adds the ability to automatically connect to security dashboards like OWASP DefectDojo and Faraday to submit DAST and SAST scan results. The security dashboard allows teams to keep track of vulnerability alerts generated by Syhunt and manage their attack surface from a single, central place while automating and accelerating key steps of their application vulnerability management. The new dashboard integration can be enabled in seconds and with just a few clicks and input or if you prefer, through the CLI, with a few commands, as explained in the documentation below.

In addition to the new integration features, Syhunt 6.9.17 comes with time-based injection checks that now have a 0% false positive rate - time-based checks usually generate a high number of false positive in other tools, so this represents a milestone and breakthrough that complements the already highly accurate Syhunt engine. The false-positive free enhancement applies to a large number of checks in Syhunt Dynamic, including: Code Injection, Expression Language Injection, NoSQL Injection, Remote Command Execution and SQL Injection checks.

• Integrating Syhunt with DefectDojo (available)
• Integrating Syhunt with Faraday (coming next)

Improvements in Version 6.9.17

• Added integration with two appsec dashboards: DefectDojo & Faraday. Syhunt is now able to automatically submit vulnerabilities to the above mentioned dashboards.
• The CLI parameters -etrk and -si have been deprecated and will be removed in the future. Please use the new -tk, -tk2 or -tk3 parameters instead. For example, -etrk:trackername -esbj:"My Subject" should be replaced with: -tk:"trackername?subject=My Subject"
• Removed the parameters -er and -esbj from the CLI. The email subject must now be passed using the -tk parameter as explained above.
• Added short alias for pass/fail conditions: low, medium and high.
• Improved time-based injection checks, now with 0% false positive rate for Code Injection, Expression Language Injection, NoSQL Injection, Remote Command Execution and SQL Injection.
• Added an option to view a list of breached subdomains and their status in Syhunt Breach.
• Additional spider optimizations.
• Allow to select trackers to be notified from the scheduled scan preferences dialog.
• Allow to enable fail condition with a single click from the scheduled scan preferences dialog.
• Simplified report and export generation.
• Improved scheduled scan preferences dialog.
• Improved results for C and Java code scan of larger codebases using default scan method.
• Improved setup application.
• Improved accuracy and simplified SSL/TLS check in Dynamic.
• Additional entry point detection for JS-based applications in Dynamic.
• Faster injection checks during application scan.
• Updated OpenSSL binaries.
• Fixed: long delay happening sometimes when applying an update.
• Fixed: long delay when loading Past Sessions screen or generating a report after scanning a very large source code base with Syhunt Code.
• Fixed: XSS false positive cases (affecting check #207 and #228) in Dynamic.
• Fixed a hardcoded password false positive.

Happy bug and breach hunting!