What's New in Syhunt Community
Version 22.214.171.124 (October 11, 2021)
- Added the OWASP Top 10 2021 compliance checks.
- Added the CWE/SANS Top 25 2021 compliance checks.
- Added checks for deprecated TLS protocol versions and insecure SSL versions.
- Added new WordPress-related spidering optimizations.
- Abort dynamic scan if the start URL is a static asset.
- Updated SSL code (this fixes some issues with binary transmissions).
- Fixed: removed the need for an admin permission request from the UI (added temporarily after a recent update).
Version 126.96.36.199 (August 12, 2021)
- Improved crawling rules.
- Improved insecure salting check to prevent false positive cases (SAST).
- Added a few extra entry points to complete scan paranoid hunt method (SAST).
- Fixed: Server-Side Request Forgery and HTTP Response Splitting false positives in Java (SAST).
- Fixed: a few Hardcoded Password and Unprotected Resource false positive cases (SAST).
- Fixed: Arbitrary File Manipulation and Write false positive cases in Java (SAST).
Version 188.8.131.52 (June 24, 2021)
- Allow updating preferences through command-line interface.
- Added compatibility with Doku wiki in Syhunt Dynamic.
- Added the -runcmd parameter to the scancore CLI tool with many available commands.
- Added the check category Use of Dangerous Obsolete Methods to Syhunt Code and moved Bad Practice checks related to use of deprecated or potentially dangerous methods and functions to it.
- Improved crawling rules.
- Improved issue tracker updating through CLI.
- Improved and documented the Syhunt Lua API.
- Updated security header checks in Syhunt Dynamic.
- Fixed: GIT URL in Azure DevOps Server not being accepted.
- Fixed: missing fatal error for SSL_ERROR_RX_RECORD_TOO_LONG in Dynamic.
- Fixed: a few false positive cases in Hardcoded Password and Unprotected Resources categories in Syhunt Code.
Version 184.108.40.206 (May 26, 2021)
- Added the ability to code scan Azure DevOps and TFS project URLs.
- Added the -excp CLI parameter in scancode, which allows specifying a list of paths to be excluded from the analysis.
- Warn when target repository URL is empty or invalid.
Version 220.127.116.11 (May 17, 2021)
- Improved enforcing of depth limit during crawling.
- Allow depth limit zero, which stops the spider from crawling pages beyond the first page.
- Fixed: depth limit option in Site Preferences dialog not reflecting the last state.
- Fixed: error when code scanning malformed UTF8 files.
Version 18.104.22.168 (May 10, 2021)
- Added TLS 1.3 support in Syhunt Dynamic and Code scans.
- Improved cookie management in Syhunt Dynamic.
- Improved vulnerability editing dialog opening.
- Fixed: internal links in table of contents not working in PDF report.
- Fixed: missing date/time in report for India region.
- Fixed: some temporary files not being removed from disk after scheduled code scan execution against GIT URLs.
Version 22.214.171.124 (February 8, 2021)
- Improved outdated software checks accuracy.
- Updated OpenSSL vulnerabilities.
- Fixed: control panel web backdoor false positive.
Version 126.96.36.199 (January 18, 2021)
This release fixes minor bugs and false positive cases in Syhunt Dynamic:
- Enabled Path Disclosure and Directory Listing checks as part of the Passive Analysis scan method.
- Reports now display link for multiple affected locations within a specific vulnerability entry (when available).
- Improved start URL path handling during structure brute force checks - this speeds up checks and fixes some false positive cases.
- Removed some redundant admin page alerts.
- Fixed: vulnerability progress bars in results tab now properly linked to the total of vulnerabilities per severity.
- Fixed: rare signature response loop during Remote Command Execution checks.
- Fixed: a false positive in Source Code Disclosure (ASP) check.
- Fixed: a false positive involving OpenSSL Library 1.0.2k-fips.
- Fixed: auto follow redirect option not being assigned when disabled in the Dynamic scan dialog.
- Fixed: HunterSense rule issue for detecting PHP 5.4.16.
Version 188.8.131.52 (January 11, 2021)
- Improved outdated script and version checks.
- Improved handling of corrupted compressed streams.
- Improved JS string analysis in Syhunt Dynamic.
- Added handling of certificate files during spidering in Syhunt Dynamic.
- Fixed: command execution false positive involving Unix's id command in Syhunt Dynamic.
- Fixed: offline assets in a website creating delay during Dynamic scans.
- Fixed: scrolling issue in some big report lists affecting Sandcat and Syhunt UI.
- Fixed: SQL injection false positive case when scanning C# source code (fix id C-1606780747-6823 in Syhunt Code).
- Fixed: OLE DB related false positive case when scanning C# source code in Syhunt Code.
- Fixed: spider loop situation involving Spring form in Syhunt Dynamic.
Version 6.9.4 (November 19, 2020)
- Re-enables automatic IP geolocation feature in Insight Log Analyzer.
- Improved outdated software checking (additional accuracy) in both Syhunt Dynamic and Syhunt Code.
Version 6.9.3 (November 3, 2020)
- Greatly extended and improved TypeScript checks and analysis.
- Added Affected Variable(s) to vulnerability properties dialog and report, and improved variable usage analysis.
- Improved Syhunt Dynamic spidering - Improved JS analysis, improved JS string handling and improved form handling of forms with multiple submission methods. Improved JS parser loading under Linux.
- Faster Dynamic scans - Faster unvalidated redirect and OAST checks and faster CWE Top 25 and OWASP Top 10 scans.
- Added the Application Scan (Server-Side Focused) hunt method, which scans for server-side vulnerabilities only.
- Added detection of new Node.js-based web backdoors and fixed a false positive case of JS shell.
- Improved incremental cache history loading.
- Fixed: session and report display of hunt method name of a scan started by Syhunt Code.
- Fixed: IP not being properly recognized in web log during web log scan in Syhunt Insight.
- Goodbye to the 32-bit era - From now on, only the 64-bit version of Syhunt will be available.
Version 184.108.40.206 (August 25, 2020)
- All Syhunt scans are now by default incremental scans, which means that scan data from previous scans against a specific target are automatically stored and used to speed up future scans.
- Allow incremental scan to be enabled or disabled from site preferences screen (enabled by default).
- Allow incremental scan data to be cleared from the Dynamic Targets list.
- Added the -inc parameter, which sets the incremental scan mode in the ScanURL and ScanCode CLI tools.
- Added check for SQUID-2020 Cache Poisoning Issue in HTTP Request processing (CVE-2020-15049).
- Allow columns to be sorted.
- Fixed: the status of a scan in progress being reported as Cancelled in the past sessions screen (bug introduced in 220.127.116.11 and now fixed).
- Fixed: a rare crash when generating a hash.
- Fixed: the Target column will display proper target name for new scans in the past sessions screen.
Version 18.104.22.168 (August 11, 2020)
- On Linux, please remember to uninstall Syhunt before installing the new version.
- CLI commands now use lowercase names (e.g. scanurl instead of ScanURL) on Linux.
- Allow setting custom repository branch in scancode on Linux.
- Improved cross-platform setup.
Version 6.9.0 (August 4, 2020)
- Added compatibility with Linux 64-bit. Syhunt CLI now runs on most Linux distributions and runs out-of-the-box on Kali Linux and Parrot Security OS.
- Allow by default complete export of preferences through menu -> Import & Export options with new .scpbak extension.
- Past Sessions now displays by default scans from the last 7 days and can be changed to display different periods from the toolbar. The new feature will only work for sessions generated by this version or later. You can still see older sessions by selecting View Sessions by Period -> All Sessions from the toolbar.
- HTML reports now include all required assets within the same file.
- Improved recon against start URL.
- Improved task management and setup application.
- Improved spider rules.
Version 6.8.6 (July 1, 2020)
- Revised extension checking and structure brute force with faster execution and improved accuracy.
- Added an option to stop scans from the sessions screen.
- Added CWE references to outdated checks.
- Improved ngx_lua support in Syhunt Code (additional checks).
- Fixed: outdated false positive involving latest mod_fcgid.
- Fixed: false positive cases in ASP.Net C# code (Syhunt Code) related to NoSQL Injection, Insecure Salting, Hardcoded Password and Command Execution Vulnerability.
- Fixed: crawling taking too long against specific Drupal installation (Syhunt Dynamic).
- New debug option eliminates the need to generate two debug files when sending debug info to Syhunt.
- Updated Catarinka library with improved string handling.
Version 6.8.5 (June 10, 2020)
- Fixed: a Permissive HSTS Header check false positive case.
- Fixed: Missing Content Sniffing XSS Protection false positive (X-Content-Type-Options).
- Fixed: a http-equiv related redirect handling issue case.
- Fixed: a TLS 1.2 handshake issue.
- Fixed: a bug in experimental IDS Evasion feature causing the request version to be set incorrectly.
- The OpenSSL library was upgraded.
Version 6.8.4 (May 21, 2020)
- Fixed: a browser behaviour issue involving hashtag usage in Syhunt Dynamic.
- Fixed: Vulnerable Code section in reported vulnerability sometimes displaying vulnerable portions polluted in Syhunt Code.
- Fixed: invalid license error in reports generated by Syhunt Community.
- Added missing vcruntime140.dll dependency - this fixes an error message when opening dialogs in a specific situation.
Version 6.8.3 (May 1, 2020)
- Improved fingerprint, including the ability to guess the server software version.
- Added checks for vulnerabilities in various outdated server software and components.
- Moved crawling depth limit option to the Site Preferences screen.
- Changed default browser emulation mode and user agent to Chrome.
- Fixed: re-scan source button not working in Syhunt Code toolbar since update 6.8.1.
- Fixed: crash during outdated code check when scanning known third-party script.
- Report generation now runs in an isolated task.
Version 22.214.171.124 (April 7, 2020)
- Faster fault injection testing in websites with large number of POST-based forms.
- Improved relative path handling (overly long and POST URLs).
- Improved fingerprinting (index).
- Fixed: typo in newly introduced CWE Top 25 and OWASP PHP Top 5 hunt method names preventing them from working.
Version 6.8.2 (April 2, 2020)
- Added the ability to scan the source code of web applications in Ruby (Rails and ERB) for security bugs with coverage for over 19 vulnerability categories, including: Cross-Site Scripting (XSS), SQL Injection, Arbitrary File Manipulation, Code Injection, Command Execution, Unvalidated Redirect and many more.
- Added two new scan methods: CWE Top 25 and OWASP Top 10, which scan specifically for the 2019 top 25 most dangerous software errors and the 10 most critical web application security risks.
- Improved parsing of Python code.
- Updated the application icon.
Version 6.8.1 (March 6, 2020)
- Added the ability to scan a single source code file from the New Scan dialog.
- Fixed: some redundant reporting of remote file inclusion vulnerabilities.
Version 6.8 (January 27, 2020)
- Added dozens of checks for missing protection measures against attacks like clickjacking, content-sniffing XSS and others. This includes checks for missing or weak HTTP security headers, permissive HTTP Strict Transport Security (HSTS) policy, the use of deprecated policies and more.
- Added 184 new security code checks targeting Swift and Objective-C, the primary iOS development languages.
- Added additional XSS cases to Android checks.
- Added new outdated Angular vulnerability checks (Prototype Pollution, DoS and multiple XSS vulnerabilities) in Syhunt Code.
- Added syntax highlighting of C/C++ files and analysis of C/C++ header files.
- Added new crawling optimizations for heavily dynamically generated web sites in Syhunt Dynamic.
- Added the ability to import targets and bookmarks from CSV and list files.
- Improved auto form filling of dynamically adjusted fields in Syhunt Dynamic.
- Expanded the brute force against the structure of the Start URL path in Syhunt Dynamic.
- Fixed: a Start URL redirect handling bug involving relative paths and improved an additional case of JS redirect handling in Syhunt Dynamic.
- Fixed: CVE reference not appearing for specific check groups in Syhunt Dynamic.
- Fixed: false positive involving version number and hardcoded resource check in Syhunt Code.
- Changed the date/time format in the Past Sessions screen and report for better visualization.
- Fixed: the user interface not highlighting when Git for Windows needs to be installed or when other fatal errors occur.
- Fixed: Canceled scans sometimes being listed with Scanning as status in the Past Sessions screen.
Version 6.7 (September 17, 2019)
- Enabled all code checks (though the details of High-rated and specific Medium-rated vulnerabilities are only available in the professional editions of Syhunt).
- Added SAST support and checks for mobile (iOS and Android) apps. This includes support for the programming languages Objective-C, C, C++ and Swift.
- Added many new and improved SAST checks for Java.
- Improved code vulnerability detection accuracy and vulnerable line detection precision.
- Improved insecure randomness checks (additional checks) in Syhunt Code.
- Improved multi-language source code parsing.
- Improved automated web form login (alternative schemes) in Syhunt Dynamic.
- Improved spidering of heavily dynamically generated web stores.
- Minor optimizations for WordPress-based websites in Syhunt Dynamic.
- Additional entry point coverage and input filtering/validation analysis in Syhunt Code.
- Allow ignoring specific vulnerabilities in the Site Preferences and Code Scanner Preferences screens.
- Improved session status and icons in session manager.
- Fixed a few bugs and false positives:
  - GIT for Windows 64-bit not being detected by Syhunt Code.
  - Improved hardcoded resource checks (eliminating some common false positives) in Syhunt Code.
  - Improved insecure salting checks (fixed two false positive cases) in Syhunt Code.
  - Fixed: an overly-broad path rejection rule in spider.
  - Make user check preferences overwrite hunt method check preferences in both Syhunt Dynamic and Syhunt Code.
  - Error message involving options table when trying to add target to the Dynamic Target list.
Version 6.6 (June 3, 2019)
- Added the ability to start a scan against a website after manually logging in (when you start a Dynamic scan from within the Sandcat Browser the tab session data is used as part of the scan).
- Added SAST support, optimizations and checks for AngularJS-based web apps.
- Added SAST support and checks for Angular-based web apps (v2 and higher).
- Added SAST support and checks for Electron-based apps.
- Added the ability to scan GIT repositories via user interface, and to create and manage a list of favorite target repositories.
- Added support for Azure Repos using GIT.
- Improved HTTP/HTTPS protocol and SSL support (fixed: connection reset by peer error when trying to scan some websites) in Syhunt Dynamic.
- Added option to auto follow off-domain redirect in Start URL (enabled by default in GUI and CLI).
- Ask about off-domain URL redirect when defining a dynamic target.
- Added additional Joomla-specific optimizations in Syhunt Dynamic.
- Added View Vulnerabilities option to Dynamic and Code menu bars.
- Improved spider (handling of redundant form sections).
- Improved handling of popups in Sandcat Browser.
- Improved input dialog for adding Dynamic targets.
- Canceling the site preferences screen before starting a scan cancels the scan.
- Reverse list in session manager (recent sessions first).
- Fixed: inability to properly pin app to the Windows taskbar.
- Fixed: UI folder tree insertion bug related to hidden files in Syhunt Code.
- Fixed: footer user notes not being added to report when generating one.
- Fixed: session status not being updated to Canceled after a scan has been manually stopped via UI.
- Fixed: SQL Injection toolbar menu option mapping to invalid hunt method in Syhunt Code.
- Fixed: a false positive involving a SQL Injection protection filter not being recognized in Syhunt Code.
- Fixed: a false positive involving authentication bypass check in Syhunt Dynamic.
- Fixed: a false positive involving non-standard autocomplete attribute value in Syhunt Dynamic/Code.
- Fixed: sidetree sometimes not properly loading item after switching between simultaneous scan tabs.
Version 6.5 (December 26, 2018)
- Added a revamped vulnerability details dialog with editing capabilities.
- Added the Dynamic Targets screen to the launcher, which allows managing a list of common target URLs. You can access it through the purple bookmark icon in the Launcher toolbar or the New Scan dialog.
- Added Rails framework, WII framework and WordPress related optimizations.
- Added the ability to import and export a scan session from/to a file.
- Added additional scan progress info to the results tab.
- Reviewed hunt methods Malware Content and Structure Brute Force and enabled additional checks. Improved extension checking and structure brute force checks and fixed a false positive case.
- Improved fingerprinting and added detected languages and OS type to reports.
- Improved spider (improved web site caching and mapping).
- Improved compatibility with source control systems (GIT and SVN) in Syhunt Code.
- Reclassified dynamic XSS risk based on CVSS3 score.
- This release comes with the latest Syhunt Sandcat browser updates and drops support for Windows Vista:
  - Added the ability to import/export/clear bookmarks.
  - Confirm exit when tasks are running.
Version 6.4 (October 17, 2018)
- Revamped launcher screen.
- Added additional password file disclosure checks.
- Added Joomla-specific optimizations.
- Added Nginx support in Syhunt Insight.
- Improved spidering (additional link extraction and improved relative path handling).
- Combined link list with additional details into new Coverage report section.
Version 6.3 (September 8, 2018)
- Added full support for CVSS (Common Vulnerability Scoring System).
- Added the ability to compare past scan sessions to determine new, unchanged or removed vulnerabilities, and save the comparison results as HTML (Menu -> Past Sessions -> Compare Checked button).
- Added File Inclusion and OWASP Top 5 hunt methods to Syhunt Code.
Version 6.2 (June 15, 2018)
- Added code scan support for Node.js based web applications.
Version 6.1 (May 17, 2018)
- Several improvements in Syhunt Code:
  - Added code scan support for Java EE, JSP and Lua based web applications.
  - Improved XSS detection in multiple languages (classic ASP, ASP.NET & PSP).
  - Improved input filtering analysis.
  - Improved speed (scan optimization).
  - Automatic Python WSGI script detection.
- Improved fingerprinter (additional WAF detection) in Syhunt Dynamic.
Version 6.0 (October 10, 2017)
- Major overhaul of both its scan engine and user interface, adding advanced fingerprinting capabilities, enhanced spidering, injection, browsing and code scan capabilities, and a large number of new and improved checks.