What's New in Syhunt Community
Version 6.8.4 (May 21, 2020)
- Fixed: a browser behaviour issue involving hashtag usage in Syhunt Dynamic.
- Fixed: the Vulnerable Code section of a reported vulnerability sometimes displaying polluted vulnerable code portions in Syhunt Code.
- Fixed: invalid license error in reports generated by Syhunt Community.
- Added the missing vcruntime140.dll dependency; this fixes an error message when opening dialogs in a specific situation.
Version 6.8.3 (May 1, 2020)
- Improved fingerprinting, including the ability to guess the server software version.
- Added checks for vulnerabilities in various outdated server software and components.
- Moved crawling depth limit option to the Site Preferences screen.
- Changed default browser emulation mode and user agent to Chrome.
- Fixed: re-scan source button not working in Syhunt Code toolbar since update 6.8.1.
- Fixed: crash during outdated code check when scanning known third-party script.
- Report generation now runs in an isolated task.
Version 188.8.131.52 (April 7, 2020)
- Faster fault injection testing in websites with a large number of POST-based forms.
- Improved relative path handling (overly long and POST URLs).
- Improved fingerprinting (index).
- Fixed: a typo in the newly introduced CWE Top 25 and OWASP PHP Top 5 hunt method names preventing them from working.
Version 6.8.2 (April 2, 2020)
- Added the ability to scan the source code of web applications in Ruby (Rails and ERB) for security bugs with coverage for over 19 vulnerability categories, including: Cross-Site Scripting (XSS), SQL Injection, Arbitrary File Manipulation, Code Injection, Command Execution, Unvalidated Redirect and many more.
- Added two new scan methods, CWE Top 25 and OWASP Top 10, which allow scanning specifically for the 2019 top 25 most dangerous software errors and the 10 most critical web application security risks.
- Improved parsing of Python code.
- Updated the application icon.
Version 6.8.1 (March 6, 2020)
- Added the ability to scan a single source code file from the New Scan dialog.
- Fixed: some redundant reporting of remote file inclusion vulnerabilities.
Version 6.8 (January 27, 2020)
- Added dozens of checks for missing protection measures against attacks like clickjacking, content-sniffing XSS and others. This includes checks for missing or weak HTTP security headers, permissive HTTP Strict Transport Security (HSTS) policy, the use of deprecated policies and more.
- Added 184 new security code checks targeting Swift and Objective-C, the primary iOS development languages.
- Added additional XSS cases to Android checks.
- Added new outdated Angular vulnerability checks (Prototype Pollution, DoS and multiple XSS vulnerabilities) in Syhunt Code.
- Added syntax highlighting of C/C++ files and analysis of C/C++ header files.
- Added new crawling optimizations for heavily dynamically generated web sites in Syhunt Dynamic.
- Added the ability to import targets and bookmarks from CSV and list files.
- Improved auto form filling of dynamically adjusted fields in Syhunt Dynamic.
- Expanded the brute force against the structure of the Start URL path in Syhunt Dynamic.
- Fixed: a Start URL redirect handling bug involving relative paths and improved an additional case of JS redirect handling in Syhunt Dynamic.
- Fixed: CVE reference not appearing for specific check groups in Syhunt Dynamic.
- Fixed: false positive involving version number and hardcoded resource check in Syhunt Code.
- Changed the date/time format in the Past Sessions screen and report for better visualization.
- Fixed: the user interface not highlighting that Git for Windows needs to be installed, or other fatal errors.
- Fixed: Canceled scans sometimes being listed with Scanning as status in the Past Sessions screen.
Version 6.7 (September 17, 2019)
- Enabled all code checks (though the details of High-rated and specific Medium-rated vulnerabilities are only available in the professional editions of Syhunt).
- Added SAST support and checks for mobile (iOS and Android) apps. This includes support for the programming languages Objective-C, C, C++ and Swift.
- Added many new and improved SAST checks for Java.
- Improved code vulnerability detection accuracy and vulnerable line detection precision.
- Improved insecure randomness checks (additional checks) in Syhunt Code.
- Improved multi-language source code parsing.
- Improved automated web form login (alternative schemes) in Syhunt Dynamic.
- Improved spidering of heavily dynamically generated web stores.
- Minor optimizations for WordPress-based websites in Syhunt Dynamic.
- Additional entry point coverage and input filtering/validation analysis in Syhunt Code.
- Added the ability to ignore specific vulnerabilities in the Site Preferences and Code Scanner Preferences screens.
- Improved session status and icons in session manager.
- Fixed a few bugs and false positives:
  - Fixed: GIT for Windows 64-bit not being detected by Syhunt Code.
  - Improved hardcoded resource checks (eliminating some common false positives) in Syhunt Code.
  - Improved insecure salting checks (fixed two false positive cases) in Syhunt Code.
  - Fixed: an overly broad path rejection rule in the spider.
  - Made user check preferences override hunt method check preferences in both Syhunt Dynamic and Syhunt Code.
  - Fixed: an error message involving the options table when trying to add a target to the Dynamic Target list.
Version 6.6 (June 3, 2019)
- Added the ability to start a scan against a website after manually logging in (when you start a Dynamic scan from within the Sandcat Browser, the tab session data is used as part of the scan).
- Added SAST support, optimizations and checks for AngularJS-based web apps.
- Added SAST support and checks for Angular-based web apps (v2 and higher).
- Added SAST support and checks for Electron-based apps.
- Added the ability to scan GIT repositories via user interface, and to create and manage a list of favorite target repositories.
- Added support for Azure Repos using GIT.
- Improved HTTP/HTTPS protocol and SSL support (fixed: connection reset by peer error when trying to scan some websites) in Syhunt Dynamic.
- Added an option to auto-follow off-domain redirects in the Start URL (enabled by default in GUI and CLI).
- Added a prompt about off-domain URL redirects when defining a dynamic target.
- Added additional Joomla-specific optimizations in Syhunt Dynamic.
- Added View Vulnerabilities option to Dynamic and Code menu bars.
- Improved spider (handling of redundant form sections).
- Improved handling of popups in Sandcat Browser.
- Improved input dialog for adding Dynamic targets.
- Canceling the site preferences screen before starting a scan cancels the scan.
- Reversed the list order in the session manager (recent sessions first).
- Fixed: inability to properly pin app to the Windows taskbar.
- Fixed: UI folder tree insertion bug related to hidden files in Syhunt Code.
- Fixed: footer user notes not being added to report when generating one.
- Fixed: session status not being updated to Canceled after a scan has been manually stopped via UI.
- Fixed: SQL Injection toolbar menu option mapping to invalid hunt method in Syhunt Code.
- Fixed: a false positive involving a SQL Injection protection filter not being recognized in Syhunt Code.
- Fixed: a false positive involving authentication bypass check in Syhunt Dynamic.
- Fixed: a false positive involving non-standard autocomplete attribute value in Syhunt Dynamic/Code.
- Fixed: sidetree sometimes not properly loading item after switching between simultaneous scan tabs.
Version 6.5 (December 26, 2018)
- Added a revamped vulnerability details dialog with editing capabilities.
- Added a Dynamic Targets screen to the launcher, which allows managing a list of common target URLs. You can access it through the purple bookmark icon in the Launcher toolbar or the New Scan dialog.
- Added Rails framework, WII framework and WordPress related optimizations.
- Added the ability to import and export a scan session from/to a file.
- Added additional scan progress info to the results tab.
- Reviewed the Malware Content and Structure Brute Force hunt methods and enabled additional checks. Improved extension checking and structure brute force checks and fixed a false positive case.
- Improved fingerprinting and added detected languages and OS type to reports.
- Improved spider (improved web site caching and mapping).
- Improved compatibility with source control systems (GIT and SVN) in Syhunt Code.
- Reclassified dynamic XSS risk based on CVSS3 score.
- This release comes with the latest Syhunt Sandcat browser updates and drops support for Windows Vista:
  - Added the ability to import/export/clear bookmarks.
  - Confirm exit when tasks are running.
Version 6.4 (October 17, 2018)
- Revamped launcher screen.
- Added additional password file disclosure checks.
- Added Joomla-specific optimizations.
- Added Nginx support in Syhunt Insight.
- Improved spidering (additional link extraction and improved relative path handling).
- Combined link list with additional details into new Coverage report section.
Version 6.3 (September 8, 2018)
- Added full support for CVSS (Common Vulnerability Scoring System).
- Added the ability to compare past scan sessions to determine new, unchanged or removed vulnerabilities, and save the comparison results as HTML (Menu -> Past Sessions -> Compare Checked button).
- Added File Inclusion and OWASP Top 5 hunt methods to Syhunt Code.
Version 6.2 (June 15, 2018)
- Added code scan support for Node.js based web applications.
Version 6.1 (May 17, 2018)
- Several improvements in Syhunt Code:
  - Added code scan support for Java EE, JSP and Lua based web applications.
  - Improved XSS detection in multiple languages (classic ASP, ASP.NET & PSP).
  - Improved input filtering analysis.
  - Improved speed (scan optimization).
  - Automatic Python WSGI script detection.
- Improved fingerprinter (additional WAF detection) in Syhunt Dynamic.
Version 6.0 (October 10, 2017)
- Major overhaul of both its scan engine and user interface, adding advanced fingerprinting capabilities, enhanced spidering, injection, browsing and code scan capabilities, and a large number of new and improved checks.