What's New in Syhunt Community

Version (October 26, 2022)

  • Improves handling of non-standard header.
  • New, revamped responsive HTML report template.
  • Improved Breach severity evaluation.
  • Additional spider optimizations added to Dynamic.

Version (October 11, 2022)

  • Reviewed and significantly improved memory usage during Dynamic scans.

Version (October 10, 2022)

  • When generating a SAST report, prevent similar instances of the same vulnerability within a file from being displayed as individual vulnerability entries; such instances are now displayed within the first reported entry.
  • Fixed: a case of false positive related to hardcoded password.
  • Additional spider optimizations added to Dynamic.

Version (October 4, 2022)

  • Fixed: false positive case related to a Path Disclosure check (DI-1603660960-2580).
  • Fixed: inconsistency when reporting CVSS3 score related to some checks.
  • Additional spider optimizations added to Dynamic.
  • Fixed: a case of false positive affecting Insecure Randomness (C-1603659005-1147) in Syhunt Code.

Version (September 23, 2022)

  • Fixed: a case of redundant reporting of hardcoded IP address by Syhunt Code.
  • Fixed: duration not showing number of days after reaching 24h.

Version (September 22, 2022)

  • Added the consolidated total of targets, scans and vulnerabilities to the end of the summary report.
  • Additional spider optimizations added to Dynamic.
  • Check session status at the end of a scan.

Version (September 13, 2022)

  • Added a new button in the Past Sessions screen that generates a summary report of scans by scan methodology. The period covered can be set through the button List Sessions By Period.
  • Added the ability to list all sessions for a given month to the option List Sessions By Period.
  • Added the ability to generate reports for multiple selected sessions in the Past Sessions screen.
  • In Menu -> Preferences -> Other Hybrid Preferences, it is now possible to set the default output format in the save dialog when saving a scan report.
  • Additional spider optimizations added to Dynamic.
  • Fixed: when importing a list of targets, Syhunt was not properly handling a file with .list extension.
  • Fixed: a crash when scanning a specific PDF file in Syhunt Code.

Version (August 11, 2022)

  • Improvements and fixes in manual authentication method using Sandcat browser.
  • Auto handle off-domain redirect in Start URL moved from New Scan dialog to Site Preferences screen.
  • Fixed: CVE-2013-6420 receiving medium CVSS3 score, when it should be high.
  • Fixed: failure sometimes when opening connection to external assets in Dynamic. A bug introduced in the last update.
  • Fixed: an anomaly with some structure checks performing POST instead of GET.

Version (August 8, 2022)

  • Added short alias for pass/fail conditions: low, medium and high.
  • Simplified report and export generation.

Version (July 27, 2022)

  • Improved results for C and Java code scan of larger codebases using default scan method.
  • Fixed a hardcoded password false positive in Syhunt Code.
  • Fixed: long delay when loading Past Sessions screen or generating a report after scanning a very large source code base with Syhunt Code.
  • Improved setup application.

Version (June 28, 2022)

  • Simplified code for SSL/TLS check in Dynamic.
  • Comes with newer OpenSSL binaries.

Version (June 22, 2022)

  • Additional entry point detection for JS-based applications in Dynamic.
  • Additional spider optimizations in Dynamic.
  • Improved accuracy of SSL/TLS check in Dynamic.
  • Faster injection checks during application scan.
  • Fixed: long delay happening sometimes when applying an update.
  • Fixed: a false positive XSS case (XSS-228).

Version (June 17, 2022)

  • Added checks for the high severity Fastjson remote command execution vulnerability (CVE-2022-25845, CVSS score: 8.1) to Syhunt Code.
  • Added additional alerts related to the Log4J vulnerabilities disclosed last year (CVE-2021-44832 and CVE-2021-45105) to Syhunt Code.
  • Fixed: session list displaying older sessions first since the last update.

Version (June 15, 2022)

  • Significantly faster Past Sessions loading.
  • Added additional spider optimizations to Dynamic.
  • Improved start URL handling in Dynamic (Angular applications).
  • Fixed: long wait when loading the past sessions list when a large number of sessions have been archived.
  • Fixed: the Year 2038 bug.

Version (June 2, 2022)

  • Breach: added support for concurrent scans and various user interface and experience improvements.
  • Breach: significantly faster scans (from 1m18sec against a .com domain to around 23sec and 3sec after first scan).
  • DAST: Minor improvements to the handling of Start URLs in Syhunt Dynamic.
  • DAST: vulnerabilities can now be ignored by their ignore ID.
  • DAST: Added various checks for JBoss/Wildfly vulnerabilities.
  • SAST: Added the ability to ignore vulnerabilities by creating a .vulnignore file within repositories or code directories. If an Ignore ID shown in the report is added to the .vulnignore file, the vulnerability will not be reported again.
  • SAST: Improved detection of Log4Shell vulnerability in Java applications.
  • SAST: fixed a few false positives in Java applications (three cases reporting Information Disclosure, Log Forging and XML Injection).
  • Fixed: session import option not working from session manager.

Version (April 7, 2022)

  • Added checks for Spring4Shell vulnerability to Syhunt Code Composition: checks for vulnerable Spring, SpringBeans, SpringBoot, SpringWebFlux and SpringWebMVC components.
  • Added checks for web backdoors related to Spring4Shell to Syhunt Dynamic.
  • Added checks for Spring4Shell scans to Syhunt Forensic log scanner.
  • Improved Debug Parameters check.
  • Make it easier to enter business registration number in domain preferences screen.
  • Renamed IcyDark to Breach Scanner.
  • Renamed Insight Log Scanner to Forensic Scanner.

Version (March 29, 2022)

  • Dynamic: Improved crawling in login situations.

Version (March 28, 2022)

  • Dynamic: Improved session and token management.
  • Dynamic: Improved form handling.
  • Dynamic: Optimized scan against vulnerable targets.
  • Dynamic: Improved PHPInfo detection.
  • Dynamic: Added detection of weak session ID.


Version (March 9, 2022)

  • Added 69 additional vulnerability checks for ASP.NET apps in Syhunt Code covering various vulnerability categories.
  • Added the detection of additional entry points in ASP.NET apps.

Version (February 22, 2022)

  • Added an option that allows limiting the scan time.
  • Added new variables that can be used in report file names: {$DT} (current date and time), {$DD} (current date) and {$TM} (current time) - Available through CLI and Scheduler
  • Removed the -gr CLI parameter. Now reports are generated by default.
  • Added the -nr parameter which allows to disable report generation
  • Removed the -gx CLI parameter. Exports are generated if -xout or -xout2 are provided.
  • Added new checks for outdated Nginx.
  • Improved: the Syhunt Hybrid's user interface now saves settings to the disk immediately after closing the preferences dialog (unless the Cancel button is pressed).
  • Improved: perform Denial-of-Service option moved from Start Dynamic Scan dialog to the site preferences dialog.
  • Fixed: error after setting improper and overly big maximum response size in Dynamic preferences.
  • Fixed: a failure when performing NTLM authentication with Syhunt Dynamic.
  • Fixed: a false positive in Syhunt Dynamic related to a JSON error response.

Version (December 28, 2021)

  • Added checks for Log4J CVE-2021-44832 and CVE-2021-45105 vulnerabilities in Syhunt Code.
  • Added the detection of Log4Shell WAF bypass attempt in web server logs through Syhunt log analyzer.

Version (December 17, 2021)

  • Improved the detection of Log Forging vulnerabilities, which lead to Log4Shell injection, in Syhunt Code.
  • Added the detection of the vulnerable Log4J jar file within a repository through Syhunt Code.
  • Added the detection of Log4Shell injection in web server logs through Syhunt log analyzer.
  • Added Bearer and Digest (MD5/SHA256/SHA512) authentication support through GUI and CLI.
  • New spidering optimizations.

Version (November 17, 2021)

  • Added support for macOS Big Sur and Monterey.

Version (November 11, 2021)

  • Fixed: a finalization problem at the end of a Hybrid/Dynamic scan due to a variable bug in release

Version (November 8, 2021)

  • Added the first release of Syhunt IcyDark.
  • The branch parameter is now empty by default in Syhunt Code, allowing git to fetch the default branch if no branch is provided.
  • CLI: Removed the -mcd parameter in scanurl. From now on, please use the command scancore to set the depth limit.

Version (October 11, 2021)

  • Added the OWASP Top 10 2021 compliance checks.
  • Added the CWE/SANS Top 25 2021 compliance checks.
  • Added checks for deprecated TLS protocol versions and insecure SSL versions.
  • Added new WordPress-related spidering optimizations.
  • Abort dynamic scan if start URL is static asset.
  • Updated SSL code (this fixes some issues with binary transmissions).
  • Fixed: removed the need of admin permission request from UI (added temporarily after a recent update).

Version (August 12, 2021)

  • Improved crawling rules.
  • Improved insecure salting check to prevent false positive cases (SAST).
  • Added a few extra entry points to complete scan paranoid hunt method (SAST).
  • Fixed: Server-Side Request Forgery and HTTP Response Splitting false positives in Java (SAST).
  • Fixed: a few Hardcoded Password and Unprotected Resource false positive cases (SAST).
  • Fixed: Arbitrary File Manipulation and Write false positive cases in Java (SAST).

Version (June 24, 2021)

  • Allow updating preferences through command-line interface.
  • Added compatibility with Doku wiki in Syhunt Dynamic.
  • Added the -runcmd parameter to the scancore CLI tool with many available commands.
  • Added the check category Use of Dangerous Obsolete Methods to Syhunt Code and moved Bad Practice checks related to use of deprecated or potentially dangerous methods and functions to it.
  • Improved crawling rules.
  • Improved issue tracker updating through CLI.
  • Improved and documented the Syhunt Lua API.
  • Updated security header checks in Syhunt Dynamic.
  • Fixed: GIT URL in Azure DevOps Server not being accepted.
  • Fixed: missing fatal error for SSL_ERROR_RX_RECORD_TOO_LONG in Dynamic.
  • Fixed: a few false positive cases in Hardcoded Password and Unprotected Resources categories in Syhunt Code.

Version (May 26, 2021)

  • Added the ability to code scan Azure DevOps and TFS project URLs.
  • Added -excp CLI parameter in scancode, which allows specifying a list of paths to be excluded from the analysis.
  • Improved crawling of versioned JavaScript in Syhunt Dynamic.
  • Warn when target repository URL is empty or invalid.

Version (May 17, 2021)

  • Improved enforcing of depth limit during crawling.
  • Allow depth limit zero, which makes the spider not crawl pages beyond the first page.
  • Fixed: depth limit option in Site Preferences dialog not reflecting the last state.
  • Fixed: error when code scanning malformed UTF8 files.

Version (May 10, 2021)

  • Added TLS 1.3 support in Syhunt Dynamic and Code scans.
  • Improved cookie management in Syhunt Dynamic.
  • Improved vulnerability editing dialog opening.
  • Fixed: internal links in table of contents not working in PDF report.
  • Fixed: missing date/time in report for India region.
  • Fixed: some temporary files not being removed from disk after scheduled code scan execution against GIT URLs.

Version (February 8, 2021)

  • Improved outdated software checks accuracy.
  • Updated OpenSSL vulnerabilities.
  • Fixed: control panel web backdoor false positive.

Version (January 18, 2021)

This release fixes minor bugs and false positive cases in Syhunt Dynamic:

  • Enabled Path Disclosure and Directory Listing checks as part of the Passive Analysis scan method.
  • Reports now display link for multiple affected locations within a specific vulnerability entry (when available).
  • Improved start URL path handling during structure brute force checks - this speeds up checks and fixes some false positive cases.
  • Removed some redundant admin page alerts.
  • Fixed: vulnerability progress bars in results tab now properly linked to the total of vulnerabilities per severity.
  • Fixed: rare signature response loop during Remote Command Execution checks.
  • Fixed: a false positive in Source Code Disclosure (ASP) check.
  • Fixed: a false positive involving OpenSSL Library 1.0.2k-fips.
  • Fixed: auto follow redirect option not being assigned when disabled in the Dynamic scan dialog.
  • Fixed: HunterSense rule issue for detecting PHP 5.4.16.

Version (January 11, 2021)

  • Improved outdated script and version checks.
  • Improved handling of corrupted compressed streams.
  • Improved JS string analysis in Syhunt Dynamic.
  • Added handling of certificate files during spidering in Syhunt Dynamic.
  • Fixed: command execution false positive involving Unix's id command in Syhunt Dynamic.
  • Fixed: offline assets in a website creating delay during Dynamic scans.
  • Fixed: scrolling issue in some big report lists affecting Sandcat and Syhunt UI.
  • Fixed: SQL injection false positive case when scanning C# source code (fix id C-1606780747-6823 in Syhunt Code).
  • Fixed: OLE DB related false positive case when scanning C# source code in Syhunt Code.
  • Fixed: spider loop situation involving Spring form in Syhunt Dynamic.

Version 6.9.4 (November 19, 2020)

  • Re-enables automatic IP geolocation feature in Insight Log Analyzer.
  • Improved outdated software checking (additional accuracy) in both Syhunt Dynamic and Syhunt Code.

Version 6.9.3 (November 3, 2020)

  • Around 5x faster code scans, and optimizations to accelerate scans of JavaScript code.
  • Greatly extended and improved TypeScript checks and analysis.
  • Greatly improved SAST of Ruby, ASP (classic) and JavaScript web apps (additional accuracy and checks). Improved auto-detection of JavaScript type.
  • Improved input validation analysis in a variety of languages, including ASP and JavaScript web apps.
  • Added Affected Variable(s) to vulnerability properties dialog and report, and improved variable usage analysis.
  • Improved Syhunt Dynamic spidering - Improved JS analysis, improved JS string handling and improved form handling of forms with multiple submission methods. Improved JS parser loading under Linux.
  • Faster Dynamic scans - Faster unvalidated redirect and OAST checks and faster CWE Top 25 and OWASP Top 10 scans.
  • Added the Application Scan (Server-Side Focused) hunt method, which allows scanning for server-side vulnerabilities only.
  • Added detection of new Node.js-based web backdoors and fixed a false positive case of JS shell.
  • Improved incremental cache history loading.
  • Fixed: session and report display of hunt method name of a scan started by Syhunt Code.
  • Fixed: IP not being properly recognized in web log during web log scan in Syhunt Insight.
  • Goodbye to the 32-bit era - From now on, only the 64-bit version of Syhunt will be available.

Version (August 25, 2020)

  • All Syhunt scans are now by default incremental scans, which means that scan data from previous scans against a specific target are automatically stored and used to speed up future scans.
  • Allow incremental scan to be enabled or disabled from site preferences screen (enabled by default).
  • Allow incremental scan data to be cleared from the Dynamic Targets list.
  • Added -inc parameter that allows setting the incremental scan mode in ScanURL and ScanCode CLI tools.
  • Added check for SQUID-2020 Cache Poisoning Issue in HTTP Request processing (CVE-2020-15049)
  • Allow columns to be sorted.
  • Fixed: the status of a scan in progress being reported as Cancelled in the past sessions screen (bug introduced in and now fixed).
  • Fixed: a rare crash when generating a hash.
  • Fixed: the Target column will display proper target name for new scans in the past sessions screen.

Version (August 11, 2020)

  • On Linux, please remember to uninstall Syhunt before installing the new version.
  • CLI commands now use lowercase names (e.g. scanurl instead of ScanURL) on Linux.
  • Allow setting custom repository branch in scancode on Linux.
  • Improved cross-platform setup.

Version 6.9.0 (August 4, 2020)

  • Added compatibility with Linux 64-bit. Syhunt CLI now runs on most Linux distributions and runs out-of-the-box on Kali Linux and Parrot Security OS.
  • Allow by default complete export of preferences through menu -> Import & Export options with new .scpbak extension.
  • Past Sessions now displays by default scans from last 7 days and can be changed to display different periods from toolbar. The new feature will only work for sessions generated by this version or up. You can still see older sessions by selecting View Sessions by Period -> All Sessions from toolbar.
  • HTML reports now include all required assets within the same file.
  • Improved recon against start URL.
  • Improved task management and setup application.
  • Improved spider rules.

Version 6.8.6 (July 1, 2020)

  • Revised extension checking and structure brute force with faster execution and improved accuracy.
  • Added an option that allows stopping scans from the sessions screen.
  • Added CWE references to outdated checks.
  • Improved ngx_lua support in Syhunt Code (additional checks).
  • Fixed: outdated false positive involving latest mod_fcgid.
  • Fixed: false positive cases in ASP.Net C# code (Syhunt Code) related to NoSQL Injection, Insecure Salting, Hardcoded Password and Command Execution Vulnerability.
  • Fixed: crawling taking too long against specific Drupal installation (Syhunt Dynamic).
  • New debug option eliminates the need of generating two debug files when sending debug info to Syhunt.
  • Updated Catarinka library with improved string handling.

Version 6.8.5 (June 10, 2020)

  • Fixed: a Permissive HSTS Header check false positive case.
  • Fixed: Missing Content Sniffing XSS Protection false positive (X-Content-Type-Options).
  • Fixed: a http-equiv related redirect handling issue case.
  • Fixed: a TLS 1.2 handshake issue.
  • Fixed: a bug in experimental IDS Evasion feature causing the request version to be set incorrectly.
  • The OpenSSL library was upgraded.

Version 6.8.4 (May 21, 2020)

  • Fixed: a browser behaviour issue involving hashtag usage in Syhunt Dynamic.
  • Fixed: Vulnerable Code section in reported vulnerability sometimes displaying vulnerable portions polluted in Syhunt Code.
  • Fixed: invalid license error in reports generated by Syhunt Community.
  • Added missing vcruntime140.dll dependency - this fixes an error message when opening dialogs in a specific situation.

Version 6.8.3 (May 1, 2020)

  • Improved fingerprint, including the ability to guess the server software version.
  • Added checks for vulnerabilities in various outdated server software and components.
  • Added the ability to perform SAST in client-side JavaScript code during DAST.
  • Moved crawling depth limit option to the Site Preferences screen.
  • Changed default browser emulation mode and user agent to Chrome.
  • Improved parsing of JavaScript in HTML files.
  • Fixed: re-scan source button not working in Syhunt Code toolbar since update 6.8.1.
  • Fixed: crash during outdated code check when scanning known third-party script.
  • Report generation now runs in an isolated task.

Version (April 7, 2020)

  • Faster fault injection testing in websites with large number of POST-based forms.
  • Improved relative path handling (overly long and POST URLs).
  • Improved fingerprinting (index).
  • Fixed: typo in newly introduced CWE Top 25 and OWASP PHP Top 5 hunt method names preventing them from working.

Version 6.8.2 (April 2, 2020)

  • Added the ability to scan the source code of web applications in Ruby (Rails and ERB) for security bugs with coverage for over 19 vulnerability categories, including: Cross-Site Scripting (XSS), SQL Injection, Arbitrary File Manipulation, Code Injection, Command Execution, Unvalidated Redirect and many more.
  • Added two new scan methods: CWE Top 25 and OWASP Top 10, which allow scanning specifically for the 2019 top 25 most dangerous software errors and the 10 most critical web application security risks.
  • Improved parsing of Python code.
  • Updated the application icon.

Version 6.8.1 (March 6, 2020)

  • Added the ability to scan a single source code file from the New Scan dialog.
  • Fixed: some redundant reporting of remote file inclusion vulnerabilities.

Version 6.8 (January 27, 2020)

  • Added dozens of checks for missing protection measures against attacks like clickjacking, content-sniffing XSS and others. This includes checks for missing or weak HTTP security headers, permissive HTTP Strict Transport Security (HSTS) policy, the use of deprecated policies and more.
  • Added 184 new security code checks targeting Swift and Objective-C, the primary iOS development languages.
  • Added additional XSS cases to Android checks.
  • Added new outdated Angular vulnerability checks (Prototype Pollution, DoS and multiple XSS vulnerabilities) in Syhunt Code.
  • Added syntax highlighting of C/C++ files and analysis of C/C++ header files.
  • Added new crawling optimizations for heavily dynamically generated web sites in Syhunt Dynamic.
  • Added the ability to import targets and bookmarks from CSV and list files.
  • Improved auto form filling of dynamically adjusted fields in Syhunt Dynamic.
  • Expanded the brute force against the structure of the Start URL path in Syhunt Dynamic.
  • Fixed: a Start URL redirect handling bug involving relative paths and improved an additional case of JS redirect handling in Syhunt Dynamic.
  • Fixed: CVE reference not appearing for specific check groups in Syhunt Dynamic.
  • Fixed: false positive involving version number and hardcoded resource check in Syhunt Code.
  • Changed the date/time format in the Past Sessions screen and report for better visualization.
  • Fixed: the user interface not highlighting when Git for Windows needs to be installed or when other fatal errors occur.
  • Fixed: Canceled scans sometimes being listed with Scanning as status in the Past Sessions screen.

Version 6.7 (September 17, 2019)

  • Enabled all code checks (though the details of High-rated and specific Medium-rated vulnerabilities are only available in the professional editions of Syhunt).
  • Added SAST support and checks for mobile (iOS and Android) apps. This includes support for the programming languages Objective-C, C, C++ and Swift.
  • Added many new and improved SAST checks for Java.
  • Improved code vulnerability detection accuracy and vulnerable line detection precision.
  • Improved insecure randomness checks (additional checks) in Syhunt Code.
  • Improved multi-language source code parsing.
  • Improved automated web form login (alternative schemes) in Syhunt Dynamic.
  • Improved spidering of heavily dynamically generated web stores.
  • Minor optimizations for WordPress-based websites in Syhunt Dynamic.
  • Additional entry point coverage and input filtering/validation analysis in Syhunt Code.
  • Allow ignoring specific vulnerabilities in the Site Preferences and Code Scanner Preferences screens.
  • Improved session status and icons in session manager.
  • Fixed a few bugs and false positives:
    • GIT for Windows 64-bit not being detected by Syhunt Code.
    • Improved hardcoded resource checks (eliminating some common false positives) in Syhunt Code.
    • Improved insecure salting checks (fixed two false positive cases) in Syhunt Code.
    • Fixed: an overly-broad path rejection rule in spider.
    • Make user check preferences overwrite hunt method check preferences in both Syhunt Dynamic and Syhunt Code.
    • Error message involving options table when trying to add target to the Dynamic Target list.

Version 6.6 (June 3, 2019)

  • Added the ability to start a scan against a website after manually logging in (when you start a Dynamic scan from within the Sandcat Browser the tab session data is used as part of the scan).
  • Significantly faster code scans (added additional optimizations for specific app frameworks and libraries such as jQuery, Bootstrap, Kendo UI, momentjs, fullPage and more). Improved JavaScript analysis.
  • Added SAST support, optimizations and checks for AngularJS-based web apps.
  • Added SAST support and checks for Angular-based web apps (v2 and higher).
  • Added SAST support and checks for Electron-based apps.
  • Additional SAST checks for Node.js, Express, JavaScript and Java.
  • Added the ability to scan GIT repositories via user interface, and to create and manage a list of favorite target repositories.
  • Added support for Azure Repos using GIT.
  • Improved HTTP/HTTPS protocol and SSL support (fixed: connection reset by peer error when trying to scan some websites) in Syhunt Dynamic.
  • Added option to auto follow off-domain redirect in Start URL (enabled by default in GUI and CLI).
  • Ask about off-domain URL redirect when defining a dynamic target.
  • Added additional Joomla-specific optimizations in Syhunt Dynamic.
  • Added View Vulnerabilities option to Dynamic and Code menu bars.
  • Improved spider (handling of redundant form sections).
  • Improved handling of popups in Sandcat Browser.
  • Improved input dialog for adding Dynamic targets.
  • Canceling the site preferences screen before starting a scan cancels the scan.
  • Reverse list in session manager (recent sessions first).
  • Fixed: inability to properly pin app to the Windows taskbar.
  • Fixed: UI folder tree insertion bug related to hidden files in Syhunt Code.
  • Fixed: footer user notes not being added to report when generating one.
  • Fixed: session status not being updated to Canceled after a scan has been manually stopped via UI.
  • Fixed: SQL Injection toolbar menu option mapping to invalid hunt method in Syhunt Code.
  • Fixed: a false positive involving a SQL Injection protection filter not being recognized in Syhunt Code.
  • Fixed: a false positive involving authentication bypass check in Syhunt Dynamic.
  • Fixed: a false positive involving non-standard autocomplete attribute value in Syhunt Dynamic/Code.
  • Fixed: sidetree sometimes not properly loading item after switching between simultaneous scan tabs.

Version 6.5 (December 26, 2018)

  • Added a revamped vulnerability details dialog with editing capabilities.
  • Added Dynamic Targets screen to launcher - allows managing a list of common target URLs. You can access it through the purple bookmark icon in the Launcher toolbar or the New Scan dialog.
  • Added Rails framework, WII framework and WordPress related optimizations.
  • Added the ability to import and export a scan session from/to a file.
  • Added additional scan progress info to the results tab
  • Reviewed hunt methods Malware Content and Structure Brute Force and enabled additional checks. Improved extension checking and structure brute force checks and fixed a false positive case.
  • Improved fingerprinting and added detected languages and OS type to reports.
  • Improved spider (improved web site caching and mapping).
  • Improved compatibility with source control systems (GIT and SVN) in Syhunt Code
  • Reclassified dynamic XSS risk based on CVSS3 score.
  • This release comes with the latest Syhunt Sandcat browser updates and drops support for Windows Vista:
    • Added the ability to import/export/clear bookmarks.
    • Confirm exit when tasks are running.

Version 6.4 (October 17, 2018)

  • Revamped launcher screen.
  • Added additional password file disclosure checks.
  • Added Joomla-specific optimizations.
  • Added Nginx support in Syhunt Insight.
  • Improved spidering (additional link extraction and improved relative path handling).
  • Combined link list with additional details into new Coverage report section.

Version 6.3 (September 8, 2018)

  • Added full support for CVSS (Common Vulnerability Scoring System).
  • Added the ability to compare past scan sessions to determine new, unchanged or removed vulnerabilities, and save the comparison results as HTML (Menu -> Past Sessions -> Compare Checked button).
  • Added File Inclusion and OWASP Top 5 hunt methods to Syhunt Code.

Version 6.2 (June 15, 2018)

  • Added code scan support for Node.js based web applications.
  • Added Server-Side JavaScript and MongoDB to Technologies tab in the Site Preferences screen.

Version 6.1 (May 17, 2018)

  • Several improvements in Syhunt Code:
    • Added code scan support for Java EE, JSP and Lua based web applications.
    • Improved XSS detection in multiple languages (classic ASP, ASP.NET & PSP).
    • Improved input filtering analysis.
    • Improved speed (scan optimization).
    • Automatic Python WSGI script detection.
  • Improved fingerprinter (additional WAF detection) in Syhunt Dynamic.

Version 6.0 (October 10, 2017)

  • Major overhaul of both its scan engine and user interface, adding advanced fingerprinting capabilities, enhanced spidering, injection, browsing and code scan capabilities, and a large number of new and improved checks.