FREE ACCESS & MORE: Syhunt takes action to help secure entities and businesses amid COVID-19 pandemic Read now


The bug hunter's notepad

Syhunt Huntpad is an open source notepad application with features that are particularly useful to penetration testers and bug hunters - a collection of common injection string generators, hash generators, encoders and decoders, HTML and text manipulation functions, and so on, coupled with syntax highlighting for several programming languages.


Huntpad borrows many features from Syhunt Sandcat's QuickInject sidebar. Like its cousin, it is focused on File Inclusion, XSS and SQL Injection and comes with the following options:

  • Syntax Highlighting - supporting HTML, JavaScript, CSS, XML, PHP, Ruby, SQL, Pascal, Perl, Python and VBScript.
  • SQL Injection functions
    • Filter Evasion - Database-Specific String Escape (CHAR & CHR). Conversion of strings to quoted strings, conversion of spaces to comment tags or new lines
    • Filter Evasion (MySQL-Specific) - String Concatenation, Percent Obfuscation & Integer Representation (eg: '26' becomes 'ceil(pi()*pi())*(!!!pi()+true)+ceil(@@version)', a technique presented by Johannes Dahse).
    • UNION Statement Maker
    • Quick insertion of common injections covering DB2, Informix, Ingres, MySQL, MSSQL, Oracle & PostgreSQL
  • File Inclusion functions
    • Quick Shell Upload code generator
    • PHP String Escape (chr)
  • Cross-Site Scripting (XSS) functions
    • Filter Evasion - JavaScript String Escape (String.fromCharCode), CSS Escape
    • Various handy alert statements for testing for XSS vulnerabilities.
  • Hash functions
    • Hash Generators - MD5, SHA-1, SHA-2 (224, 256, 384 & 512), GOST, HAVAL (various), MD2, MD4, RIPEMD (128, 160, 256 & 320), Salsa10, Salsa20, Snefru (128 & 256), Tiger (various) & WHIRLPOOL
  • Encoders/Decoders
    • URL Encoder/Decoder
    • Hex Encoder/Decoder - Converts a string or integer to hexadecimal or vice-versa (multiple output formats supported).
    • Base64 Encoder/Decoder
    • CharCode Converter - Converts a string to charcodes (eg: 'abc' becomes '97,98,99') or vice-versa.
    • IP Obfuscator - Converts an IP to dword, hex or octal.
    • JavaScript Encoders - Such as JJEncode by Yosuke HASEGAWA
  • HTML functions
    • HTML Escape/Unescape
    • HTML Entity Encoder/Decoder - Decimal and hexadecimal HTML entity encoders & decoders
    • JavaScript and CSS beautifiers
    • JavaScript String Escape
  • Text Manipulation functions - Uppercase, Lowercase, Swap Case, Title Case, Reverse, Shuffle, Strip Slashes, Strip Spaces, Add Slashes, Char Separator
  • Time-Based Blind Injection code - Covering MySQL, MSSQL, Oracle, PostgreSQL, Server-Side JavaScript & MongoDB
  • CRC Calculators - CRC16, CRC32, CRC32b, and more.
  • Classical Ciphers - ROT13 & ROT[N]
  • Checksum Calculators - Adler-32 & Fletcher
  • Buffer Overflow String Creator
  • Random String & Number Generation functions
  • URL Splitter
  • Useful Strings - Math, character sets and more.

It has been really rewarding to see this application... many possibilities offered by this notepad turned into a small Swiss army knife for Ethical Hacking.

Pablo González Pérez, Security Researcher, ElevenPaths

HuntPad is similar to CyberChef from GCHQ, but less emphasis on text formats of structured data & PublicKey+symmetric cryptography-not dis`ing cause a non-web approach is needed for websec testing.

Derek Callaway, IOActive, Cybersecurity Consultant