
November 17, 2012

Sandcat Browser 3.0 introduces 'Sandcat Console' and goes multi-process - After months of hard work, Syhunt is excited to announce the release of the 3.0 version of the Syhunt Sandcat Browser. With this release, Syhunt's feature-packed, pen-test oriented web browser incorporates new capabilities and extensibility enhancements. This new version introduces a new major feature called Sandcat Console, which decreases the barrier between the pen-tester and the website, allowing the user to easily run custom commands and scripts against a website.

In addition to this major feature, Sandcat Browser 3.0 evolved from a single to a multi-process architecture (each tab is now its own process), a feature inherited from Chromium. The new version also brings in a richer experience, improved Developer Tools, improved Tor support, new extensions (such as the new encoder extensions and an enhanced Page Info tab extension) and other improvements.

Get the new release here.

November 17, 2012

Brazilian Navy selects Syhunt - The Brazilian Navy, the naval service branch of the Brazilian Armed Forces, has selected Syhunt Hybrid for securing its web applications. Syhunt is pleased to have provided its web application security assessment solution to the largest navy in South America. Syhunt was selected for its ability to perform both static and dynamic analysis, and accurately detect vulnerabilities in custom-built web applications.

June 14, 2012

Syhunt Code 4.5 adds password hash weakness detection - The 4.5 version of the Syhunt Code scanner — released today — adds the ability to detect common weak password hashing vulnerabilities in web applications, expanding its static application security testing capabilities even further.

Password breaches are becoming very common; the recent LinkedIn, Last.fm and eHarmony password breaches are examples of this trend. It is a risk that can be avoided by carrying out assessments to find SQL Injection vulnerabilities, and by enforcing strong password storage policies involving, for example, the generation of unique, random salts.
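To make the two halves of that recommendation concrete, here is an added example (not Syhunt Code's own detection logic, and not code from this announcement): a small salted-hash routine of the kind the text asks for, beside a deliberately simple static check that flags the weak pattern (an unsalted digest taken directly over a password variable) in a constructed PHP snippet. The PBKDF2 iteration count, the regex and the sample source are assumptions chosen for illustration.

```python
"""Weak vs. salted password hashing, plus a toy static check for the weak pattern.
Added illustration only; not Syhunt Code's rules or any real application's code."""
import hashlib
import hmac
import re
import secrets
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumption: a work factor to tune per deployment


def weak_hash(password: str) -> str:
    """The pattern the text warns about: an unsalted MD5 of the password.
    Identical passwords produce identical hashes, so precomputed tables apply."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256. A fresh random salt per user means two users
    with the same password get different records. Returns a self-describing
    record: scheme$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = secrets.token_bytes(16)  # unique, random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count; constant-time compare."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Toy static check (assumption): flag md5/sha1/crc32 applied directly to a
# variable whose name contains "pass" or "pwd". A real scanner would track
# data flow; this regex only catches the most direct form of the weakness.
WEAK_HASH_CALL = re.compile(
    r"\b(md5|sha1|crc32)\s*\(\s*\$(\w*(?:pass|pwd)\w*)\s*\)", re.IGNORECASE
)


def find_weak_hashing(php_source: str) -> List[Tuple[int, str]]:
    """Return (line number, matched call) for each unsalted digest over a password variable."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        m = WEAK_HASH_CALL.search(line)
        if m:
            findings.append((lineno, m.group(0)))
    return findings


# Constructed sample PHP, not taken from any real application.
SAMPLE_PHP = """<?php
// constructed sample, not code from any real application
$hash = md5($password);
$ok = password_hash($password, PASSWORD_DEFAULT);
$digest = sha1($userPwd);
"""

if __name__ == "__main__":
    for lineno, call in find_weak_hashing(SAMPLE_PHP):
        print(f"line {lineno}: weak password hashing: {call}")
    record = hash_password("correct horse")
    print("stored record:", record)
    print("verify ok:", verify_password("correct horse", record))
    print("verify wrong:", verify_password("wrong", record))
```

Run it as a script to see the two flagged lines (3 and 5) and a round trip through the salted hash; line 4, which uses PHP's built-in `password_hash`, is not reported.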

"With this update, Syhunt Code is now not only able to help organizations locate and fix SQL Injection vulnerabilities, which are frequently exploited to steal passwords, but also help them assess whether their current password hashing method is secure or not," says Felipe Aragon, CEO of Syhunt. "It's a very important addition to our solution."

The full list of static tests performed by Syhunt Code can be found here.

Syhunt Code 4.4 is available free of charge to all Syhunt Code and Hybrid users.

May 11, 2012

Product Name Change: Sandcat Pro is now Syhunt Dynamic - Today we are announcing that the Sandcat Pro product will now be called Syhunt Dynamic: same product, new name.

The name change also applies to the former Sandcat Code product, which is now known as Syhunt Code, and Sandcat Pro Hybrid, which is now known as Syhunt Hybrid.

The name changes will more accurately reflect the nature of the different Syhunt web application security products and tools available today. Despite the name changes affecting the Syhunt scanners, the Syhunt Sandcat Browser will continue to be called Sandcat Browser.

The old product names and the corresponding new names:

  • Sandcat Pro Hybrid -> Syhunt Hybrid
  • Sandcat Pro -> Syhunt Dynamic
  • Sandcat Code -> Syhunt Code
  • Sandcat Log Analyzer -> Syhunt Insight

March 6, 2012

Syhunt Sandcat Pro 4.4 offers unparalleled XSS detection accuracy - Syhunt Sandcat Pro 4.4 - released today - adds new, advanced false positive filters for Cross Site Scripting (XSS) checks that provide unparalleled accuracy for detecting XSS vulnerabilities via dynamic analysis.

We tested Sandcat 4.4 against several environments including the WAVSEP application version 1.1.1, which can be downloaded from Google Code, and it achieved a detection rate of 100% at a false positive rate of 0%.

In detail, the following rates were obtained:

  • RXSS-TOTAL: 100% (66 of 66) vulnerabilities detected
  • RXSS-GET: 100% (33 of 33) vulnerabilities detected
  • RXSS-POST: 100% (33 of 33) vulnerabilities detected
  • RXSS-FalsePositive: 0.00% (0 of 7) - zero false positives.

In addition to these enhancements, Syhunt Sandcat 4.4 adds 114 new dynamic checks for detecting XSS flaws in custom web applications, covering new HTML5 vectors. The new version also comes with major optimizations to speed up XSS checks and new checks for detecting Server-Side JavaScript Injection vulnerabilities.

Sandcat Pro 4.4 is available free of charge to all Sandcat Pro users.

Acknowledgements - Thanks go to d3v1l (@securityshell), Security Engineer at RandomStorm, for his helpful comments and suggestions in preparation of the final 4.4 release.

See also: Top position in benchmark confirms Syhunt Sandcat as a leading web application security scanner

February 25, 2012

Google V8 Server-Side JavaScript Injection joins the set of web application security vulnerabilities - As you read this, web developers are starting to learn how to use V8Js (Google's V8 JavaScript engine) in PHP, or MongoDB, a scalable, high-performance, open source NoSQL database that also allows JavaScript to be used in queries. With the rising adoption of server-side JavaScript, we can expect server-side JS injection vulnerabilities caused by unvalidated user input to become prevalent, and the techniques for exploiting them, commonplace. At Syhunt, we have already started a collection of techniques for proactively detecting server-side JS injection flaws.

January 24, 2012

Sandcat Pro 4.3: 10x faster scan report generation

Syhunt releases Sandcat Pro 4.3, adds several enhancements - Sandcat Pro 4.3 — released today — comes with a new Report Generator utility, built from the ground up, that offers up to ten times faster scan report generation compared to the previous release.

Sandcat 4.3 also brings enhanced report editing capabilities, support for custom CSS, command-line report generation with multiple output format options, a new data import and export utility, and a new, improved version of the Sandcat Browser which now adds the ability to load and run external JavaScript and Lua scripts.

The new updates will be available free of charge to all Sandcat Pro users.