Saturday, August 29, 2015

Syhunt Community Edition Released

Today we made available the Community Edition of our hybrid application security scanner. This is the first release of a free edition of our flagship product, Syhunt Hybrid, which can now be used at no charge by the community.
It helps security auditors, security professionals, developers and hackers start improving the security of web applications and websites right away, and evaluate the coding practices currently in place within an organization or group.

With this version you are now able to scan and detect the following vulnerabilities, including commonly exploited coding mistakes, through both dynamic and source code analysis:

  • Cross-Site Scripting (XSS)
  • SQL Injection (for MySQL and Oracle powered web applications)
  • Unvalidated Redirects
  • Directory Listing
  • Directory Traversal
  • Information Disclosure
  • Old/Backup Files (Common Backup Files & Folders)
  • Path Disclosure
  • Source Code Disclosure

Syhunt Community Edition runs under any modern Windows version and can be downloaded at the link below. Feel free to try it and share your feedback and suggestions.

Download Syhunt Community 5.3

File: syhunt-community-5.3.exe
MD5 : 189b5e3ba8c754130891749a99d01b54
SHA-1: cbb24a0b37d187a373ee3fa792d76225327dbd16


Tuesday, August 25, 2015

Lua Web Application Security Vulnerabilities

Auditing and Defending Lua-Based Web Applications
This paper intends to highlight the risk of unvalidated input in Lua-based web applications.
Some time ago I wrote about how to detect NoSQL and server-side JavaScript (SSJS) injection vulnerabilities using time-based techniques. JavaScript is still rising and becoming more popular as a platform for server-side code. This time I want to cover security aspects of another language/framework that is being increasingly adopted for web development and that has a lot of potential: Lua.
Lua is a powerful language useful for experienced programmers but, at the same time, considered easy for inexperienced programmers. While Lua has been mostly used for game development, there is a growing ecosystem of Lua web applications and frameworks. Mature web servers like Apache & Nginx are the preferred choice for many who are creating, or thinking about creating, their first Lua-based web applications - together they account for over 70% of the world's web servers and are solid choices to start with. Alternative and pioneering Lua web programming tools like CGILua have been around for a while. CGILua runs on top of Apache or any CGI-enabled web server.
At Syhunt, we've been using Lua for quite some time as part of our web application security tools and as a primary scripting language, and recently we started using internally the Lua modules for the Apache and Nginx web servers, known as mod_lua and ngx_lua respectively. I decided to check for myself how insecurely coded Lua web applications could be targeted and how easily the servers in question could be compromised. To perform the tests, I created a small collection of insecure web applications with input validation issues tailored to each web server software.


© 2015 by Syhunt Application Security Company. All rights reserved.