Skip to content

Hugin v0.1.1 — Platform fixes and scanner FP cleanup

Latest

Choose a tag to compare

@Andrei-Dodu Andrei-Dodu released this 13 Jul 05:59

Hugin v0.1.1 — Platform fixes and scanner FP cleanup

v0.1.1 is a platform and polish release. YesWeHack and Synaps feature work,
proxy latency fixes, and 50+ scanner false-positive and bug fixes from live
engagements. The engine features (session re-auth, checkpointing, CSRF
freshness, payload relocation, consolidation) land in v0.1.2.

Scanner bug fixes from live engagements

Three targets since v0.1.0 surfaced real false-positive classes. 25 passive
scanner fixes, 15 active fixes, 11 BAC fixes (PII redaction, WAF
false-positive gates, coverage gaps), 8 passive FP patches from the
white.market engagement, 4 FP patches (Next.js RSC, minified postMessage,
framework dSIH, JS-bundle CC), 6 patches (prototype-pollution extends
Array, nerve enum FPs, BAC no-op, body_offset, screenshot timeout). Fewer
junk findings to triage.

Proxy

pool_idle_timeout 10s + connect_timeout 10s — kills the 60-120s
keep-alive latency inflation. Three startup deadlock fixes. Null-status on
body collection failure. LazyLock poison fallback (never-match replaces
unreachable!()). Per-flow preflight parallelized (baselines + calibration
run concurrently). REST scanner_start handler parallelized (was the last
sequential bottleneck).

Platform features

  • YesWeHack: modal login with credential persistence
  • Synaps: import .yaml templates and .wasm modules from the UI
  • Browser: no_proxy parameter now works with browse and navigate actions (was only launch)
  • Bug-bounty skills published to docs and as MCP resources (hugin://skill)
  • Crawler: 15s navigation timeout cap (was 60s), aborts after 5 consecutive WAF/challenge responses

Full changelog: v0.1.0...v0.1.1