Releases: ayam04/fya
v0.5.1 — commercial-license notice
- CLI now prints a one-line notice in the scan header (suppressed under --quiet): noncommercial and personal use is free; commercial use requires a license.
- Added COMMERCIAL-LICENSE.md describing the commercial license and how to obtain it, linked from the README.
No functional scanner changes from 0.5.0.
pip install --upgrade fya
v0.5.0 — 16 new attack techniques, audited bug fixes, dual license
Driven by a multi-agent audit (bug hunt + attack-technique research + adversarial verification).
New checks (58 total, was 42)
- Secrets & files: secrets in client-side JS, exposed source maps, dumpable .git/.svn/.hg/.bzr repos, leaked config/credential files, directory listing.
- SSRF & injection: signature-based SSRF (cloud metadata + file://), MongoDB-style NoSQL injection, XPath/LDAP/SSI injection.
- Headers & access control: advanced CORS bypasses (null/prefix/suffix), forwarded-header cache poisoning, X-Original-URL/X-Rewrite-URL bypass, COOP/CORP/Permissions-Policy, cookie prefix/scope.
- API: GraphQL hardening (field suggestions, batching, GET/CSRF).
- Mobile & source: insecure WebView bridge, unverified App Links, weak custom permissions, dangerous GitHub Actions workflows (pwn-request, script injection).
Bug fixes
15 defects fixed, including a CLI crash on malformed ports, a false-positive sensitive-file detector, missed form-target and CDN-versioned library discovery, and two external-tool integrations (nikto, testssl) that silently never fired.
Licensing change
From 0.5.0, fya is dual-licensed: free for noncommercial and personal use under PolyForm Noncommercial 1.0.0; commercial use requires a paid license (ayamullahkhan04@gmail.com). Versions before 0.5.0 remain available under MIT.
`pip install --upgrade fya`
fya v0.3.0
The "test a real app" release.
New capabilities
- Authenticated scanning: --header/-H, --cookie, --bearer
- Scope and budget controls: --include / --exclude path regexes, --max-requests
- Baseline for CI: --write-baseline and --baseline to suppress known findings, so --fail-on only trips on new ones
- Optional headless-browser crawler for single-page apps: --spa (needs the [browser] extra)
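The baseline workflow described above, as an added illustration written for this page rather than fya's own code: each finding is keyed by a stable fingerprint, the baseline stores the fingerprints of known findings, and the fail-on threshold is evaluated only over findings that are absent from the baseline. The field names (rule, path, param, severity) and the JSON layout are assumptions, and the sample findings are constructed.

```python
"""Illustrative baseline/fail-on gate (not fya's own implementation)."""
import hashlib
import json
from typing import Iterable

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def fingerprint(finding: dict) -> str:
    """Stable id built from rule id, URL path and parameter only, so the same
    issue matches across runs regardless of timestamps or evidence text."""
    key = "|".join(str(finding.get(k, "")) for k in ("rule", "path", "param"))
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def write_baseline(findings: Iterable[dict]) -> str:
    """Serialise the fingerprints of known findings (the --write-baseline step)."""
    return json.dumps({"fingerprints": sorted({fingerprint(f) for f in findings})})


def new_findings(findings: Iterable[dict], baseline_json: str) -> list:
    """Keep only findings whose fingerprint is not already in the baseline."""
    known = set(json.loads(baseline_json).get("fingerprints", []))
    return [f for f in findings if fingerprint(f) not in known]


def fail_on(findings: Iterable[dict], baseline_json: str, threshold: str) -> bool:
    """CI decision: True if any *new* finding is at or above the threshold."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[f["severity"]] >= limit
               for f in new_findings(findings, baseline_json))


# Constructed sample findings (not real scanner output).
RUN1 = [
    {"rule": "missing-csp", "path": "/", "param": "", "severity": "medium"},
    {"rule": "reflected-xss", "path": "/search", "param": "q", "severity": "high"},
]
RUN2 = RUN1 + [{"rule": "ssti", "path": "/render", "param": "name", "severity": "high"}]

if __name__ == "__main__":
    baseline = write_baseline(RUN1)
    print("run1 fails on high:", fail_on(RUN1, baseline, "high"))  # False: all suppressed
    print("run2 fails on high:", fail_on(RUN2, baseline, "high"))  # True: ssti is new
```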
New checks (36 total)
- CSP policy weakness analysis, JWT algorithm/expiry/sensitive-claims, outdated JS libraries, security.txt and robots.txt
Correctness and robustness (from a full internal audit)
- Reflected XSS confidence + content-type gate, SSTI baseline + two-factor, CSRF SameSite/meta awareness, CORS wildcard accuracy, verbose-error baseline, sqlmap requires the real "is vulnerable" banner, external-tool timeouts keep partial output, TLS cert parsing via cryptography, APK implicit-exported detection
Quality
- SARIF fingerprints + rule help, entry-point plugin discovery, py.typed + mypy config, coverage in CI, Dockerfile, pre-commit, CHANGELOG, issue/PR templates
- New tests: false-positive control on a hardened app, integration-parser tests, APK-manifest unit test
Upgrade: pip install -U fya
fya v0.2.1
Docs and demo polish.
- README hero now shows the app icon to the left of the title, and keeps both the web-scan and APK scan snapshots.
- New app icon set (SVG, PNG, favicon) and wordmark logo under assets/.
- Reworked demo GIF: a realistic terminal window (rounded chrome, shell prompt, blinking cursor) with the height trimmed.
- Image URLs are absolute so the demos render on the PyPI project page.
No functional changes to the scanner. Upgrade: pip install -U fya
fya v0.2.0
New in this release:
- Scan modes: pick auto, recon, web, api, mobile, or full with --mode, refine with --only/--skip, or choose from an interactive menu (--interactive). List them with fya modes.
- Live CLI animation: a per-category progress display with spinners and running finding counts while the scan runs.
- Four new genuine dynamic web checks (29 total): server-side template injection (SSTI), missing CSRF token, Host header injection, and CRLF/header injection.
- Branding: app icon set (SVG, PNG, favicon), a wordmark logo, and an animated demo GIF.
Install or upgrade: pip install -U fya
fya v0.1.0
First release of fya, a dynamic target-adaptive security scanner for localhost servers and Android APKs.
Highlights
- One command for two targets: running web servers and .apk files
- 25 checks across web (passive and active), TLS, API, and APK static analysis, mapped to OWASP Top 10 / MASVS and CWE
- Orchestrates nuclei, nikto, sqlmap, nmap, and testssl when installed; falls back to built-in Python checks
- Non-destructive by default, adaptive request pacing, authorization gate for non-local targets
- Reports: console, JSON, SARIF, Markdown, and self-contained HTML
Install: pip install fya