Releases: ayam04/fya

v0.5.1 — commercial-license notice

@ayam04 ayam04 released this 03 Jul 13:54

  • CLI now prints a one-line notice in the scan header (suppressed under --quiet): noncommercial and personal use is free; commercial use requires a license.
  • Added COMMERCIAL-LICENSE.md describing the commercial license and how to obtain it, linked from the README.

No functional scanner changes from 0.5.0.

pip install --upgrade fya

v0.5.0 — 16 new attack techniques, audited bug fixes, dual license

@ayam04 ayam04 released this 03 Jul 13:42

Driven by a multi-agent audit (bug hunt + attack-technique research + adversarial verification).

New checks (58 total, was 42)

  • Secrets & files: secrets in client-side JS, exposed source maps, dumpable .git/.svn/.hg/.bzr repos, leaked config/credential files, directory listing.
  • SSRF & injection: signature-based SSRF (cloud metadata + file://), MongoDB-style NoSQL injection, XPath/LDAP/SSI injection.
  • Headers & access control: advanced CORS bypasses (null/prefix/suffix), forwarded-header cache poisoning, X-Original-URL/X-Rewrite-URL bypass, COOP/CORP/Permissions-Policy, cookie prefix/scope.
  • API: GraphQL hardening (field suggestions, batching, GET/CSRF).
  • Mobile & source: insecure WebView bridge, unverified App Links, weak custom permissions, dangerous GitHub Actions workflows (pwn-request, script injection).

Bug fixes

15 defects fixed, including a CLI crash on malformed ports, a false-positive sensitive-file detector, missed form-target and CDN-versioned library discovery, and two external-tool integrations (nikto, testssl) that silently never fired.

Licensing change

From 0.5.0, fya is dual-licensed: free for noncommercial and personal use under PolyForm Noncommercial 1.0.0; commercial use requires a paid license (ayamullahkhan04@gmail.com). Versions before 0.5.0 remain available under MIT.

`pip install --upgrade fya`

fya v0.3.0

@ayam04 ayam04 released this 01 Jul 11:43

The "test a real app" release.

New capabilities

  • Authenticated scanning: --header/-H, --cookie, --bearer
  • Scope and budget controls: --include / --exclude path regexes, --max-requests
  • Baseline for CI: --write-baseline and --baseline to suppress known findings, so --fail-on only trips on new ones
  • Optional headless-browser crawler for single-page apps: --spa (needs the [browser] extra)
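The CI baseline workflow listed above (write a baseline once, then scan against it so --fail-on only trips on findings that were not there before) relies on giving each finding a stable identity and diffing the current scan against the saved set. The block below is an added illustration of that mechanism, not fya's own code: the finding fields (rule, url, param, severity), the fingerprint scheme, the baseline file layout and the severity names are all assumptions, and the sample scans are constructed.

```python
import hashlib
import json

# Assumed severity ladder; fya's actual severity names are not documented on this page.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def fingerprint(finding: dict) -> str:
    """Stable identity for a finding: rule id + location + parameter.

    Message text and severity are deliberately left out, so reworded scanner
    output or a re-scored rule does not resurface a finding that was already
    reviewed and accepted into the baseline.
    """
    key = "|".join((finding["rule"], finding["url"], finding.get("param", "")))
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]


def write_baseline(findings: list[dict]) -> str:
    """Serialise a scan's fingerprints as JSON (what a --write-baseline step would persist)."""
    fps = sorted({fingerprint(f) for f in findings})
    return json.dumps({"version": 1, "fingerprints": fps}, indent=2)


def load_baseline(text: str) -> set[str]:
    """Parse a baseline file back into the set of suppressed fingerprints."""
    data = json.loads(text)
    return set(data.get("fingerprints", []))


def new_findings(findings: list[dict], baseline: set[str]) -> list[dict]:
    """Findings whose fingerprint is absent from the baseline."""
    return [f for f in findings if fingerprint(f) not in baseline]


def should_fail(findings: list[dict], baseline: set[str], fail_on: str) -> bool:
    """True when any *new* finding is at or above the fail_on severity."""
    threshold = SEVERITY_RANK[fail_on]
    return any(SEVERITY_RANK[f["severity"]] >= threshold
               for f in new_findings(findings, baseline))


def ci_exit_code(findings: list[dict], baseline_text: str, fail_on: str = "high") -> int:
    """Gate the way a CI step would: non-zero only for new findings at/above the threshold."""
    return 1 if should_fail(findings, load_baseline(baseline_text), fail_on) else 0


# Constructed sample data: a first scan that is accepted as the baseline, and a
# later scan of the same localhost app in which one additional finding appears.
FIRST_SCAN = [
    {"rule": "missing-csp", "url": "http://localhost:8000/", "severity": "medium"},
    {"rule": "cors-wildcard", "url": "http://localhost:8000/api", "severity": "high"},
]
SECOND_SCAN = FIRST_SCAN + [
    {"rule": "reflected-xss", "url": "http://localhost:8000/search",
     "param": "q", "severity": "high"},
]

BASELINE_TEXT = write_baseline(FIRST_SCAN)
BASELINE = load_baseline(BASELINE_TEXT)

if __name__ == "__main__":
    for f in new_findings(SECOND_SCAN, BASELINE):
        print(f"NEW {f['severity']:<8} {f['rule']} at {f['url']}")
    print("exit code:", ci_exit_code(SECOND_SCAN, BASELINE_TEXT))
```

Keying the fingerprint on rule and location rather than on the message is the design choice that makes a baseline useful in CI: the known findings stay suppressed across scanner upgrades that rephrase output, while a finding at a new URL or parameter still fails the build.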

New checks (36 total)

  • CSP policy weakness analysis, JWT algorithm/expiry/sensitive-claims, outdated JS libraries, security.txt and robots.txt

Correctness and robustness (from a full internal audit)

  • Reflected XSS confidence + content-type gate, SSTI baseline + two-factor, CSRF SameSite/meta awareness, CORS wildcard accuracy, verbose-error baseline, sqlmap requires the real "is vulnerable" banner, external-tool timeouts keep partial output, TLS cert parsing via cryptography, APK implicit-exported detection

Quality

  • SARIF fingerprints + rule help, entry-point plugin discovery, py.typed + mypy config, coverage in CI, Dockerfile, pre-commit, CHANGELOG, issue/PR templates
  • New tests: false-positive control on a hardened app, integration-parser tests, APK-manifest unit test

Upgrade: pip install -U fya

fya v0.2.1

@ayam04 ayam04 released this 01 Jul 07:06

Docs and demo polish.

  • README hero now shows the app icon to the left of the title, and keeps both the web-scan and APK scan snapshots.
  • New app icon set (SVG, PNG, favicon) and wordmark logo under assets/.
  • Reworked demo GIF: a realistic terminal window (rounded chrome, shell prompt, blinking cursor) with the height trimmed.
  • Image URLs are absolute so the demos render on the PyPI project page.

No functional changes to the scanner. Upgrade: pip install -U fya

fya v0.2.0

@ayam04 ayam04 released this 01 Jul 06:57

New in this release:

  • Scan modes: pick auto, recon, web, api, mobile, or full with --mode, refine with --only/--skip, or choose from an interactive menu (--interactive). List them with fya modes.
  • Live CLI animation: a per-category progress display with spinners and running finding counts while the scan runs.
  • Four new genuine dynamic web checks (29 total): server-side template injection (SSTI), missing CSRF token, Host header injection, and CRLF/header injection.
  • Branding: app icon set (SVG, PNG, favicon), a wordmark logo, and an animated demo GIF.

Install or upgrade: pip install -U fya

fya v0.1.0

@ayam04 ayam04 released this 01 Jul 06:14

First release of fya, a dynamic target-adaptive security scanner for localhost servers and Android APKs.

Highlights

  • One command for two targets: running web servers and .apk files
  • 25 checks across web (passive and active), TLS, API, and APK static analysis, mapped to OWASP Top 10 / MASVS and CWE
  • Orchestrates nuclei, nikto, sqlmap, nmap, and testssl when installed; falls back to built-in Python checks
  • Non-destructive by default, adaptive request pacing, authorization gate for non-local targets
  • Reports: console, JSON, SARIF, Markdown, and self-contained HTML

Install: pip install fya