v0.5.0 — 16 new attack techniques, audited bug fixes, dual license

@ayam04 released this 03 Jul 13:42

Driven by a multi-agent audit (bug hunt + attack-technique research + adversarial verification).

New checks (58 total, was 42)

  • Secrets & files: secrets in client-side JS, exposed source maps, dumpable .git/.svn/.hg/.bzr repos, leaked config/credential files, directory listing.
  • SSRF & injection: signature-based SSRF (cloud metadata + file://), MongoDB-style NoSQL injection, XPath/LDAP/SSI injection.
  • Headers & access control: advanced CORS bypasses (null/prefix/suffix), forwarded-header cache poisoning, X-Original-URL/X-Rewrite-URL bypass, COOP/CORP/Permissions-Policy, cookie prefix/scope.
  • API: GraphQL hardening (field suggestions, batching, GET/CSRF).
  • Mobile & source: insecure WebView bridge, unverified App Links, weak custom permissions, dangerous GitHub Actions workflows (pwn-request, script injection).

Bug fixes

15 defects fixed, including a CLI crash on malformed ports, a false-positive sensitive-file detector, missed form-target and CDN-versioned library discovery, and two external-tool integrations (nikto, testssl) that silently never fired.

Licensing change

From 0.5.0, fya is dual-licensed: free for noncommercial and personal use under PolyForm Noncommercial 1.0.0; commercial use requires a paid license (ayamullahkhan04@gmail.com). Versions before 0.5.0 remain available under MIT.

`pip install --upgrade fya`