v0.5.0 — 16 new attack techniques, audited bug fixes, dual license
Driven by a multi-agent audit (bug hunt + attack-technique research + adversarial verification).
New checks (58 total, was 42)
- Secrets & files: secrets in client-side JS, exposed source maps, dumpable .git/.svn/.hg/.bzr repos, leaked config/credential files, directory listing.
- SSRF & injection: signature-based SSRF (cloud metadata + file://), MongoDB-style NoSQL injection, XPath/LDAP/SSI injection.
- Headers & access control: advanced CORS bypasses (null/prefix/suffix), forwarded-header cache poisoning, X-Original-URL/X-Rewrite-URL bypass, COOP/CORP/Permissions-Policy, cookie prefix/scope.
- API: GraphQL hardening (field suggestions, batching, GET/CSRF).
- Mobile & source: insecure WebView bridge, unverified App Links, weak custom permissions, dangerous GitHub Actions workflows (pwn-request, script injection).
Bug fixes
15 defects fixed, including a CLI crash on malformed ports, a false-positive sensitive-file detector, missed form-target and CDN-versioned library discovery, and two external-tool integrations (nikto, testssl) that silently never fired.
Licensing change
From 0.5.0, fya is dual-licensed: free for noncommercial and personal use under PolyForm Noncommercial 1.0.0; commercial use requires a paid license (ayamullahkhan04@gmail.com). Versions before 0.5.0 remain available under MIT.
`pip install --upgrade fya`