Detectify

detectify

Detectify security updates for 18 April

For continuous coverage, we push out major Detectify security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.

detectify

What information does Detectify provide for PCI Compliance Requirement 6?

The Payment Card Industry Data Security Standard (PCI DSS) program provides an information security compliance benchmark for companies that are handling, processing and storing cardholder data online. Software development and vulnerability management are covered in the PCI DSS compliance requirements as this concerns products and applications created to handle cardholder data.

Detectify for developers

Detectify is a scalable web app security scanner that automates 1000+ security tests to help you release secure applications. With Detectify, you can test your code with real exploits to identify and fix vulnerabilities in both staging and production environments. The service is continually updated with new security tests thanks to Detectify Crowdsource, a global network of handpicked security researchers.
detectify

Detectify security updates for 4 April

For continuous coverage, we push out major Detectify security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.

detectify

Scaling up Security with DevOps and CI/CD practices

Some believe that “whatever can be automated, should be automated” and in general benefits include faster production, consistency in product and quality, rolling back from failures and all allowing employees to focus on more creative and analytical tasks. The same can be said for the automation of quality assurance and security of developer coding and programming.

detectify

Apache Struts Vulnerabilities

Apache Struts is a well-known development framework for Java-based web applications that is mostly used in enterprise environments. If you search for Apache Struts CVEs on MITRE, you currently get 77 results, and most of the critical ones are due to OGNL expression injection, which is very similar to SSTI (Server Side Template Injection) attacks. In this article we will go through the security history of Apache Struts, common Apache Struts security issues and the impact of these vulnerabilities.

Proof of Concept: CVE-2017-9791 Apache Struts OGNL Expression Injection

Object-Graph Navigation Language (OGNL) is an expression language for handling Java objects. When an OGNL expression injection vulnerability is present, it is possible for the attacker to inject OGNL expressions. Many critical Apache Struts CVEs are the result of GNL expression injection. Watch our short attack demo video where we explain Apache Struts OGNL expression injection and how it works.
detectify

What are the different types of XSS?

Cross-site scripting (XSS) is a common vulnerability that is carried out when an attacker injects malicious JavaScript into a website, which then targets the website’s visitors. By doing so, the attacker may gain access to users’ cookies, sensitive user information, as well as view and/or manipulate the content that is shown to the user. This is not another article explaining what XSS is, why it is a security issue and how to fix it because we have already covered that.

detectify

Meet the Hacker: EdOverflow, motivated by community and knowledge sharing

EdOverflow is known for contributing a bunch of stuff: active in the community, one of the people behind security.txt – a standard for structuring responsible disclosures, bug bounty hunter and a member of Detectify Crowdsource. We got a chance to quiz him about security.txt, his motivates for being involved with hacking communities and why he chooses to report to responsible disclosure programs without bounty rewards.