Detectify

detectify

Detectify now checks for File Disclosure in SSL VPNs - Pulse Secure and Fortinet

Pulse Secure and Fortinet have announced advisories detailing a critical vulnerability found that enables an unauthenticated user to conduct file disclosure in SSL VPN. Thanks to Detectify Crowdsource hackers, Detectify checks your website for these vulnerabilities and will alert you if your version of Pulse Secure or Fortinet gateway is affected.

detectify

Introducing Asset Inventory: stay on top of your web asset security

Good security starts with knowing your web assets. To enable transparency over your tech stack, we have released Asset Inventory, a new view that helps you prioritize security issues and collaborate across teams to stay on top of your web asset security. This release is the first step towards broader asset tracking functionality in Detectify.

detectify

Improving WordPress plugin security from both attack and defense sides

Paul is a front- & backend developer with a passion in security, who creates designs occasionally. After starting out with WordPress plugin vulnerabilities, he joined the bug bounty world and now also a white hat hacker in the Detectify Crowdsource community. As he has acquired his knowledge through community resources himself and wants to make the internet a safer place, he shares his know-how to give something back and in this case tips on WordPress plugin security.

detectify

What is a blind vulnerability and how can it be exploited and detected?

There are times where an attacker can hack a system and yet nothing is sent back, and this is classified as a blind vulnerability. This article will explain blind vulnerability detection and how Detectify’s scanner detects them: If we simplify web hacking, it usually means that an attacker is sending some data from their computer to a server, the server processes the data and then sends something back to the attacker.

detectify

Anne-Marie Eklund Lwinder: "I was good at making others' code stop running very early on."

She’s the CISO of The Internet Foundation of Sweden (IIS) and one of 14 trusted individuals to hold a Key to the Internet, which means the DNSSEC key generation for the internet root zone. Anne-Marie Eklund Löwinder is also one of the few Swedes who have been inducted into the Internet Hall of Fame.

detectify

Content Security Policy (CSP) explained including common bypasses

We have written about Content Security Policy (CSP) on Detectify Labs before. But maybe you’re wondering why should you have it on your site to begin with? This article will explain why having one can prevent header exploits with attributes and common bypasses. CSP is a response header that instructs the web browser from what sources it is allowed to include and execute resources from.

detectify

Lerhan: Bypassing IDOR protection with URL shorteners

Xavier Blasco (a.k.a Lerhan) is a 23-year old security researcher on the Detectify Crowdsource Platform. He’s passionate about security and found a way in through bug bounty programs. As an ethical hacker, he is naturally curious in security testing vendors which he is buying from and this time it led to bypassing IDOR protection using URL shorteners. In the following guest blog, he describes this security flaw that led him to access new client contracts on Jazztel’s platform.

detectify

Fitting automated security throughout the CI/CD pipeline

As companies compete with how fast new features and products can be released on the digital market, a byproduct of DevOps could be the neglect of sufficient and consistent information security throughout the pipeline – yes that means from start to the next improvement. Sure, automated security testing in production is a given, but what about during build and testing in the Continuous Integration and Continuous Delivery (CI/CD) Pipeline?