There are times where an attacker can hack a system and yet nothing is sent back, and this is classified as a blind vulnerability. This article will explain blind vulnerability detection and how Detectify’s scanner detects them: If we simplify web hacking, it usually means that an attacker is sending some data from their computer to a server, the server processes the data and then sends something back to the attacker.

She’s the CISO of The Internet Foundation of Sweden (IIS) and one of 14 trusted individuals to hold a Key to the Internet, which means the DNSSEC key generation for the internet root zone. Anne-Marie Eklund Löwinder is also one of the few Swedes who have been inducted into the Internet Hall of Fame.

We have written about Content Security Policy (CSP) on Detectify Labs before. But maybe you’re wondering why should you have it on your site to begin with? This article will explain why having one can prevent header exploits with attributes and common bypasses. CSP is a response header that instructs the web browser from what sources it is allowed to include and execute resources from.

Xavier Blasco (a.k.a Lerhan) is a 23-year old security researcher on the Detectify Crowdsource Platform. He’s passionate about security and found a way in through bug bounty programs. As an ethical hacker, he is naturally curious in security testing vendors which he is buying from and this time it led to bypassing IDOR protection using URL shorteners. In the following guest blog, he describes this security flaw that led him to access new client contracts on Jazztel’s platform.

HTTP Response Splitting is a type of attack that occurs when an attacker can manipulate the response headers that will be interpreted by the client. This article goes into details on how this can be abused by an attacker to insert arbitrary headers and the impact of this type of attack.

As companies compete with how fast new features and products can be released on the digital market, a byproduct of DevOps could be the neglect of sufficient and consistent information security throughout the pipeline – yes that means from start to the next improvement. Sure, automated security testing in production is a given, but what about during build and testing in the Continuous Integration and Continuous Delivery (CI/CD) Pipeline?

The simplest explanation is that the page takes a value and then creates a redirect to it. If /red.php?url=https://example.com created a redirect to https://example.com that would be a typical Open Redirect-vulnerability.

Inti was recently speaking at Detectify Hacker School, an event for customers where we have hacker talks and user cases presented to the audience. Afterwards our security researcher, Linus Särud, sat down with him for a hacker-to-hacker interview discussing how he got into bug bounty, his unconventional bug hunting ways and his take on why the European market is an ocean opportunity for bug bounty hunters.

For continuous coverage, we push out major Detectify security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.