July 2020 Summaries
4 posts from Detectify
Filter
Month:
Year:
Post Summaries
Back to Blog
Web cache poisoning is a cybersecurity threat that involves tricking a web cache into storing malicious content, which is then served to other users. This threat arises when web applications use unkeyed inputs—such as query strings, header values, and cookie values—that affect the response but are not part of the cache key. This vulnerability can lead to issues like stored cross-site scripting (XSS), open redirects, and denial-of-service attacks. The problem often occurs when a cache is implemented without a thorough understanding of how inputs affect response content, allowing attackers to exploit unkeyed inputs. Mitigation strategies include caching only static resources and ensuring all inputs that affect responses are either removed or included in the cache key. Tools like Arjun, Param Miner, and services like Detectify can help identify and address these vulnerabilities.
Jul 28, 2020
1,392 words in the original blog post.
Detectify, a cybersecurity company based in Sweden, has obtained the ISO/IEC 27001:2013 certification, which is an internationally recognized standard for information security management systems. This certification underscores Detectify's dedication to maintaining high standards in information security and data protection, involving all employees in security training and designating Security Champions across the organization. The certification confirms that Detectify's operations and products adhere to stringent information security protocols, emphasizing a risk-based approach and including policies for incident management, education, training, and supplier evaluation. CEO Rickard Carlsson highlights the company's commitment to security as a collective responsibility, ensuring trust by handling sensitive security information with care.
Jul 14, 2020
341 words in the original blog post.
Detectify releases major security updates every two weeks, incorporating new findings and enhancements from its security researchers and a community of ethical hackers. While not all updates can be disclosed due to confidentiality agreements, they are promptly integrated into the scanner for user access. Recent improvements include addressing CVE-2020-13662, an open redirect vulnerability in Drupal, CVE-2020-9757, a server-side template injection in Craft CMS's SEOmatic component, and CVE-2020-5902, vulnerabilities within the F5 BIG-IP's Traffic Management User Interface that permit arbitrary command execution and local file reading. Additionally, CVE-2020-4038, a cross-site scripting vulnerability in the Prisma GraphQL Playground IDE, is covered, alongside a browser cache SOP bypass vulnerability which could expose sensitive user information on sites with misconfigured CORS policies. Users are encouraged to begin scanning for these vulnerabilities and can start a free trial or log in to check their assets.
Jul 13, 2020
383 words in the original blog post.
Misconfigurations, often resulting from human errors during the setup of web applications, pose significant security risks by exposing systems to potential exploitation by hackers. These vulnerabilities may arise from incorrect application settings, failure to follow security guidelines, or accidentally leaving sensitive files accessible to the public. Common examples include default credentials, information disclosure due to incorrect environment settings, and file disclosure. Hackers exploit these weaknesses, even in systems with strong security standards, as misconfigurations can provide easy access points. However, misconfigurations are also relatively easy to rectify by adjusting the settings to eliminate the security vulnerability. Continuous monitoring and adherence to security best practices are crucial in preventing misconfigurations and safeguarding systems, with tools like Detectify offering assistance in identifying such issues.
Jul 08, 2020
664 words in the original blog post.