
An EASM blog from Detectify

3x more subdomain takeovers now discovered

Victor Arellano / October 6, 2022

TL;DR: It’s been a busy couple of months, from several under-the-hood improvements such as better subdomain takeover discovery to new features. We’ve also shipped dozens of new tests to customers from our community of ethical hackers.

Major improvement to subdomain takeover

Today, we have over 600 unique techniques to discover subdomain takeovers across more than 2,000 Detectify customers. Identifying subdomain takeovers is tricky business: detection relies on signature-based tests, which are prone to false positives when signatures go out of date. That’s why we run our subdomain takeover tests on hundreds of thousands of customer assets every day. This continuous feedback loop keeps our repository of signatures up to date, so users get low-noise, high-accuracy results they can act on.

Our subdomain takeover tests are built internally by our own security research team, which includes Detectify’s co-founder Fredrik Nordberg Almroth. This summer, the team made some under-the-hood improvements to subdomain takeover detection, which have resulted in 3x more subdomain takeovers discovered across our global customer base. In the last two weeks, we’ve discovered over 50,000 new subdomain takeovers in customers who are using Surface Monitoring.

Wondering how comprehensive our subdomain takeover tests are? Fredrik, Co-founder and Security Researcher at Detectify, reviewed a handful of open-source tools, from ‘subjack’ to ‘aquatone’. These open-source tools are fantastic and give hackers the ability to easily monitor for subdomain takeovers. However, they are built for a particular use case and may not be suitable for all security teams. Our tool can discover 6.3 times more subdomain takeovers than many open-source tools, including various critical findings that are not widely known.
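The signature-based approach described above, and the false-positive problem that comes with it, as an added example (not Detectify’s code, and not any of the open-source tools mentioned). It audits a constructed DNS snapshot of a zone against a small signature repository: every host, CNAME record, resolver result, HTTP body and provider signature is a placeholder, the `.test` providers are not real services, and no network I/O is performed. The defensive point it makes is that a “vulnerable” verdict needs two independent signals, a CNAME to a known provider plus that provider’s unclaimed-resource evidence, while fingerprint text seen anywhere else only lands in a review queue, which is the feedback loop that keeps signatures current.

```python
"""Signature-based subdomain takeover audit over a DNS snapshot.

Added example, not Detectify's code. All hosts, records and signatures
are constructed placeholders; the ".test" providers are not real services.
No network I/O is performed: resolver results and HTTP bodies are tables.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    """What a takeover looks like for one hosting provider."""
    provider: str               # CNAME suffix that identifies the provider
    nxdomain_is_takeover: bool  # True if the provider releases DNS names of deleted resources
    fingerprint: Optional[str]  # body text the provider serves for unclaimed resources


# Constructed signature repository (placeholder providers).
SIGNATURES = (
    Signature("pages.hosting-a.test", False, "There isn't a site here"),
    Signature("bucket.storage-b.test", False, "NoSuchBucket"),
    Signature("apps.paas-c.test", True, None),
)

# Constructed snapshot of the audited zone: subdomain -> CNAME target.
ZONE = {
    "docs.example.com": "docs-old.pages.hosting-a.test",
    "assets.example.com": "assets.bucket.storage-b.test",
    "legacy.example.com": "legacy-app.apps.paas-c.test",
    "www.example.com": "www.bucket.storage-b.test",
    "blog.example.com": "blog.unrelated-cdn.test",
}

# Constructed resolver view: CNAME targets that currently resolve.
RESOLVABLE = {
    "docs-old.pages.hosting-a.test",
    "assets.bucket.storage-b.test",
    "www.bucket.storage-b.test",
    "blog.unrelated-cdn.test",
}

# Constructed HTTP bodies fetched from each subdomain (none for legacy: it does not resolve).
BODIES = {
    "docs.example.com": "<h1>There isn't a site here</h1>",
    "assets.example.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "www.example.com": "<html>Welcome to example.com</html>",
    "blog.example.com": "There isn't a site here",  # same text, but on a host outside the signature set
}


def match_provider(cname: str, signatures: Iterable[Signature]) -> Optional[Signature]:
    """Return the signature whose provider suffix matches the CNAME target, if any."""
    return next((s for s in signatures if cname.endswith("." + s.provider)), None)


def check_record(cname: str, resolves: bool, body: str,
                 signatures: Iterable[Signature]) -> Tuple[str, str]:
    """Classify one CNAME record as vulnerable / suspect / clean, with a reason.

    'vulnerable' requires two independent signals: the CNAME points at a known
    provider AND that provider's unclaimed-state evidence (NXDOMAIN or fingerprint)
    is present. Fingerprint text on a host outside the provider list is only
    'suspect': stale signature text turning up elsewhere is the usual false positive.
    """
    sig = match_provider(cname, signatures)
    if sig is None:
        if any(s.fingerprint and s.fingerprint in body for s in signatures):
            return "suspect", "fingerprint text without a known provider CNAME; review the signature"
        return "clean", "CNAME target is not a known takeover-prone provider"
    if not resolves:
        if sig.nxdomain_is_takeover:
            return "vulnerable", f"dangling CNAME: {cname} does not resolve and {sig.provider} releases names"
        return "suspect", f"dangling CNAME to {sig.provider}, but that provider does not release names"
    if sig.fingerprint and sig.fingerprint in body:
        return "vulnerable", f"{sig.provider} serves its unclaimed-resource page for this name"
    return "clean", f"CNAME to {sig.provider} resolves to a claimed resource"


def audit_zone(zone: Dict[str, str], resolvable: set, bodies: Dict[str, str],
               signatures: Iterable[Signature] = SIGNATURES) -> Dict[str, Tuple[str, str]]:
    """Run check_record over every CNAME in the snapshot."""
    return {
        name: check_record(cname, cname in resolvable, bodies.get(name, ""), signatures)
        for name, cname in zone.items()
    }


def signature_review_queue(results: Dict[str, Tuple[str, str]]) -> list:
    """Names whose verdict is 'suspect': the feedback that keeps signatures current."""
    return sorted(name for name, (verdict, _) in results.items() if verdict == "suspect")


if __name__ == "__main__":
    results = audit_zone(ZONE, RESOLVABLE, BODIES)
    for name, (verdict, reason) in results.items():
        print(f"{verdict:10} {name:22} {reason}")
    print("signatures to review:", signature_review_queue(results))
```

In the constructed zone, `docs` and `assets` are flagged because a known provider is serving its unclaimed page, `legacy` because its CNAME target no longer resolves at a provider that releases names, `www` is clean because the same provider is serving a claimed resource, and `blog` only enters the review queue: the matching text sits on a host no signature knows, so it is evidence that a signature needs checking rather than a finding.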

Detectify customers can expect more subdomain takeover findings produced, and we recommend users check out our knowledge base to learn more about it.

Bulk vulnerabilities now load 80% faster

Earlier this year, we made it possible for users to access large volumes of vulnerability findings from the UI. This means users can easily change the status of large volumes of vulnerabilities (including subdomain takeovers), for example to “fixed” or “accepted risk.” We observed that rendering such large volumes of vulnerabilities was slow. We’ve now made it 80% faster to view 500 vulnerabilities on a single page.

Still getting acquainted with the vulnerabilities view? Check out our knowledge base to learn how you can take action on the most critical information.

Product improvements

  • New UI for Recorded Login Validator. Improvements include screenshots of the last page reached while performing the login flow, detailed error messages with troubleshooting suggestions for each error, and warnings about potential issues.
  • More detailed failed-scan descriptions. Application Scanning users will now see better details in the UI on why a scan failed.
  • Improvements to Organization in the UI. The “Members” page is now found under the new “Organization” navigation item in the Team Menu.

Recently added crowdsourced vulnerabilities

Here is a list of all new medium, high, and critical severity modules added in recent days from our community of ethical hackers. You can find a complete list of new vulnerabilities added to Surface Monitoring and Application Scanning by viewing the “What’s New?” section in the tool.

  • CVE-2022-38463: ServiceNow XSS
  • CVE-2022-36883: Jenkins Plugin “Git” Lack of Authentication For Webhook
  • CVE-2022-32195: Open edX XSS
  • CVE-2022-31798: Linear Solutions eMerge XSS
  • CVE-2022-31656: VMware Workspace ONE Access and Identity Manager Authentication Bypass
  • CVE-2022-31269: Linear Solutions eMerge Credentials Disclosure
  • CVE-2022-26138: Atlassian Confluence App “Questions for Confluence” Hardcoded Password
  • CVE-2022-2414: FreeIPA XXE
  • CVE-2022-1386: WordPress Plugin “Avada Theme” SSRF
  • CVE-2022-0169: WordPress Plugin “Photo Gallery by 10Web / Mobile-Friendly Image Gallery” (photo-gallery) SQLI
  • CVE-2021-42013: Apache HTTP Server Path Traversal
  • CVE-2021-41749: CraftCMS SEOmatic SSTI
  • CVE-2021-20660: SolarView Compact XSS
  • CVE-2020-9757: CraftCMS SEOmatic SSTI
  • CVE-2020-8772: WordPress Plugin “InfiniteWP Client” (iwp-client) Authentication Bypass
  • CVE-2019-10692: WordPress Plugin “WP Google Maps” (wp-google-maps) SQLI
  • CVE-2018-14716: CraftCMS SEOmatic SSTI
  • Adobe Experience Manager MCM Admin Exposure
  • Adobe Experience Manager Misc Admin Exposure
  • Adobe Experience Manager Security Groups Exposure
  • Adobe Experience Manager Security Users Exposure
  • Apache HTTP Server Configuration Exposure
  • Grandstream Default Credentials
  • Jboss JUDDI Exposure
  • Jenkins Username Disclosure
  • Pypi API key disclosure
  • Swagger UI DOM XSS
  • Umbraco Install Exposure
  • Webalizer Exposure
  • WordPress Engine: Cache Poisoned Denial Of Service
  • WordPress Plugin “Ninja Forms Contact Form / The Drag and Drop Form Builder for WordPress” (ninja-forms) Form Submissions Exposure

Log in to get an overview of what is exposed on your attack surface.

Join our team

We’re hiring engineers, product managers, sales, & more! Learn more.