Victor Arellano
It’s been a busy past couple of months, from several under-the-hood improvements like improved subdomain takeovers discovery to new features. We’ve also shipped dozens of new tests to customers from our community of ethical hackers.
Today, we have over 600 unique techniques to discover subdomain takeovers across over 2,000 Detectify customers. Identifying subdomain takeovers is tricky business, as it relies on signature-based tests that are prone to false positives when signatures go out of date. That’s why we run our subdomain takeover tests on hundreds of thousands of customer assets every day. This continuous feedback loop means we keep an up-to-date repository of signatures, so users get low-noise, high-accuracy results they can take action on.
Our subdomain takeover tests are built internally by our own security research team, which includes Detectify’s co-founder Fredrik Nordberg Almroth. This summer, the team made some under-the-hood improvements to subdomain takeover discovery, which have resulted in 3x more subdomain takeovers discovered across our global customer base. In the last two weeks, we’ve discovered over 50,000 new subdomain takeovers for customers who are using Surface Monitoring.
Wondering how comprehensive our subdomain takeover tests are? Fredrik, Co-founder and Security Researcher at Detectify, reviewed a handful of open-source tools, from subjack to aquatone. These open-source tools are fantastic and give hackers the ability to easily monitor for subdomain takeovers. However, they are built for a particular use case and may not be suitable for all security teams. Our tool can discover 6.3 times more subdomain takeovers than many open-source tools, including various critical findings that are not widely known.
Detectify customers can expect more subdomain takeover findings produced, and we recommend users check out our knowledge base to learn more about it.
Earlier this year, we made it possible for users to access large volumes of vulnerability findings from the UI. This means users can easily change the status of large volumes of vulnerabilities (including subdomain takeovers) to, for example, “fixed” or “accepted risk.” We observed that rendering such large volumes of vulnerabilities was slow. We’ve now made it 80% faster to view 500 vulnerabilities on a single page.
Still getting acquainted with the vulnerabilities view? Check out our knowledge base to learn how you can take action on the most critical information.
Here is a list of all new medium, high, and critical severity modules added in recent days from our community of ethical hackers. You can find a complete list of new vulnerabilities added to Surface Monitoring and Application Scanning by viewing the “What’s New?” section in the tool.
Log in to get an overview of what is exposed on your attack surface.