Product update: Dynamic API Scanning, Recommendations & Classifications, and more
We know the importance of staying ahead of threats. At Detectify, we’re committed to providing you with the tools you need to secure your applications …
Detectify
For continuous coverage, we push out major Detectify security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.
The following are some of the security vulnerabilities reported by Detectify Crowdsource ethical hackers. We added these tests to the Detectify scanner tool on 17 April.
CGI Servlets are by disabled by default on a Tomcat installation. However, if one would enable this feature without having to disable enableCmdLineArguments it leads to RCE. This became public a few days ago and was quickly submitted by several Crowdsource researchers.
To quote the advisory:
“There was a server-side template injection vulnerability in Confluence Server and Data Center, in the Widget Connector. An attacker is able to exploit this issue to achieve path traversal and remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.”
A backdoor was discovered by Snyk in the gem bootstrap-sass. It makes it possible to send crafted cookies that are then decoded and executed as code.
After receiving a Crowdsource submission about it we have improved the support for handling meta-data in files found during crawling, in this case Office documents. This data can show information about the authors or system it was created on that is not intended to be public.
We know the importance of staying ahead of threats. At Detectify, we’re committed to providing you with the tools you need to secure your applications …
What if we told you that our newly released API Scanner has 922 quintillion payloads for a single type of vulnerability test? A quintillion is …