Detectify Labs

Our guest blogger and Detectify Crowdsource hacker Evgeny Morozov explains how he bypassed Detectify’s domain control verification by using DNS response spoofing.

Detectify Crowdsource DNS spoofing vulnerability

TL;DR The Facebook malware that spread last week was dissected in a collaboration with Kaspersky Labs and Detectify. We were able to get help from the involved companies and cloud services to quickly shut down parts of the attack to mitigate it as fast as possible.

Chrome Chrome extensions Facebook Frans Rosén XSS

Many have seen the video where vexal modifies his Porsche 911 to run DOOM. It is the same guy who used a toaster to control a PC game a few years ago. How technically accurate these videos are can be discussed, but the underlying creativity is hard to question. Naturally, when we saw the video, we did not want to lag behind, but what is the best way to respond to something like this? Inventing the DOM DOOM XSS, of course!

Tesla XSS

TL;DR: Setting up access control of AWS S3 consists of multiple levels each with its own unique risk of misconfiguration. We will go through the specifics of each level and identify the dangerous cases where weak ACLs can create vulnerable configurations impacting the owner of the S3-bucket and/or through third party assets used by a lot of companies. We also show how to do it properly and how to monitor for these sorts of issues.

AWS bug bounty Frans Rosén privacy XSS

Our guest blogger and Detectify Crowdsource hacker ak1t4 explains how he discovered and reported a persistent XSS vulnerability on Teamtailor that affected thousands of career sites – including Detectify’s external career site. Teamtailor patched the vulnerability within one day after the issue had been reported.

Detectify Crowdsource Persistent XSS Team Tailor XSS

BountyDash was created by @fransrosen and @avlidienbrunn to create a better overview of your bug bounty rewards. By tagging all your reports in the tool you’re also able to categorize all vulnerability types, plotting up a graph around your activity cross platforms and get forecasts around your future findings. Everything runs locally and there are import scripts you can run to fetch the data from each platform.

bug bounty Frans Rosén Github Mathias Karlsson

My stance on login/logout CSRF has changed. I, like many others, used to quickly dismiss them as a non-security issue. However, there are several situations where they could become a security issue.

TLDR; I was able to create a malicious page that would reconnect your Slack WebSocket to my own WebSocket to steal your private Slack token. Slack fixed the bug in 5 hours (on a Friday) and paid me $3,000 for it.

Frans Rosén postmessage Slack

SQL Injection in INSERT can be used not only to extract data, but also add/modify data in the table used in the query. This post describes how.

Mathias Karlsson SQL Injection

Our guest blogger and Detectify Crowdsource hacker Karim Rahal explains how he discovered and reported a stored XSS vulnerability that affected over a million of websites.

Older

Guest blog: Bypassing domain control verification with DNS response spoofing

Dissecting the Chrome Extension Facebook malware

How we invented the Tesla DOM DOOM XSS

A deep dive into AWS S3 access controls – taking full control over your assets

How I found a persistent XSS affecting thousands of career sites

BountyDash - A local bug bounty statistics dashboard

Login/logout CSRF: Time to reconsider?

Hacking Slack using postMessage and WebSocket-reconnect to steal your precious token

SQLi in INSERT worse than SELECT

Stored XSS-ing Millions Of Sites Through HTML Comment Box