Writeups

How I found a persistent XSS affecting thousands of career sites
Tags: Detectify Crowdsource, Persistent XSS, Team Tailor, XSS

Login/logout CSRF: Time to reconsider?
Tags: login/logout CSRF, Mathias Karlsson

Hacking Slack using postMessage and WebSocket-reconnect to steal your precious token
Tags: Frans Rosén, postmessage, Slack

SQLi in INSERT worse than SELECT
Tags: Mathias Karlsson, SQL Injection

Stored XSS-ing Millions Of Sites Through HTML Comment Box

CSP flaws: cookie fixation
Tags: Cookie fixation, CSP, Mathias Karlsson

postMessage XSS on a million sites
Tags: AddThis, Mathias Karlsson, postmessage

The pitfalls of postMessage
Tags: Mathias Karlsson, postmessage

Combining host header injection and lax host parsing serving malicious data
Tags: bug bounty, Fastly, Frans Rosén, Heroku, Mathias Karlsson

The story of EV-SSL, AWS and trailing dot domains
Tags: Frans Rosén, Hostile Subdomain takeover, SSL