Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

tl;dr – CVE-2019-11043 PHP-FPM & NGINX RCE was publicly disclosed and a Proof-of-Concept exploit code was made available on GitHub. We received the report from our Crowdsource community, and now the CVE-2019-11043 Nginx/PHP-FPM RCE vulnerability is detected by Detectify. Nginx is a common web server used to run web applications. PHP-FPM (FastCGI Process Manager) is a processor for PHP scripts that is efficient at handling heavy website traffic and is commonly used by websites that have e.g.

October is Cyber Security Awareness month, and a good time for organizations and anyone who uses the Internet (yes that means everyone) to review security best practices, for a safer user experience. Based on the current state of the Internet, here are our best tips for a better online browsing experience, for website guardians and end users.

Detectify now has a built-in detection for vBulletin RCE CVE-2019-16759, thanks to a report from our Crowdsource community. Last week, a proof-of-concept exploit for a Remote Code Execution (RCE) vulnerability for vBulletin forum software CVE 2019-16759 was disclosed publicly. The vulnerability was exploited in the wild and actively being exploited by malicious attackers.

Finding a zero-day (0-day) is probably one of the best feelings in the world for a hacker, and sometimes we receive these submissions through Detectify Crowdsource, our bug bounty platform. This article will explain how Detectify handles 0-days with transparency to responsibly work with vendors, researchers and customers with the disclosure.

Karim Rahal, Detectify Crowdsource hacker, is a 17-year-old web-hacker who has been hacking for the greater part of his teenager years. At age 13, he started to responsibly disclose vulnerabilities—and he even blogged about one he found in Spotify! Karim still makes time for bug bounty programs, despite school. We asked Karim to tell us why Firefox is the best choice from a white hat hacker’s point-of-view.

Detectify Crowdsource hacker, Alyssa Herrera, is a full-time bug bounty hacker and web application security researcher who works to protect organizations. She was one of several Crowdsource hackers to submit a working proof of concept for File Disclosure in Pulse Secure Connect (CVE-2019-11510). This guest blog post will walk through how she developed an exploitable-payload for this vulnerability.

The backend developer team at Detectify has been working with Go for some years now, and it’s the language chosen by us to power our microservices. We think Go is a fantastic language and it has proven to perform very well for our operations. It comes with a great tool-set, such as the tool we’ll touch on later on called pprof. However, even though Go performs very well, we noticed one of our microservices had a behavior very similar to that of a memory leak.

Pulse Secure and Fortinet have announced advisories detailing a critical vulnerability found that enables an unauthenticated user to conduct file disclosure in SSL VPN. Thanks to Detectify Crowdsource hackers, Detectify checks your website for these vulnerabilities and will alert you if your version of Pulse Secure or Fortinet gateway is affected.

Good security starts with knowing your web assets. To enable transparency over your tech stack, we have released Asset Inventory, a new view that helps you prioritize security issues and collaborate across teams to stay on top of your web asset security. This release is the first step towards broader asset tracking functionality in Detectify.