What HPKP is but isn’t
So should you use HPKP? Yes, you should. If you pin correctly, the chance of everything going south is pretty small.
The online whiteboard of Kristofer Palmvik
AWS did not perform any conflict check between regular domains and trailing dot domains. Some browsers hide the URL completely using Extended Validation (EV) SSL. Combined, these issues created some interesting attack vectors.
The Facebook malware that spread last week was dissected in a collaboration with Kaspersky Lab and Detectify
In the US, you would never use your phone number as a security question because anyone could look it up. However, you would have no problem using the SSN as a security question.
If an attacker finds an HTML injection on your website and you allow Google Analytics in the CSP, they are able to inject an image making an event request to Google Analytics
the ability to bypass the account level permissions set within the application and call queries through GraphQL that are normally only allowed to be called by administrators. I call this "smuggling" queries but there is probably a much more technical explanation