What's under the hood

Technology

Detectify is the newest and most exciting SaaS vulnerability scanner on the market.

We strive to be the very bleeding edge of web application security and serve it in a way that fits companies who wish to step up from traditional and difficult installations to a click-of-a-button modern solution.

What we do

We perform automatic penetration tests against web applications, based on the OWASP Top 10 specifications, seemingly magic fingerprinting of content management systems, and the very latest trends in vulnerability research.

Features

To deliver the best quality, we check for the latest vulnerabilities; combined with having no limit on how many pages we crawl, this gives us total coverage of your site.

The Crawler

Our crawler does not have a cap on the number of URLs, unlike most of our competitors. We aim to find all unique code flows on which vulnerabilities may reside, without missing anything of relevance. We do that by finding similarities between different URLs as well as repeated content, using a sophisticated system of clustering algorithms. In other words, we crawl until there is no more content of relevance instead of stopping at a fixed number of URLs. Do you know the size of your website? Most organizations don't, as there is a large share of automatically generated and hidden pages.

Our auditing modules may also find information leakages in your platform (e.g. unlinked files), which in turn may lead to further links to crawl. We do all this to cover as much of your application as possible. We do not believe in caps.

Vulnerability Detection

We cover the OWASP Top 10. That means we find a wide variety of flaws, including SQL, LDAP, XPath and NoSQL injections, Cross-Site Scripting flaws, broken session management, remote code and command execution, malware, etc.

All our findings are classified according to the CVSSv2 specifications in order to make it easier for you as a developer to prioritize the threats.

The Infrastructure

We do all this from the Amazon AWS cloud. This means we scale our capacity with the number of users, without our scanner compromising on the effort put into your penetration tests.

The Detectify Engine

A scan is completed in six phases, each individually explained in detail below.

Information Gathering

During the initial phase we try to learn as much as possible about your infrastructure, by, for example, identifying subdomains and hosts. Anyone in your corporation may put a web application wide open to the net in the scope of your domain. Most of the time, those applications may be forgotten. We will find them.

Crawling

After collecting the initial information, Detectify will move on to crawl your web application to find as many unique URLs as possible within the scope of your domain. While doing this, we’re keeping an eye on the content to make sure that it’s of no harm to you.

Information Analysis

During this phase we analyze the collected data from the previous phases. We look for incorrectly configured login forms, error messages, database backups and other common flaws and mistakes based on static source code analysis. We also scan for malware using VirusTotal and its many anti-virus solutions.

Fingerprinting

This phase is used for extended fingerprinting of the domains and the software they run. We will, for example, try to resolve the CMS (if any), the technology stack, the operating system and so forth. All of this is used to customize the vulnerability scanning in the next phase.

Exploitation

This is what it all comes down to. Based on the information gathered in the previous phases, Detectify performs extensive tests using known pentesting methods as well as the very latest methods in web security.

Finalization

During this phase we finalize your report and remove any “false positives” that we could detect. When we’re done you will get an email with a link to your report. However, if you were curious and watched the live report, this won’t be any new information for you.

How we handle security

As we are a security company, we really care about your data and our own. We also like to be transparent about our policies and security practices. That being said, this is our model.

Encrypted data

Your password is hashed using the bcrypt key derivation function. This means that the passwords in any potential leak of user data from our servers remain protected. This is to ensure that your data will never be put at risk.

Your data is also not stored on any of our web servers; instead, we store all sensitive data on dedicated database servers, out of reach of any attacker.

Protected reports

The reports are stored on dedicated database servers out of reach of the web servers. The reports are protected from SQL injection by means of data segregation and prepared statements. If an attacker, against all odds, were to pull off a SQL injection attack, the only report data he would get would be his own.

The web servers cannot directly communicate with any report database. All layers of the service happen in different networks to reduce the risk of compromise.
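The two protections named above, prepared statements and data segregation, shown side by side in an added example that is not Detectify's code: a string-built query lets a malformed report id rewrite the WHERE clause and return another customer's report, while the bound-parameter query scoped by the session's owner id can only ever return the caller's own rows. The table layout and sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample data (not real report data): two customers, one report each.
SAMPLE_REPORTS = [
    (1, 101, "alice report"),  # report id 1 belongs to owner 101
    (2, 202, "bob report"),    # report id 2 belongs to owner 202
]


def make_db():
    """In-memory SQLite database standing in for a dedicated report database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reports (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, body TEXT)"
    )
    conn.executemany("INSERT INTO reports VALUES (?, ?, ?)", SAMPLE_REPORTS)
    return conn


def fetch_report_unsafe(conn, owner_id, report_id):
    """Vulnerable: the request parameter is spliced into the SQL text.

    A report_id such as "2 OR 1=1" rewrites the WHERE clause, so the owner_id
    filter no longer restricts the result and another customer's report leaks.
    """
    sql = f"SELECT body FROM reports WHERE id = {report_id} AND owner_id = {owner_id} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def fetch_report_safe(conn, owner_id, report_id):
    """Hardened: prepared statement with bound parameters, plus data segregation.

    owner_id comes from the authenticated session, never from the request, and is
    always part of the query, so the caller can only read their own reports.
    Non-numeric ids are rejected before they reach the database.
    """
    try:
        report_id = int(report_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT body FROM reports WHERE id = ? AND owner_id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (report_id, owner_id))]


if __name__ == "__main__":
    db = make_db()
    print(fetch_report_unsafe(db, 101, "2 OR 1=1"))  # leaks both reports
    print(fetch_report_safe(db, 101, "2 OR 1=1"))    # [] - rejected
    print(fetch_report_safe(db, 101, "1"))           # ['alice report']
```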

Secure communication

All our endpoints are encrypted using the TLS protocol suite (the successor of SSL). Even internal communication between subsystems is encrypted. We do so to really tighten up the transport security and protect you from man-in-the-middle attacks.

In fact, you cannot even visit detectify.com using cleartext HTTP in Chrome, Firefox, IE or Edge. Chances are the web browser you're currently using has a little bit of text stating that "detectify.com" is a protected domain where plaintext HTTP is not allowed.

We use DigiCert as our certificate authority.
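The browser behaviour described above, refusing cleartext HTTP for the domain outright, is what HTTP Strict Transport Security (HSTS) with preloading provides. As an added example that is not Detectify's code, this Python function checks whether a Strict-Transport-Security response header meets the preload list's requirements (a max-age of at least one year, plus the includeSubDomains and preload directives); the sample header values in the comments are constructed.

```python
ONE_YEAR = 31536000  # seconds; the HSTS preload list requires max-age of at least one year


def parse_hsts(header):
    """Split a Strict-Transport-Security value into a dict of directives.

    Directive names are lower-cased because they are case-insensitive;
    'max-age=63072000; includeSubDomains; preload' (constructed) becomes
    {'max-age': '63072000', 'includesubdomains': '', 'preload': ''}.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_problems(header):
    """Return the reasons a header falls short of preload requirements; empty means OK.

    header is the Strict-Transport-Security value from an HTTPS response, or None
    when the response carried no such header at all.
    """
    if header is None:
        return ["no Strict-Transport-Security header"]
    directives = parse_hsts(header)
    problems = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("missing or malformed max-age")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in directives:
        problems.append("missing includeSubDomains")
    if "preload" not in directives:
        problems.append("missing preload")
    return problems


if __name__ == "__main__":
    # Constructed header values, not captured from any real server.
    print(hsts_problems("max-age=31536000; includeSubDomains; preload"))  # []
    print(hsts_problems("max-age=300"))  # three shortfalls
```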

Well tested security

As we perform automated security tests, we also practice what we preach. We do our very best to keep our platform protected against the latest security threats. We're a small team, and we're only human. Therefore we encourage you to report any vulnerabilities, flaws and bugs you come across by participating in our responsible disclosure program.

Questions?

Do you have any questions about our security, or perhaps your own? If so, feel free to contact us!