Introduction
Trivial C# Random Exploitation
SCIM Hunting - Beyond SSO
CSPT Resources
!exploitable Episode Two - Enter the Matrix
Common OAuth Vulnerabilities
In my previous blog post, I demonstrated how a JSON file could be used as a gadget for Client-Side Path Traversal (CSPT) to perform Cross-Site Request Forgery (CSRF). That example was straightforward because no file upload restriction was enforced. However, real-world applications often impose restrictions on file uploads to ensure security.
ksmbd vulnerability research
Doyensec’s Maxence Schmitt recently built a
Windows Installer, Exploiting Custom Actions
Exploiting Client-Side Path Traversal to Perform Cross-Site Request Forgery - Introducing CSPT2CSRF
Single Sign-On Or Single Point of Failure?
Product Security Audits vs. Bug Bounty
Internship Experiences at Doyensec
Background
We are releasing a previously internal-only tool to improve Infrastructure as Code (IaC) analysis and enhance Visual Studio Code, allowing real-time collaboration during manual code analysis activities. We’re excited to announce that PoIEx is now available on GitHub.
During testing activities, we usually analyze the design choices and context needs in order to suggest applicable remediations depending on the different Kubernetes deployment patterns. Scheduling is often overlooked in Kubernetes designs. Typically, various mechanisms take precedence, including, but not limited to, admission controllers, network policies, and RBAC configurations.
Hello, folks! We’re back with an exciting update on Session Hijacking Visual Exploitation (SHVE) that introduces an insidious twist to traditional exploitation techniques using Office documents. We all know how Office documents laced with macros have been a longstanding entry point for infiltrating systems. SHVE now takes a step further by leveraging XSS vulnerabilities and the inherent trust users have in websites they regularly visit.
There is a ton of code that is not worth your time and brain power. Binary
Greetings, folks! Today, we’re thrilled to introduce you to our latest tool: Session Hijacking Visual Exploitation, or SHVE. This open-source tool, now available on our GitHub, offers a novel way to hijack a victim’s browser sessions, utilizing them as a visual proxy after hooking via an XSS or a malicious webpage. While some exploitation frameworks, such as BeEF, do provide hooking features, they don’t allow remote visual interactions.
We’re thrilled to pull back the curtain on the latest iteration of our
Back in 2019, we were lucky enough to take part in the newly-launched Huawei mobile bug bounty. For that, we decided to research Huawei’s Themes.
In an era defined by instant gratification, where life zips by quicker than a teenager’s TikTok scroll, WebSockets have evolved into the heartbeat of web applications. They’re the unsung heroes in data streaming and bilateral communication, serving up everything in real-time, because apparently, waiting is so last century.
From The Previous Episode… Have you solved the CloudSecTidbit Ep. 2 IaC lab?
Logistics and shipping devices across the world can be a challenging task, especially when dealing with customs regulations. For the past few years, I have had the opportunity to learn about these complex processes and how to manage them efficiently. As a Practice Manager at Doyensec, I was responsible for building processes from scratch and ensuring that our logistics operations ran smoothly.
R2pickledec is the first pickle decompiler to support all instructions up to
As more companies develop in-house services and tools to moderate access to production environments, the importance of understanding and testing these Zero Touch Production (ZTP) platforms grows. This blog post aims to provide an overview of ZTP tools and services, explore their security role in DevSecOps, and outline common pitfalls to watch out for when testing them.
Anatomy Of A Modern Day Crypto Scam
Server Side Request Forgery (SSRF) is a fairly known vulnerability with established prevention methods. So imagine my surprise when I bypassed an SSRF mitigation during a routine retest. Even worse, I had bypassed a filter that we had recommended ourselves! I couldn’t let it slip and had to get to the bottom of the issue.
Arbitrary file write (AFW) vulnerabilities in web application uploads can be a powerful tool for an attacker, potentially allowing them to escalate their privileges and even achieve remote code execution (RCE) on the server. However, the specific tactics that can be used to achieve this escalation often depend on the specific scenario faced by the attacker. In the wild, there can be several scenarios that an attacker may encounter when attempting to escalate from AFW to RCE in web application...
PESD Exporter is now public!
From The Previous Episode… Did you solve the CloudSecTidbit Ep. 1 IaC lab?
During our audits we occasionally stumble across ImageMagick security policy configuration files (policy.xml), useful for limiting the default behavior and the resources consumed by the library. In the wild, these files often contain a plethora of recommendations cargo-culted from around the internet. This normally happens for two reasons:
Do you need a Go HTTP library to protect your applications from SSRF attacks? If so, try safeurl.
At Doyensec, the application security engineer recruitment process is 100% remote. As the final step, we used to organize an onsite interview in Warsaw for candidates from Europe and in New York for candidates from the US. It was like that until 2020, when the Covid pandemic forced us to switch to a 100% remote recruitment model and hire people without meeting them in person.
I spared a few hours over the past weekend to look into the exploitation of this Visual Studio Code .ipynb Jupyter Notebook bug discovered by Justin Steven in August 2021.
Introduction to the series
There are many security solutions available today that rely on the Extended Berkeley Packet Filter (eBPF) features of the Linux kernel to monitor kernel functions. Such a paradigm shift in the latest monitoring technologies is being driven by a variety of reasons. Some of them are motivated by performance needs in an increasingly cloud-dominated world, among others. The Linux kernel always had kernel tracing capabilities such as kprobes (2.6.9), ftrace (2.6.27 and later), perf (2.6.31), or up...
As promised in November 2021 at the Hack In The Box #CyberWeek event in Abu Dhabi, we’re excited to announce that ElectroNG is now available for purchase at https://get-electrong.com/.
Throughout the Summer of 2022, I worked as an intern for Doyensec. I’ll be describing my experience with Doyensec in this blog post so that other potential interns can decide if they would be interested in applying.
On Feb 9th, 2022 PortSwigger announced Alex Birsan’s Dependency Confusion as the winner of the Top 10 web hacking techniques of 2021. Over the past year this technique has gained a lot of attention. Despite that, in-depth information about hunting for and mitigating this vulnerability is scarce.
The database platform Apache Pinot has been growing in popularity. Let’s attack it!
As crazy as it sounds, we’re releasing a casual free-to-play mobile auto-battler for Android and iOS. We’re not changing line of business - just having fun with computers!
With the increasing popularity of GraphQL on the web, we would like to discuss a particular class of vulnerabilities that is often hidden in GraphQL implementations.
When thinking of Denial of Service (DoS), we often focus on Distributed Denial of Service (DDoS), where millions of zombie machines overload a service by launching a tsunami of data.
ElectronJS is getting more secure every day. Context isolation and other security settings are planned to become enabled by default with the upcoming release of Electron 12 stable, seemingly ending the somewhat deserved reputation of a systemically insecure framework.
This is the first in a series of non-technical blog posts aiming at discussing the opportunities and challenges that arise when running a small information security consulting company. After all, day to day life at Doyensec is not only about computers and stories of breaking bits.
The Wi-Fi Direct specification (a.k.a. “peer-to-peer” or “P2P” Wi-Fi) turned 10 years old this past April. This 802.11 extension has been available since Android 4.0 through a dedicated API that interfaces with a device’s built-in hardware, which connects directly to other devices via Wi-Fi without an intermediate access point.
We’re very happy to announce that a new major release of InQL is now available on our Release Page.
This blog post illustrates a vulnerability affecting the Play framework that we discovered during a client engagement. This issue allows a complete Cross-Site Request Forgery (CSRF) protection bypass under specific configurations.
InQL dyno-mites release
A good part of my research time at Doyensec was devoted to building a flexible ASN.1 grammar-based fuzzer for testing TLS certificate parsers.
A few months ago I came across a curious design pattern on Google Scholar. Multiple screens of the web application were fetched and rendered using a combination of location.hash parameters and XHR to retrieve the supposed templating snippets from a relative URI, rendering them on the page unescaped.
The story of a fuzzing integration reward
This is the story of how I stumbled upon a code execution vulnerability in the Visual Studio Code Python extension. It currently has 16.5M+ installs reported in the extension marketplace.
This is a re-post of the original blog post published by Gravitational on the 2019 security audit results for their two products: Teleport and Gravity.
We’ve been made aware that the vulnerability discussed in this blog post has been independently discovered and disclosed to the public by a well-known security researcher. Since the security issue is now public and it is over 90 days from our initial disclosure to the maintainer, we have decided to publish the details - even though the fix available in the latest version of Electron-Builder does not fully mitigate the security flaw.
This blog post summarizes the result of a cooperation between SoloKeys and Doyensec, and was originally published on the SoloKeys blog by Emanuele Cesena.
F-Secure Internet Gatekeeper heap overflow explained
“Our moral responsibility is not to stop the future, but to shape it…”
A few months ago I stumbled upon a 2016 blog post by Mark Murphy, warning about the state of FLAG_SECURE window leaks in Android. This class of vulnerabilities has been around for a while, hence I wasn’t confident that I could still leverage the same weakness in modern Android applications. As it often turns out, I was being too optimistic. After a brief survey, I discovered that the issue still persists today in many password manager applications (and others).
In the past three years, Doyensec has been providing security testing services for some of the global brands in the cryptocurrency world. We have audited desktop and mobile wallets, exchange web interfaces, custody systems, and backbone infrastructure components.
Jackson CVE-2019-12384: anatomy of a vulnerability class
2-Day Training on How to Build Secure Electron Applications
After the first public release of Electronegativity, we had a great response from the community and the tool quickly became the baseline for every Electron app’s security review for many professionals and organizations. This pushed us forward, improving Electronegativity and expanding our research in the field. Today we are proud to release version 1.3.0 with many new improvements and security checks for your Electron applications.
During one of our projects we had the opportunity to audit a Ruby-on-Rails (RoR) web application handling zip files using the Rubyzip gem. Zip files have always been an interesting entry point for triggering multiple vulnerability types, including path traversals and symlink file overwrite attacks. As the library under testing had symlink processing disabled, we focused on path traversal exploitation.
We’re back from BlackHat Asia 2019 where we introduced a relatively unexplored class of vulnerabilities affecting Electron-based applications.
We’re excited to announce the public release of Electronegativity, an open-source tool capable of identifying misconfigurations and security anti-patterns in Electron-based applications.
Since the first commit back in 2016, burp-rest-api has been the default tool for BurpSuite-powered web scanning automation. Many security professionals and organizations have relied on this extension to orchestrate the work of Burp Spider and Scanner.
Instrumenting Electron-based applications
As part of an engagement for one of our clients, we analyzed the patch for the recent Electron Windows Protocol handler RCE bug (CVE-2018-1000006) and identified a bypass.
GraphQL - Security Overview and Testing Tips
At Doyensec, we believe that quality is the natural product of passion and care. We love what we do and we routinely take on difficult engineering challenges to help our customers build with security.
Spotlight is the all-pervasive seeing eye of the OSX userland. It drinks from a spout of file events sprayed out of the kernel and neatly indexes such things for later use. It is an amalgamation of binaries and libraries, all neatly fitted together just to give a user oversight of their box. It presents interesting attack surface and this blog post is an explanation of how some of it works.
TL;DR
Developing Burp Suite Extensions training
Windows Installer EOP (CVE-2023-21800)
Doyensec's Blog :: Doyensec is an independent security research and development company focused on vulnerability discovery and remediation.