We're super excited to welcome Yassine Bengana to the Doyensec team!
He's bringing serious AppSec skills and great vibes - can't wait to see the cool stuff we'll break (and build) together
#AppSec #infosec #Doyensec
@doyensec.bsky.social
Doyensec works at the intersection of software development and offensive engineering. We discover vulnerabilities others cannot, and help mitigate the risk.
The #Doyensec team is back from another great retreat! This time we toured Ireland and even met a working sheep dog! What a great chance for our remote team to connect IRL! Also, a big thank you to our tour guide Antonio!
#security #appsec #remote
Going to be near Dublin this Wednesday (10/22)? Come join #Doyensec for an evening of drinks, networking, and great conversations about all things #appsec & #cybersecurity.
RSVP here: docs.google.com/forms/d/1fa4...
#Infosec #Pwn2Own #BSidesDublin #OWASPIreland #security
Just released - details on a serious vulnerability from our Leonardo Giovannini's research! An Information Disclosure allowing a remote attacker to identify security tokens/credentials when #squid is used for load balancing.
#doyensec #appsec #security #vulnerability
github.com/squid-cache/...
If you want, you can also RSVP via email at dublin@doyensec.com
14.10.2025 16:12
People chatting about appsec over drinks
Live in or passing through #Dublin en route to #pwn2own? If you're in #appsec join #doyensec to talk #security over drinks Oct. 22nd! Want to talk about our job openings or upcoming projects, that's great too!
RSVP here: docs.google.com/forms/d/1fa4...
cc: @bsidesdublin.bsky.social
In our final ksmbd research post @73696e65.bsky.social provides a detailed walkthrough for exploiting a local privilege escalation vulnerability. If you're interested in learning more about exploitation on modern systems - check it out!
blog.doyensec.com/2025/10/08/k...
#doyensec #appsec #security
Your wish has been granted - the latest @pagedout.bsky.social edition is out! In it, our Szymon Drosdzol takes a quick look at #vibecoding, walking through the creation of an AI agent. Check it out today!
#doyensec #appsec #ai #Security
pagedout.institute
Our latest blog post shows why VBScript's Randomize + Rnd are terrible for cryptographic token generation. See how attackers can easily recover seeds and secrets.
blog.doyensec.com/2025/09/25/y...
#doyensec #appsec #security #crypto
Security Advisory
Systemic SQL Injection vulnerability in pREST.
Details from our Viktor Chuchurski's bypassing the initial fix were also published:
github.com/prest/prest/...
#Doyensec #AppSec #Security #PostgreSQL #SQLInjection
Security Advisory
Systemic SQL Injection vulnerability in pREST!
Initial report details published: github.com/prest/prest/...
#Doyensec #AppSec #Security #PostgreSQL #SQLInjection
We'd like to welcome our newest addition Marcelino "Marce" Siles Rubia! Another success story from our #internship program! The future of #appsec is looking bright at #doyensec!
04.09.2025 18:53
Person typing on the keyboard with sparks coming from the screen.
It's here! Part 2 of Norbert Szetei's (@73696e65.bsky.social) research into ksmbd. See how customized fuzzing & the appropriate sanitizers led to discovering 23 Linux kernel CVEs, including use-after-frees & out-of-bounds reads/writes.
blog.doyensec.com/2025/09/02/k...
#doyensec #appsec #security
Read about a real-world C# #cryptography vulnerability we've discovered in the wild, in our latest blog post! No math required (unless you're into that sort of thing)!
blog.doyensec.com/2025/08/19/t...
#doyensec #appsec #security #csharp
Are you located in the US/EU? passionate about #appsec? Maybe you follow #bugbountytips or are an avid #ctf player and are ready to take the next step. If so, we're looking for our next #intern, so consider applying today - hackers.doyensec.com.
#doyensec #security #internship
Security Advisories: multiple vulnerabilities in Retool, including host header injection and CSRF - discovered by Doyensec and the Robinhood Red Team!
docs.retool.com/disclosures/...
docs.retool.com/disclosures/...
#doyensec #appsec #security #retool #robinhood
Our latest Security Advisory includes multiple vulnerabilities affecting the immersed platform. The findings include an RCE via Session Overwriting, an RCE via CSRF and a Privilege Escalation flaw. Read the details here:
www.doyensec.com/resources/Do...
#doyensec #appsec #security
Hands typing at a keyboard with sparks coming out of the screen.
Just published - Our new white paper comparing Semgrep's Code and Community editions! We dove into both versions of this popular tool to see what the differences were and how they performed against each other. Check it out!
www.doyensec.com/resources/Co...
#doyensec #appsec #security #semgrep
Several members of the @doyensec.bsky.social team are heading to @tumpicon.org for our Norbert Szetei's (@73696e65.bsky.social) presentation on his awesome ksmbd security research. If you're around, make sure to talk to Luca Carettoni & the team!
#doyensec #appsec #TumpiCon
tumpicon.org
We have just released a new Security Advisory for @NASA's CFITSIO library. Click the link for details on the Heap Overflow, Type Confusion, Out-of-Bound Writes & other vulnerabilities discovered by our Adrian Denkiewicz!
www.doyensec.com/resources/Do...
#doyensec #appsec #security
Thanks to inspiration and support from Teleport, Doyensec is proud to release the Security Policy Evaluation Framework, an open source tool for testing security policy engines!
github.com/gravitationa...
#doyensec #appsec #rigo #cedar #openfga #security
Just posted: Learn about real-world API authorization vulnerabilities we frequently see with the slides from Szymon Drosdzol's recent presentation at the CONFidence conference in Krakow.
doyensec.com/resources/CO...
#doyensec #appsec #security
A picture of Marcelino on a background showing "tech worker" items on a desktop.
We'd like to welcome Marcelino Siles Rubia as our latest Application Security Intern. Welcome aboard!
#doyensec #appsec #internship
Attending CONFidence conference in Krakow this weekend? Be sure to check out our Szymon Drosdzol's presentation - API Authorization Antipatterns: confidence-conference.org/lecture-2025...
#doyensec #appsec #confidencecon
Several members of the #doyensec team are here in Berlin attending Offensive Con this weekend! Ping us or just say "hallo" in person, if you'd like to talk #appsec or grab a coffee. We're looking forward to some amazing talks!
#offensivecon #security
Advisory Alert! We've just published our Aleandro Prudenzano's advisory (in cooperation with Edoardo Geraci) regarding a heap overflow in HAProxy. Read all the details here: www.doyensec.com/research.htm...
#doyensec #appsec #security #haproxy
We'd like to welcome the latest member of our team - Diego Perez, our new Application Security Intern! Welcome aboard!
#doyensec #appsec #security #internships
Going beyond SSO, our Francesco Lacerenza decided to take a deep dive into SCIM in our latest blog post. Read it today to learn how including this user identity standard in your next test's scope can reap big rewards!
blog.doyensec.com/2025/05/08/s...
#doyensec #appsec #security #scim
Our Norbert Szetei's latest research has resulted in at least 15 CVEs in ksmbd, including multiple use-after-frees, bounds checks, type confusion and overflows! Check it out today!
www.doyensec.com/research.htm...
#doyensec #appsec #security #linux
Thanks to all the people who make @BSSidesSF happen every year. We're always happy to sponsor such a great conference! All of the #Doyensec team who attended had a great time! See you next year!
#bsides #bsidessf