Doyensec
@doyensec.bsky.social
Doyensec works at the intersection of software development and offensive engineering. We discover vulnerabilities others cannot, and help mitigate the risk.
If you want, you can also RSVP via email at [email protected]
Live in or passing through #Dublin en route to #pwn2own? If you're in #appsec join #doyensec to talk #security over drinks (🍺 or ☕️) Oct. 22nd! Want to talk about our job openings or upcoming projects, that's great too!

RSVP here: docs.google.com/forms/d/1fa4...

cc: @bsidesdublin.bsky.social
In our final ksmbd research post @73696e65.bsky.social provides a detailed walkthrough for exploiting a local privilege escalation vulnerability. If you're interested in learning more about exploitation on modern systems - check it out!

blog.doyensec.com/2025/10/08/k...

#doyensec #appsec #security
🧞Your wish has been granted - the latest @pagedout.bsky.social edition is out! In it, our Szymon Drosdzol takes a quick look at #vibecoding, walking through the creation of an AI agent 🤖. Check it out today!

#doyensec #appsec #ai #Security

pagedout.institute
Paged Out!
Deeply technical zine. And it's free.
📢 Our latest blog post shows why VBScript’s Randomize + Rnd are terrible for cryptographic token generation. See how attackers can easily recover seeds and secrets.
🔗 blog.doyensec.com/2025/09/25/y...

#doyensec #appsec #security #crypto
We'd like to welcome our newest addition Marcelino "Marce" Siles Rubia! Another success story from our #internship program! The future of #appsec is looking bright 😎 at #doyensec !
📢 It's here! Part 2 of Norbert Szetei's (@73696e65.bsky.social) research into ksmbd. See how customized fuzzing & the appropriate sanitizers led to discovering 23 Linux kernel CVEs, including use-after-frees & out-of-bounds reads/writes.

blog.doyensec.com/2025/09/02/k...
#doyensec #appsec #security
📖 Read about a real-world C# #cryptography vulnerability we've discovered in the wild, in our latest blog post! No math required (unless you're into that sort of thing)!

blog.doyensec.com/2025/08/19/t...

#doyensec #appsec #security #csharp
Are you located in the US/EU? Passionate about #appsec? Maybe you follow #bugbountytips or are an avid #ctf player and are ready to take the next step. If so, we're looking for our next #intern, so consider applying today - hackers.doyensec.com.
#doyensec #security #internship
🚨Security Advisories🚨: multiple vulnerabilities in Retool, including host header injection and CSRF - discovered by Doyensec and the Robinhood Red Team!

docs.retool.com/disclosures/...

docs.retool.com/disclosures/...

#doyensec #appsec #security #retool #robinhood
Our latest 🚨Security Advisory🚨 includes multiple vulnerabilities affecting the immersed platform. The findings include an RCE via Session Overwriting, an RCE via CSRF and a Privilege Escalation flaw. Read the details here:

www.doyensec.com/resources/Do...

#doyensec #appsec #security
Just published - Our new white paper comparing Semgrep's Code and Community editions! We dove into both versions of this popular tool to see what the differences were and how they performed against each other. Check it out!
www.doyensec.com/resources/Co...

#doyensec #appsec #security #semgrep
Several members of the @doyensec.bsky.social team are heading to @tumpicon.org 🇮🇹 for our Norbert Szetei's (@73696e65.bsky.social) presentation on his awesome ksmbd security research. If you're around, make sure to talk to Luca Carettoni & the team!
#doyensec #appsec #TumpiCon

tumpicon.org
TumpiCon 2025
🚀 We have just released a new Security Advisory for @NASA's CFITSIO library 🛰️. Click the link for details on the Heap Overflow, Type Confusion, Out-of-Bound Writes & other vulnerabilities discovered by our Adrian Denkiewicz !

www.doyensec.com/resources/Do...

#doyensec #appsec #security
Thanks to inspiration and support from Teleport, Doyensec is proud to release the Security Policy Evaluation Framework, an open source tool for testing security policy engines!

github.com/gravitationa...

#doyensec #appsec #rigo #cedar #openfga #security
🚨Just posted🚨: Learn about real-world API authorization vulnerabilities we frequently see with the slides from Szymon Drosdzol's recent presentation at the CONFidence conference in Krakow.

doyensec.com/resources/CO...

#doyensec #appsec #security
We'd like to welcome 👋 Marcelino Siles Rubia as our latest Application Security Intern. Welcome aboard! 🎉

#doyensec #appsec #internship
Attending CONFidence conference in Krakow 🇵🇱 this weekend? Be sure to check out our Szymon Drosdzol's presentation - API Authorization Antipatterns: confidence-conference.org/lecture-2025...

#doyensec #appsec #confidencecon
lecture 2025 - CONFidence
Several members of the #doyensec team are here in Berlin 🇩🇪 attending 🎯Offensive Con 🎯 this weekend! Ping us or just say "hallo" in person, if you'd like to talk #appsec or grab a coffee. We're looking forward to some amazing talks!
#offensivecon #security
🚨 Advisory Alert!🚨 We've just published our Aleandro Prudenzano's advisory (in cooperation with Edoardo Geraci) regarding a heap overflow in HAProxy. Read all the details here: www.doyensec.com/research.htm...

#doyensec #appsec #security #haproxy
We'd like to welcome the latest member of our team - Diego Perez, our new Application Security Intern! Welcome aboard! 🎉

#doyensec #appsec #security #internships
Going beyond SSO, our Francesco Lacerenza decided to take a deep dive into SCIM in our latest blog post. Read it today to learn how including this user identity standard in your next test's scope can reap big rewards!

blog.doyensec.com/2025/05/08/s...

#doyensec #appsec #security #scim
Our Norbert Szetei's latest research has resulted in at least 1⃣5⃣ CVEs in ksmbd🤯, including multiple use-after-frees, bounds checks, type confusion and overflows‼️ Check it out today!

www.doyensec.com/research.htm...

#doyensec #appsec #security #linux