AuthN/AuthZ has always been a minefield, especially with SSO and transitive trust. MCP adds even more layers (agents, remote servers, pooled access), increasing the risk of subtle but high-impact vulnerabilities. In this Teleport-sponsored deep dive, Doyensec's Francesco Lacerenza examines MCP attack vectors, trust boundaries, and why enterprise deployments must scrutinize every step of the authorization chain - from token issuance and scope enforcement to agent delegation and identity mapping. 🔗 https://lnkd.in/gbZR3PbB #doyensec #appsec #ai #teleport
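The three links in the chain the post names (a token bound to the server that receives it, per-tool scope enforcement, and delegated agent calls that still map back to an end user) as an added Python example. This is illustrative code written for this page, not code from the Doyensec article or from Teleport; the HS256 token format, the shared signing key, the server identifier in `THIS_SERVER`, the tool-to-scope table and the `act` delegation claim (the shape used by OAuth 2.0 Token Exchange, RFC 8693) are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example only: a real MCP server would verify the
# issuer's asymmetric signature (JWKS), not a shared HMAC secret.
SIGNING_KEY = b"demo-shared-secret"
THIS_SERVER = "https://mcp.example.internal/"  # resource identifier expected in `aud`

# Assumed mapping of tool name -> required OAuth scope (the article names no tools).
TOOL_SCOPES = {
    "read_ticket": "tickets:read",
    "close_ticket": "tickets:write",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Issue a constructed HS256 JWT. Stands in for the authorization server."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def authorize_tool_call(token: str, tool: str, now=None):
    """Return (allowed, reason-or-subject) for one tool invocation.

    Order matters: signature, expiry and audience are checked before any
    claim is trusted; scope is checked per tool, not per server; a
    delegated token must still name the human it acts for."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return False, "expired"
    # Audience binding: a token minted for another resource (e.g. the upstream
    # API the agent also calls) must not be accepted here, or the MCP server
    # becomes a confused deputy that passes tokens through.
    if claims.get("aud") != THIS_SERVER:
        return False, "audience mismatch"
    required = TOOL_SCOPES.get(tool)
    if required is None:
        return False, "unknown tool"
    if required not in claims.get("scope", "").split():
        return False, f"missing scope {required}"
    # Delegation: when an agent acts on behalf of a user (`act` present), the
    # end-user identity must be present so authorization maps to a person,
    # not to the agent's own service identity.
    if "act" in claims and not claims.get("sub"):
        return False, "delegated token without subject"
    return True, claims["sub"]


def demo() -> dict:
    """Exercise the checks with constructed tokens at a fixed clock."""
    now = 1_700_000_000
    base = {"iss": "https://idp.example.internal", "sub": "alice", "exp": now + 600}
    good = mint_token({**base, "aud": THIS_SERVER, "scope": "tickets:read"})
    wrong_aud = mint_token({**base, "aud": "https://api.example.internal/",
                            "scope": "tickets:read tickets:write"})
    delegated_no_user = mint_token({"iss": base["iss"], "sub": "", "exp": now + 600,
                                    "aud": THIS_SERVER, "scope": "tickets:read",
                                    "act": {"sub": "agent-7"}})
    return {
        "read_ok": authorize_tool_call(good, "read_ticket", now),
        "write_denied": authorize_tool_call(good, "close_ticket", now),
        "passthrough_denied": authorize_tool_call(wrong_aud, "read_ticket", now),
        "delegation_denied": authorize_tool_call(delegated_no_user, "read_ticket", now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The audience check is the one most often skipped in practice: a token that is valid for the upstream API is not thereby valid for the MCP server in front of it, and accepting it lets any client that holds an upstream token drive tools it was never granted. In a production deployment the `aud` value comes from the resource indicator the client requested (RFC 8707) and the signature is verified against the issuer's published keys.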
Doyensec
Information Technology & Services
San Francisco, California 2,291 followers
We work at the intersection of software development and offensive engineering to help companies craft secure code.
About us
Doyensec is an independent security research and development company focused on vulnerability discovery and remediation. We discover vulnerabilities others cannot and help mitigate risk by providing actionable solutions. In other words, we're an offensive security firm working with the frame of reference of a blue team. Thanks to our work, we enable trust in our clients' products and evolve the resilience of the digital ecosystem. Doyensec was founded in 2017 by John Villamil and Luca Carettoni and they are its only stakeholders. The company exists to further the passion and focus of its creators. We keep a small dedicated client base and expect to develop long term working relationships with the projects and people with whom we work.
- Website: https://www.doyensec.com
- Industry: Information Technology & Services
- Company size: 11-50 employees
- Headquarters: San Francisco, California
- Type: Privately Held
- Founded: 2017
- Specialties: information security, application security, pentesting, security audit, reverse engineering, and security automation
Locations
- Primary: 350 Townsend St, 840, San Francisco, California 94107, US
- Ul. Florianska 6, Suite 1B, Warsaw, 03-707, PL
Updates
Check out the latest edition of Paged Out! featuring Doyensec's own Bartłomiej Górkiewicz vibing on reversing Python bytecode, along with plenty of other great articles! https://lnkd.in/eSjuNc-i #appsec #doyensec #security #reversing #pagedout
🔎 Security researchers: stop spending hours guessing what’s running under the hood of the #GraphQL APIs you're testing. With InQL’s Engine Fingerprinter in Burp Suite, you can identify the GraphQL engine in seconds, giving you immediate insight into the stack you’re working with. This way you can focus on uncovering real vulnerabilities, rather than second-guessing technology, and you can streamline assessments from start to finish. Stay efficient. Stay informed. Test smarter. 🚀 Blog: https://lnkd.in/gtKZk7ar Download: https://lnkd.in/dAdvA2e #AppSec #Doyensec #GraphQLSecurity #InQL #BugBounty #BurpSuite
🚀 Introducing SafeUpdater by Michael J. Pastor. SafeUpdater is a security-focused update framework for Electron applications, designed with a clear goal: put integrity, authenticity, and attacker-aware design at the center of the update process. Inspired by the update mechanisms used by Signal Desktop, SafeUpdater is implemented as a modular updater that demonstrates how to build update pipelines around explicit threat models and concrete attack mitigations. Importantly, SafeUpdater is a reference design meant to help developers, security engineers, and product teams understand how secure software updates should actually be built - with cryptographic verification, trust boundaries, and adversaries in mind. If you’re building or securing Electron apps and care about security, SafeUpdater is absolutely worth exploring. https://lnkd.in/gDA-XiYB #AppSec #Doyensec #Electron #security
Doyensec reposted this
Working with GraphQL and not sure where to start? 🤔 InQL, developed by Doyensec, helps you explore GraphQL APIs by extracting schemas and visualising queries. An extremely effective tool for understanding and hacking GraphQL 👉 https://lnkd.in/dAdvA2e #BugBountyTips
Missed Szymon Drosdzol’s talk on “API Authorization Antipatterns” at CONFidence (@confidenceconf), or just want to revisit it? You’re in luck! The full recording is now live 🎥 👉 https://lnkd.in/gVA_Kvgu In this session, Szymon breaks down real-world authorization mistakes that lead to serious API vulnerabilities, and how to avoid them in modern applications. #appsec #doyensec #security #APIs #CONFidence
CONFidence 2025: Szymon Drosdzol - API Authorization Antipatterns
Humans vs. AI — who really wins in application security? We put both to the test in our latest blog post, where our security researchers went head-to-head with AI-powered tools during a real-world security assessment of the open-source Outline wiki. The results might surprise you 👀 From coverage gaps to human-driven insight, this experiment shows where automation shines — and where expert-led testing still makes the difference. 👉 Read the full breakdown: https://lnkd.in/gm953_rF #appsec #doyensec #opensource #outline #AI #securitytesting
🎯 Make XSS hunting easier and faster In the latest video in our Eval Villain series, Dennis Goodlett demonstrates how the “needles” feature can dramatically speed up your search for DOM-based XSS and other injection points. If you’re doing client-side security testing, this is a great example of how the right tooling can remove friction and help you focus on what matters: finding real vulnerabilities. 👉 Watch here: https://lnkd.in/geuM-jJ6 #AppSec #Doyensec #BugBounty #XSS
Efficient sink mapping with needles
We’re proud to announce that Doyensec is sponsoring the UC Davis Cyber Security Club. Supporting student-led security communities is a key part of our mission, and we’re excited to help empower the next generation of cybersecurity professionals. Learn more about the club and our sponsorship: https://lnkd.in/gnWAmqiw #appsec #doyensec #cybersecurity #infosec #UCDavis
In our latest blog post, Szymon Drosdzol provides an in-depth walkthrough of using the #Frida toolkit to demonstrate the right way to intercept OkHTTP traffic. The article covers practical techniques for dynamically instrumenting Android apps, understanding network flows, and avoiding common pitfalls when analyzing encrypted traffic. This is essential reading for anyone involved in #Android security research, mobile pentesting, or reverse engineering. If you work with mobile apps and want to level up your runtime analysis skills, this one’s for you. 🚀 Check it out today: https://lnkd.in/gS5nKthj