Security auditing

Web Applications and APIs

Our team has decades of experience in web application security with a proven track record of vulnerabilities discovered across hundreds of products and web frameworks. We have invented new classes of attacks and co-authored the OWASP Testing Guide. We speak Java, Php, Ruby, Python, Node.Js, JavaScript, Scala, .NET, Lua and many other programming languages on the web.

When auditing web applications and APIs, we build a profile of the assets and methodically attack and track each form of input into the application. We detail how users interact with the system and model potential oversights with use and availability. Combining manual testing and custom tooling, we intercept and inspect each request and response between client and endpoint. We find well-known bug classes including Cross-Site Scripting, SQL injection, Cross-Site Request Forgery, Command Execution, Path Traversal and many more. We seek a deeper understanding of the application in order to find unexpected flaws such as business logic bugs or undisclosed vulnerabilities in the application dependencies. Findings are reported and prioritized by severity with clear remediation steps. We will find bugs, but that is just the first step in the process.

Mobile Applications

Over the course of years, we've analyzed countless mobile applications for Android, iOS and Windows Mobile. Our in-depth understanding of mobile operating system internals, together with our expertise on application-specific issues, allow us to properly evaluate risks and provide practical remediations.

Through a comprehensive process based on static analysis, instrumentation, and dynamic testing we study mobile applications from different angles. Starting at the client, we analyze the integration with the operating system to identify improper usage of resources and deviation from consolidated security designs. In this phase, we identify various problems like open permissions, insecure data storage, exposed RPC and IPC capabilities, misuse of platform's security mechanisms, weak cryptographic providers and others. By inspecting and manipulating the network traffic, we can uncover issues pertaining to authentication and authorization, insecure session management and weak transmission protocols. Lastly, we review each server-side API endpoint with a methodology similar to that used for our web application assessments.

Desktop & Server Applications

Doyensec tears apart all manner of thick clients and server daemons written in a diverse set of languages. We hit the ground running analyzing code written in C, C++, C#, Java and other languages. Our familiarity with operating systems (Windows, Mac OS X, Linux) allows us to quickly evaluate the security posture of the application and identify issues caused by interdependent components.

During review of stand-alone applications and network services, we begin by mapping out the attack surface (IPC/RPC mechanisms, sockets, user-supplied input, etc.) to clearly define the threat model. With static analysis techniques and dynamic testing/instrumentation we can understand the inner workings of the application even if custom file formats or protocols are used. We build custom tools to exercise the application behavior with our inputs, which ultimately leads to the discovery of security vulnerabilities. For fuzzing, we use internally-built tools and well-known frameworks to facilitate our audits. Stack and heap overflows, format strings, use-after-free, integer overflows, path traversal, and local privileges escalation bugs are just few examples of the vulnerabilities classes uncovered during these assessments.

Electron-based Applications

Doyensec has been involved with Electron security since the beginning of 2017. We were the first company to publish a comprehensive and detailed analysis of the Electron framework from a security point of view. Since then, we have continued to focus on Electron and remain very familiar with the codebase and the continually evolving set of weaknesses and pitfalls faced by developers. The results of our work was presented at many top-tier security conferences, including BlackHat USA 2017, OWASP AppSec 2018, BlackHat ASIA 2019 and many private events.

Doyensec is uniquely situated to perform detailed security audits of Electron-based applications. We have discovered and reported vulnerabilities in core Electron and in many applications built using this framework. During our testing, we will find design weaknesses and implementation bugs that can be leveraged to compromise Desktop applications built using web technologies. Our experience and research in this field allows us to quickly evaluate risks and provide pragmatic remediations.

GraphQL-based Applications

With the increasing number of web platforms built on top of data query and manipulation languages, such as GraphQL, Doyensec has developed a unique skill set for reviewing complicated queries and mutations. After having conducted numerous engagements in this realm, our security engineers can efficiently combine dynamic testing with static reviews for schemas and data types.

While the language addresses some of the traditional web application vulnerabilities, it opens the door to information leakage and access control flaws. When reviewing GraphQL powered APIs, we particularly focus on those problems. By leveraging internal framework mechanisms, such as introspection, we ensure both code and attack coverage even in large deployments. We review all application queries and mutations to inspect results and perform extensive authorization testing to highlight insecure direct object reference problems.

Our research-driven approach to GraphQL security is the culmination of our experience. We combine techniques and tooling to improve the efficiency of our security testing efforts.