and APIS

Our team has decades of experience in web application security with a proven track record of vulnerabilities discovered across hundreds of products and web frameworks. We have invented new classes of attacks and co-authored the OWASP Testing Guide. We speak Java, Php, Ruby, Python, Node.Js, JavaScript, Scala, .NET, Lua and many other programming languages on the web.
  • Server and Clientside

    We’ve been manually auditing applications and APIs since before the modern web. The new frontier of security involves logical bugs, prototype pollution, API path traversal, broken state machines, second-order injections, misuse of libraries, inconsistencies between the application and the cloud infrastructure and many other novel techniques.

    The progressive shift to SecDevOps and tech stacks that are secure-by-default have significantly changed the type of vulnerabilities and misconfigurations that affect mainstream web applications. Despite that, Doyensec will understand the goals and needs of the application to find ways of breaking the assumed control flow.

    Our methodology combines source code review with dynamic testing to deliver effective and efficient security auditing. We strongly encourage our clients to provide source code during security testing activities, however we are comfortable with traditional black-box testing. When auditing web applications and APIs, we build a profile of the assets and methodically attack and track each form of input into the application. We detail how users interact with the system and model potential oversights with use and availability.

  • manual testing and
    custom tooling

    We intercept and inspect each request and response between client and endpoint. We find well-known bug classes including Cross-Site Scripting, SQL injection, Cross-Site Request Forgery, Command Execution, Path Traversal and many more.

    We seek a deeper understanding of the application in order to find unexpected flaws such as business logic bugs or undisclosed vulnerabilities in the application dependencies.

    Findings are reported and prioritized by severity with clear remediation steps. We will find bugs, but that is just the first step in the process.

Information Gathering 
and Reconnaissance

  • Mapping Out Application Features and Components
  • Architecture and Threat Mapping
  • Identifying Application Entry Points
  • TLS/SSL Testing
  • Analysis of Error Codes and Stack Traces
  • Mapping the Control Flow
  • Web Code Framework and Library Fingerprinting


  • Configuration Settings
  • HTTP Methods, HTTP Verbs
  • File Extension and URL Handlers
  • Cross Domain Policies
  • Legacy and Dead Code
  • Account Suspension/Resumption Process
  • HTTP Strict Transport Security (HSTS)
  • Auditing the User Registration Process
  • Auditing the Account Provisioning Process
  • Enumerating Application Roles


  • Encrypted Transport of Credentials and Sensitive Data
  • User Enumeration
  • Account Lockout
  • Race Conditions
  • Credential Change and Reset
  • Weak CAPTCHA Implementation
  • Authentication Bypasses
  • Remember Password
  • Browser Caching
  • Credential Policy
  • Credential Handling and Storage
  • Multiple Factor Authentication
  • Alternative Channel for Authentication


  • Directory Traversal/File Inclusion
  • Proper Admin Authorization
  • Authorization Schema Bypass
  • Privilege Escalation
  • Insecure Direct Object References

Session Management

  • Session Management Bypass
  • Cookies without ‘HTTP Only’ and ‘Secure’ Flags
  • Cookie Minting
  • Session Fixation
  • Exposed Session Variables
  • Cross Site Request Forgery (CSRF)
  • Logout Management
  • Session Timeout
  • Session Puzzling

Data Validation

  • Reflected Cross Site Scripting
  • Stored Cross Site Scripting
  • HTTP Verb Tampering
  • HTTP Parameter Pollution
  • XML External Entity (XXE)
  • SQL Injection
  • IMAP/SMTP Injection
  • Second Order Injection Vulnerabilities
  • Code Injection
  • Local and Remote File Inclusion
  • Command Injection
  • HTTP Splitting and Response Smuggling
  • AJAX Weaknesses
  • Format Strings
  • Heap, Stack Buffer Overflows
  • Integer Wrapping


  • Weak SSL/TLS Ciphers
  • Padding Oracle
  • Sensitive information Sent via Unencrypted Channels
  • Entropy Analysis
  • Correct Mode Selection and Application
  • Key Strength
  • Brute Force Attack Resiliency
  • Weaknesses in Integrity, Confidentiality, Authenticity, Availability
  • Various Crypto Attacks (CCA, CPA, COA, KPA, etc.)

Business Logic

  • Business Logic Data Validation
  • File Upload Vulnerabilities
  • Replay Attacks
  • Forging Requests
  • Process Timing
  • Integrity Checks
  • Circumvention of Work Flows
  • Abuse of Functionality

Client Side

  • DOM based Cross Site Scripting
  • Web Sockets
  • Web Messaging
  • Javascript Execution
  • HTML/CSS Injection
  • URL Redirect
  • Resource Manipulation
  • Local Storage/Session Storage with Sensitive Information
  • Cross Origin Resource Sharing
  • Clickjacking/UI Redressing

Denial of Service

  • Locking Customer Accounts
  • SQL Wildcard-item Vulnerability
  • User Input as a Loop Counter
  • Buffer Overflows
  • Failure to Release Resources
  • Storing Too Much Data in Session
  • User Specified Object Allocation
  • Writing User Provided Data to Disk

Web Services

  • WS Information Gathering
  • WS HTTP GET Parameters/REST
  • WS SOAP Attachments
  • WS Replay Testing
  • WSDL Weakness
  • XML Content-Level

our research articles

Research is one of our founding principles and we invest in it heavily. All of our researchers have the privilege to use %25 of their time exclusively for self-directed research.

show more publications