Security writeups from researchers for researchers

We scan, we hack, we write about it. New interesting vulnerabilities, attack techniques, tools and bug bounty tips.

Log in Subscribe

Home
About

Dawid Moczadło

State of Security Automation

State of Security Automation

SAST tools overlook more than 85% of CVEs in real-world scenarios. Outdated security automation can't keep pace with rapid code development. There is the hidden cost of security automation - validating false positives.

Dawid Moczadło

9 Apr 2024 · 3 min read

Security of new features in Next.js 14 - Server Actions, Taints

Security of new features in Next.js 14 - Server Actions, Taints

Next.js 14 (and 13) introduced many attack vectors without providing the tooling necessary for organizations to detect them. It is easier than ever before to expose server secrets, introduce unauthenticated "endpoints" or any other issue that will make you vulnerable

Dawid Moczadło

30 Oct 2023 · 5 min read

Escalating debug mode in Django to RCE, SSRF, SQLi

Escalating debug mode in Django to RCE, SSRF, SQLi

Security implications of DEBUG=true in Django. Learnings from an ethical hacker's perspective

Dawid Moczadło

24 Oct 2023 · 3 min read

Hacking Swagger-UI - from XSS to account takeovers

Hacking Swagger-UI - from XSS to account takeovers

We have reported more than 60 instances of this bug across a wide range of bug bounty programs including companies like Paypal, Atlassian, Microsoft, GitLab, Yahoo, ...

Dawid Moczadło

16 May 2022 · 10 min read

© 2024 Vidoc Security Lab - blog. All rights reserved.