Security writeups from researchers for researchers

We scan, we hack, we write about it. New interesting vulnerabilities, attack techniques, tools and bug bounty tips.

Home
About

API Security: Best Practices for Python Developers - Part II

Part II of the Developer’s Guide for a secure API implementation. Devs are the core of web applications, that's why you should continue learning how to prevent common attacks and secure your endpoints correctly. Avoid deploying vulnerable code by taking into account these Security Best Practices.

Oriana Olivetti

11 Jun 2024 · 7 min read

Why Dependency Security Is Your First Line of Defense Against Cyber Threats

Oriana Olivetti

29 May 2024 · 3 min read

Beginner’s Guide to Client Prototype Pollution vulnerabilities

Oriana Olivetti

15 May 2024 · 5 min read

Pentesting Cross-Origin Resource Sharing (CORS) vulnerabilities

Oriana Olivetti

30 Apr 2024 · 4 min read

State of Security Automation

SAST tools overlook more than 85% of CVEs in real-world scenarios. Outdated security automation can't keep pace with rapid code development. There is the hidden cost of security automation - validating false positives.

Dawid Moczadło

9 Apr 2024 · 3 min read

The Developer's Guide to Effective Secrets Management

Discover how to safeguard your applications with effective secrets management. Learn about the challenges of secrets detection and how Vidoc Security Lab's AI Security Engineer can revolutionize your security measures against AI-generated code threats.

Oriana Olivetti

2 Apr 2024 · 3 min read

API Security: Best Practices for Python Developers - Part I

Developer’s Guide for a secure API implementation. Devs are the core of web applications, however, they are also the ones who end up introducing and deploying vulnerabilities that later get exploited. That's why you should know how to prevent common attacks and secure your endpoints correctly.

Oriana Olivetti

26 Mar 2024 · 7 min read

SAST vs. DAST: Choosing the Right Security Testing for Your Project

Distinguishing between SAST & DAST is crucial for any robust security strategy. Adopting a unified approach, by leveraging both scans, ensures that your software remains secure during its lifecycle, effectively mitigating potential risks and vulnerabilities in today’s fast-paced digital environment.

Oriana Olivetti

14 Mar 2024 · 3 min read

AI Pentesting vs Automated Penetration Testing

In the rapidly evolving cybersecurity landscape, where the emergence of AI-generated code presents unprecedented challenges, the concept of automated penetration testing emerges as a beacon of innovation and efficiency.

Oriana Olivetti

29 Feb 2024 · 4 min read

Why you never get Reflected XSS to execute: Balancing Payloads

Beginners guide to Reflected XSS. Everyone talks about the different XSS cheatsheets, and then you are supposed to try them one by one to see if any of the payloads get executed on your target. We don't like that. It's time-consuming and a mindless task.

Oriana Olivetti

20 Feb 2024 · 4 min read

AWS S3 Bucket Takeover - how to find it and maximize impact?

The impact of an AWS S3 Bucket Takeover can range from none, account takeover, and even up to RCE. In this article, we’ll tell you how to find it and maximize its impact

Greg

10 Jan 2024 · 6 min read

Security of new features in Next.js 14 - Server Actions, Taints

Next.js 14 (and 13) introduced many attack vectors without providing the tooling necessary for organizations to detect them. It is easier than ever before to expose server secrets, introduce unauthenticated "endpoints" or any other issue that will make you vulnerable

Dawid Moczadło

30 Oct 2023 · 5 min read

Escalating debug mode in Django to RCE, SSRF, SQLi

Security implications of DEBUG=true in Django. Learnings from an ethical hacker's perspective

Dawid Moczadło

24 Oct 2023 · 3 min read

Vidoc Secures Funding from bValue!

Vidoc Security Lab has secured an investment from bValue, a leading player in the world of venture capital and technology innovation

Klaudia

27 Sep 2023 · 2 min read