  • doyensec@infosec.exchange
    Did you know you can use #InQL to recreate a #GraphQL schema even when the introspection query is disabled? Our Schema Bruteforcer ensures "hidden" doesn't actually mean "off-limits". Find out more at: https://blog.doyensec.com/2025/12/02/inql-v610.html and https://github.com/doyensec/inql #doyensec #appsec #security
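The post above describes recovering a GraphQL schema from a server whose introspection is switched off. As an added example (this is not InQL's code and not Doyensec's), the block below shows one common way to do that: probe the endpoint with single-field queries from a wordlist and harvest the `Did you mean "..."` hints that graphql-js-style servers emit in validation errors, feeding each suggestion back into the queue. The `FakeGraphQLEndpoint` class and its `SCHEMA` are constructed stand-ins so the code runs offline; the field names, the required-argument behaviour of `userById` and the 3-character prefix heuristic for suggestions are assumptions, not properties of any real target. Against a live endpoint you would swap `execute` for an HTTP POST of `{"query": ...}`.

```python
"""Rebuild Query-type field names from a GraphQL server with introspection
disabled, by probing candidates and mining "Did you mean" suggestions.

Constructed example; FakeGraphQLEndpoint is a stand-in for a real server.
"""
import re
from collections import deque

class FakeGraphQLEndpoint:
    """Hypothetical server: introspection refused, graphql-js style errors."""
    SCHEMA = {"users": "User", "userById": "User", "settings": "Settings"}  # constructed
    REQUIRED_ARGS = {"userById": "id"}  # constructed: this field needs an argument

    def execute(self, query: str) -> dict:
        # A hardened server rejects introspection outright.
        if "__schema" in query or "__type" in query:
            return {"data": None, "errors": [{"message": "GraphQL introspection is not allowed"}]}
        m = re.fullmatch(r"\s*\{\s*(\w+)\s*\}\s*", query)
        if not m:
            return {"data": None, "errors": [{"message": "Syntax Error"}]}
        field = m.group(1)
        if field in self.REQUIRED_ARGS:
            # Existing field, but the bare probe is invalid: still proves the field exists.
            arg = self.REQUIRED_ARGS[field]
            return {"data": None, "errors": [{"message":
                f'Field "{field}" argument "{arg}" of type "ID!" is required, but it was not provided.'}]}
        if field in self.SCHEMA:
            return {"data": {field: None}}
        # Assumed suggestion heuristic: fields sharing the guess's first 3 characters.
        near = [f for f in self.SCHEMA if f[:3].lower() == field[:3].lower()]
        msg = f'Cannot query field "{field}" on type "Query".'
        if near:
            msg += " Did you mean " + " or ".join(f'"{f}"' for f in near) + "?"
        return {"data": None, "errors": [{"message": msg}]}


SUGGEST_RE = re.compile(r"Did you mean (.+?)\?")
ARG_REQUIRED_RE = re.compile(r'^Field "(\w+)" argument')
QUOTED_RE = re.compile(r'"([^"]+)"')

def classify(resp: dict, field: str) -> tuple[bool, list[str]]:
    """Return (field_exists, suggested_names) for a single-field probe response."""
    data = resp.get("data") or {}          # data may be null when errors are present
    if field in data:
        return True, []
    suggestions: list[str] = []
    for err in resp.get("errors", []):
        message = err.get("message", "")
        m = ARG_REQUIRED_RE.match(message)
        if m and m.group(1) == field:      # validation complained about args, so it exists
            return True, []
        m = SUGGEST_RE.search(message)
        if m:
            suggestions.extend(QUOTED_RE.findall(m.group(1)))
    return False, suggestions

def bruteforce_fields(execute, wordlist) -> dict:
    """Probe every wordlist entry; enqueue server suggestions so a near-miss
    still recovers the real name. Returns {field: "wordlist" | "suggestion"}."""
    found: dict[str, str] = {}
    tried: set[str] = set()
    queue = deque((w, "wordlist") for w in wordlist)
    while queue:
        name, how = queue.popleft()
        if name in tried:
            continue
        tried.add(name)
        exists, suggestions = classify(execute("{ %s }" % name), name)
        if exists:
            found[name] = how
        for s in suggestions:
            if s not in tried:
                queue.append((s, "suggestion"))
    return found

def demo() -> dict:
    """Run the prober against the constructed endpoint with a small wordlist."""
    endpoint = FakeGraphQLEndpoint()
    return bruteforce_fields(endpoint.execute, ["user", "settings", "admin", "sett"])

if __name__ == "__main__":
    for field, how in sorted(demo().items()):
        print(f"{field:12s} found via {how}")
```

The wordlist never contains `users` or `userById`; both are recovered because the guess `user` triggers a suggestion, and `userById` is confirmed by an argument-validation error rather than a data response. Real servers differ in whether they emit suggestions at all (some frameworks disable them), so treat a silent endpoint as "no evidence", not "no field".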
  • geng@infosec.exchange
    ZAST Agent has identified 14 vulnerabilities in pybbs (tomoya92/pybbs, 2.9k+ GitHub Stars). The attack surface includes 8 XSS vectors, CSRF on admin endpoints, and CAPTCHA reuse. Traditional SAST, which focuses on pattern matching, does not analyze logic flaws like email bypass or multi-stage flows (Stored XSS via /api/settings). Our engine verified every attack path, from payload persistence to triggering admin-level execution, via executable PoCs. This minimizes the triage effort required for these validated findings. Repo: https://github.com/tomoya92/pybbs Full Technical Details: https://blog.zast.ai/security%20research/Security-Advisory-7-Unpatched-Vulnerabilities-in-Prime-(CMS)-GraphQL-Implementation/ #AppSec #ZAST #VulnerabilityResearch #Java #XSS
  • owaspboston@infosec.exchange
    Tickets for BASC are now available on our website! Grab your tickets at www.basconf.org #basconf #owaspbasc #basc2026 #appsec
  • paco@infosec.exchange
    @floriann Where I disagree is that a threat model is meant to answer the question “did we build what we meant to build.” All the repo has is what we DID build. Generally, what we intended is only implied by what we did.

    Could we answer the question “is this software complete?” by looking only at artefacts in the repo? We can read and understand it. We can imagine use cases that are implied. We can decide if we think the use cases we imagined are covered by the code we see.

    I assert that it is not possible to look only at artefacts in the repo and determine whether the software is feature complete. Therefore it is also not possible to determine if the features of the software in the repo are “correct” with respect to what we intended to build.

    To make a simple example: if there is no authentication visible in the code, is that intentional (it’s a public thing), is it needed but not built yet, or is it needed and is provided elsewhere by other infrastructure (like a proxy)? The artefacts in a repository are unlikely to hold that answer. And while they MIGHT, I don’t think that is so common that it supports a statement like “you can threat model using only the artefacts in the repo.”
  • owaspboston@infosec.exchange
    Become a vendor at the premier application security conference in New England. Since its inception in 2012, OWASP BASC has consistently attracted at least 150 attendees. By sponsoring us, you will have the opportunity to connect with leading experts in the application security industry and increase your visibility within the OWASP Community in New England and beyond. For more information, please visit our sponsorship kit at www.basconf.org. #appsec #owasp #basc2026 #basc