paupu
paupu.bsky.social
Penetration Tester
@ShielderSec
| Bachelor's Degree in Computer Engineering | IT and Cyber Security lover!
Huge thanks to #theSAS25 organization and ppl who voted for this amazing prize! It's been a real pleasure!
October 27, 2025 at 6:35 PM
Reposted by paupu
Attending #theSAS25? Meet @paupu.bsky.social for his PAM pwnage talk!
It won't be recorded and it might *wink wink* contain a cool drop you don't want to miss 👀
October 26, 2025 at 3:56 PM
Ready for #theSAScon25 in Khao Lak 🇹🇭 🌴 Ping me if u wanna say hi!
October 26, 2025 at 10:31 AM
Reposted by paupu
🚨 New Open Source Audit Alert! 🚨

Shielder, with @ostifofficial.bsky.social & ASWF audited OpenEXR and MaterialX:
🔍 11 issues found (1 critical, 3 still to be published)
✔️ Most fixed, others planned
🗣️ ndaprela @smaury.bsky.social @suidpit.bsky.social @thezero.org

Full details in the blog post ⬇️🧵
July 31, 2025 at 3:09 PM
Reposted by paupu
Just published some talks on tumpicon.org
Wanna join us? Follow the trail 🥾
The second edition of TumpiCon is here!
📅 June 27-28, 2025
📍 Somewhere near Turin, Italy
🔒 Invite-only

No flashy stages. No fluff. Just raw, technical, and unfiltered hacking.
More details? If you know, you know.
Follow the trail: tumpicon.org
April 9, 2025 at 9:35 AM
Reposted by paupu
Last week Apple released macOS 13.4 which contains a fix for a vulnerability @suidpit.bsky.social exploited to escape the Sandbox.
Update now and stay tuned for the technical details!
Ref: support.apple.com/en-us/122373
April 7, 2025 at 8:58 AM
Reposted by paupu
In Lausanne for @1ns0mn1h4ck.bsky.social? Don’t miss the chance to meet our very own @not4nhacker.bsky.social! If you're into cursed OAuth hacking techniques or breaking mobile apps, find a comfy spot -- you might be there for a while!
March 13, 2025 at 9:43 AM
Reposted by paupu
Hey hackers!
We’ve started sending out the first invites — check your inbox! 👀
Didn’t get one? Take the fast track and submit a talk!
February 6, 2025 at 11:32 AM
Reposted by paupu
🚨 New Open Source Audit Alert! 🚨

Shielder, with @ostifofficial.bsky.social & @cncf.io, audited karmada-io:
🔍 6 issues found (1 high, 1 medium, 2 low, 2 info)
✔️ Most fixed, others planned.
🗣️ to @suidpit.bsky.social and @thezero.org

Full details in the blog post!

www.shielder.com/blog/2025/01...
Shielder - Karmada Security Audit
Karmada Security Audit, sponsored by the CNCF (Cloud Native Computing Foundation), facilitated by Open Source Technology Improvement Fund (OSTIF) and performed by Shielder.
January 16, 2025 at 4:01 PM
Reposted by paupu
I just wrote a new blog post! This is how I (ab)used a jailed file write bug in Tomcat/Spring. Enjoy!

Remote Code Execution with Spring Properties :: srcincite.io/blog/2024/11...
Remote Code Execution with Spring Properties
Recently a past student came to me with a very interesting unauthenticated vulnerability in a Spring application that they were having a hard time exploiting...
November 26, 2024 at 11:57 PM
Reposted by paupu
In early 2023 we (@thezero.org & @smaury.bsky.social) collaborated with SecureDrop to start designing and prototyping the #E2EE messaging protocol for a future version of SecureDrop.

📄 blog post: securedrop.org/news/introdu...
💻 poc code: github.com/freedomofpre...
Introducing SecureDrop Protocol
This blog post is a part of a series about our research toward the next generation of the SecureDrop whistleblowing …
May 7, 2024 at 10:54 AM
Reposted by paupu
During a recent Red Team Assessment @thezero.org and @smaury.bsky.social discovered a vulnerability in PostgreSQL's #PgAdmin which in the worst case allows unauthenticated attackers to run arbitrary server-side code.

Check out the #RCE advisory and patch now!
www.shielder.com/advisories/p...
Shielder - pgAdmin (<=8.3) Path Traversal in Session Handling Leads to Unsafe Deserialization and Remote Code Execution (RCE)
pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing user's session in the session handling code. If the server is running on Windows, an unauthenticated attacker can load ...
March 8, 2024 at 1:55 PM
Reposted by paupu
We recently partnered with the Open Source Technology Improvement Fund (OSTIF) to perform a security audit sponsored by AWS on Bref. The audit resulted in 5 findings promptly addressed by @mnapoli.bsky.social.
The report is now public, check the details here: www.shielder.com/blog/2024/03...
Shielder - Bref Security Audit
Bref Security Audit, sponsored by Amazon Web Services (AWS), facilitated by Open Source Technology Improvement Fund (OSTIF) and performed by Shielder.
March 29, 2024 at 12:09 PM
Reposted by paupu
Ever wondered how to binary diff router firmware to write n-day exploits? Learn how @thezero.org and @suidpit.bsky.social combined unblob, binexport, ghidra, Qiling, and an Asus router to write an exploit for CVE-2023-39238. The outcome was unexpected ... 1/7 www.shielder.com/blog/2024/01...
Shielder - Hunting for ~~Un~~authenticated n-days in Asus Routers
Notes on patch diffing, reverse engineering and exploiting CVE-2023-39238, CVE-2023-39239, and CVE-2023-39240.
January 30, 2024 at 1:47 PM