V4uban
v4uban.bsky.social
AppSec Engineer. Application Security, DevSecOps, Threat Modelling.
OWASP and Open Source enthusiast.
Based in Barcelona.
Reposted by V4uban
We released version 1.11.2 of #OWASP #WrongSecrets: it's faster than ever, has now 55 challenges and a lot of fun! Check it out at github.com/OWASP/wrongs... or test it at www.wrongsecrets.com and don't forget to give the repo a 🌟 if you like it!
GitHub - OWASP/wrongsecrets: Vulnerable app with examples showing how to not use secrets
Vulnerable app with examples showing how to not use secrets - OWASP/wrongsecrets
github.com
May 2, 2025 at 10:33 AM
Reposted by V4uban
I just built a custom action to let you test for race conditions with a single click! No tab groups required, and it uses the cutting edge single-packet attack under the hood: gist.github.com/albinowax/10...

For more info check out portswigger.net/research/sma...
April 23, 2025 at 2:31 PM
Reposted by V4uban
Ever heard of LLM poisoning? 🤔

Recently, Leif Dreizler joined Travis McPeak and William Bengtson on the @404security.bsky.social podcast to discuss how misinformation websites are intentionally spreading fake news to influence AI model responses.

🎧 Listen here: www.resourcely.io/podcast/deal...
April 4, 2025 at 4:18 PM
Reposted by V4uban
Hello friends. The dreaded and long-awaited blog on WHAT THE FUCK HAPPENED TO THE CYBERSECURITY JOBS MARKET has arrived.

tisiphone.net/2025/04/01/l...

I'm sorry.
Lesley, What Happened to the “Cybersecurity Skills Shortage”?
Are you stressed out right now? I’m stressed out. Most Americans are, and cybersecurity job seekers are definitely not an exception. I do a ton of career mentoring and career clinics, and I s…
tisiphone.net
April 2, 2025 at 3:04 AM
Reposted by V4uban
As a follow-up to @maxenceschmitt.bsky.social's amazing #CSPT research, we've published a list of resources to help people interested in this class of vulnerabilities. Check it out today for video, tools, challenges and a variety of publications!

blog.doyensec.com/2025/03/27/c...

#Doyensec #appsec
March 27, 2025 at 4:46 PM
Reposted by V4uban
The Threat Modeling Connect community are launching the first-ever community-driven State of Threat Modeling (SOTM) Report, led by @rewtd.bsky.social and Dave Soldera, and we’d love your input!
docs.google.com/forms/d/e/1F...
The survey will take 15-20 minutes to complete.

#cybersec #infosec
State of Threat Modeling (SOTM) 2024 Survey
Welcome to the first-ever State of Threat Modeling (SOTM) Survey! What is the SOTM Survey? The SOTM Survey is part of the research for the first community-driven State of Threat Modeling (SOTM) Repor...
docs.google.com
March 14, 2025 at 9:20 AM
Reposted by V4uban
OWASP Global AppSec EU 2025 Barcelona: full training schedule is out now!

Day 3 is packed with even more hands-on training sessions to enhance your AppSec expertise!

Register now:
owasp.glueup.com/eve...

#AppSecEU2025 #Cybersecurity #DevSecOps #SecureCoding #ThreatModeling #Infosec #Barcelona
March 24, 2025 at 7:04 AM
Reposted by V4uban
Exciting news! The #OWASP Global #Appsec SF videos have arrived! 🎥 Get ready to boost your knowledge and skills by checking them out here: www.youtube.com/play...
March 21, 2025 at 4:31 PM
Reposted by V4uban
You might have noticed that the recent SAML writeups omit some crucial details. In "SAML roulette: the hacker always wins", we share everything you need to know for a complete unauthenticated exploit on ruby-saml, using GitLab as a case-study.

portswigger.net/research/sam...
SAML roulette: the hacker always wins
Introduction In this post, we’ll show precisely how to chain round-trip attacks and namespace confusion to achieve unauthenticated admin access on GitLab Enterprise by exploiting the ruby-saml library
portswigger.net
March 18, 2025 at 2:57 PM
Reposted by V4uban
There's now a ZAP Slack that's open to everyone. You can get an invite to it via zaproxy.org/slack/invite
Slack Invite
zaproxy.org
February 24, 2025 at 1:45 PM
Reposted by V4uban
AppSec Ezine
pathonproject.com
February 8, 2025 at 11:31 AM
Reposted by V4uban
🤔 Based on issues that I have seen during recent assessments, I updated my code sharing project with a method related to JWT-based tokens:

#appsec #appsecurity #jwt #web

🌍 URL:
github.com/righettod/co...
righettod.github.io/code-snippet...
February 9, 2025 at 4:59 PM
Reposted by V4uban
Get ready for an eye-opening session with Kevin Hemmingsen, Director of Trust & Security at Bugcrowd as he explores lessons from bug bounty / offsec to help devs build more securely at the OWASP Security Summit!

OWASP Community Save 25% on tickets: http://www.eventbrit...
February 9, 2025 at 9:40 PM
Reposted by V4uban
The results are in! We're proud to announce the Top 10 Web Hacking Techniques of 2024! portswigger.net/research/top...
Top 10 web hacking techniques of 2024
Welcome to the Top 10 Web Hacking Techniques of 2024, the 18th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year
portswigger.net
February 4, 2025 at 3:02 PM
Reposted by V4uban
Discover blocklist bypasses via unicode overflows using the latest updates to ActiveScan++, Hackvertor & Shazzer! Thanks to Ryan Barnett and Neh Patel for sharing this technique.

portswigger.net/research/byp...
January 28, 2025 at 2:01 PM
Reposted by V4uban
Sarah-Jane Madden is a keynote speaker at OWASP Global AppSec EU 2025

🎟️ Attention to those in App Sec, Cybersecurity, and Developers: take advantage of the early bird discount!

Don’t wait, register now!

owasp.glueup.com/eve...

#owaspglobalappseceu2025 #AI #threatmodeling #devsecops #infosec
January 29, 2025 at 8:05 AM
Reposted by V4uban
I've just released HTTP Request Smuggler 2.17 which fixes a nasty Client-Side Desync false-negative. Big thanks to @t0xodile.com for reporting it! Hope you all find some nice CSDs in 2025 :)
January 7, 2025 at 10:45 AM
Reposted by V4uban
Nominations are now open for the Top 10 Web Hacking Techniques of 2024! Browse the contestants and submit your own here:
portswigger.net/research/top...
Top ten web hacking techniques of 2024: nominations open
Nominations are now open for the top 10 new web hacking techniques of 2024! Every year, security researchers from all over the world share their latest findings via blog posts, presentations, PoCs, an
portswigger.net
January 8, 2025 at 2:09 PM
Reposted by V4uban
🚨 Attention all developers and code enthusiasts! Get ready to elevate your skills with "Alice and Bob Learn Secure Coding." Secure your copy now and embark on a transformative learning experience.
shehackspurple.ca/bo...
December 31, 2024 at 4:19 PM
Reposted by V4uban
Somebody uploaded to SlideShare the slides of my talk at @northsec.bsky.social 2023 🌐

It’s the sequel of the first @burpsuite.bsky.social talk I ever gave, exactly 10 years before 🛠️

Enjoy these 50 slides of Burp tips 🎁🎅
Burp suite pro tips and tricks for hacking
Burp suite pro tips and tricks for hacking - Download as a PDF or view online for free
slideshare.net
December 23, 2024 at 10:00 PM
Reposted by V4uban
Extended the starter with shy writers! 😀 If you're not on the list but write about web security, then feel free to reply with the article you're most proud of, and I will add you to the pack!

Make sure to resubscribe to not miss out on the amazing 🌐research!

go.bsky.app/9JXnB17
December 10, 2024 at 10:29 PM
Reposted by V4uban
Ever wondered why you NEVER see chunked responses in Burp? 🤔

The answer is simple, default settings hide them! 🫣

Go to "Settings > Network > HTTP > Streaming responses" to make them appear 🔍
December 20, 2024 at 7:23 AM
Reposted by V4uban
Check out the tools I've been working on this year:
🔐 Hackvertor: Web app: hackvertor.co.uk
🔒 Hackvertor BApp: portswigger.net/bappstore/65...
⚡ Shazzer: shazzer.co.uk
🛠️ Recorder: Chrome extension: chromewebstore.google.com/detail/burp-...
🕵️ DOM Invader: portswigger.net/burp/documen...
December 20, 2024 at 1:27 PM
Reposted by V4uban
New research: We've been monitoring a threat actor publishing dozens of trojanized GitHub repositories targeting threat actors, leaking hundreds of thousands of credentials along the way

securitylabs.datadoghq.com/articles/mut...
December 16, 2024 at 1:09 PM