
paupu

@paupu.bsky.social

Penetration Tester @ShielderSec | Bachelor's Degree in Computer Engineering | IT and Cyber Security lover!

43 Followers  |  158 Following  |  2 Posts  |  Joined: 18.08.2023

Posts by paupu (@paupu.bsky.social)


Love breaking things just to see how they work? 🐛🔨

A @shielder.com delegation is on the ground at @fosdem.org, and we're looking for fellow hackers and security researchers.

If you are passionate about securing the Open Source world, we definitely need to talk!

31.01.2026 08:29 — 👍 3    🔁 3    💬 0    📌 1

Want to learn more about our approach to auditing complex libraries and writing cool exploits?

πŸ—“οΈ: Dec 02

🕗: 20:00 CET

RSVP: luma.com/ostif-meetup...

25.11.2025 09:15 — 👍 2    🔁 3    💬 0    📌 1

Huge thanks to #theSAS25 organization and ppl who voted for this amazing prize! It's been a real pleasure!

27.10.2025 18:35 — 👍 0    🔁 0    💬 0    📌 0

Attending #theSAS25? Meet @paupu.bsky.social for his PAM pwnage talk!
It won't be recorded and it might *wink wink* contain a cool drop you don't want to miss 👀

26.10.2025 15:56 — 👍 1    🔁 3    💬 0    📌 0

Ready for #theSAScon25 in Khao Lak 🇹🇭 🌴 Ping me if u wanna say hi!

26.10.2025 10:31 — 👍 2    🔁 0    💬 0    📌 1

🚨 New Open Source Audit Alert! 🚨

Shielder, with @ostifofficial.bsky.social & ASWF audited OpenEXR and MaterialX:
πŸ” 11 issues found (1 critical, 3 still to be published)
βœ”οΈ Most fixed, others planned
πŸ—£οΈ ndaprela @smaury.bsky.social @suidpit.bsky.social @thezero.org

Full details in the blog post β¬‡οΈπŸ§΅

31.07.2025 15:09 — 👍 4    🔁 4    💬 1    📌 1

Just published some talks on tumpicon.org
Wanna join us? Follow the trail 🥾

09.04.2025 09:35 — 👍 6    🔁 3    💬 0    📌 1

Last week Apple released MacOS 13.4 which contains a fix for a vulnerability @suidpit.bsky.social exploited to escape the Sandbox.
Update now and stay tuned for the technical details!
Ref: support.apple.com/en-us/122373

07.04.2025 08:58 — 👍 9    🔁 5    💬 0    📌 0

In Lausanne for @1ns0mn1h4ck.bsky.social? Don’t miss the chance to meet our very own @not4nhacker.bsky.social! If you're into cursed OAuth hacking techniques or breaking mobile apps, find a comfy spot -- you might be there for a while!

13.03.2025 09:43 — 👍 7    🔁 5    💬 0    📌 0

Hey hackers!
We’ve started sending out the first invites — check your inbox! 👀
Didn’t get one? Take the fast track and submit a talk!

06.02.2025 11:32 — 👍 11    🔁 7    💬 1    📌 1
Shielder - Karmada Security Audit Karmada Security Audit, sponsored by the CNCF (Cloud Native Computing Foundation), facilitated by Open Source Technology Improvement Fund (OSTIF) and performed by Shielder.

🚨 New Open Source Audit Alert! 🚨

Shielder, with @ostifofficial.bsky.social & @cncf.io, audited karmada-io:
πŸ” 6 issues found (1 high, 1 medium, 2 low, 2 info)
βœ”οΈ Most fixed, others planned.
πŸ—£οΈ to @suidpit.bsky.social and @thezero.org

Full details in the blog post!

www.shielder.com/blog/2025/01...

16.01.2025 16:01 — 👍 6    🔁 5    💬 0    📌 2
Remote Code Execution with Spring Properties Recently a past student came to me with a very interesting unauthenticated vulnerability in a Spring application that they were having a hard time exploiting...

I just wrote a new blog post! This is how I (ab)used a jailed file write bug in Tomcat/Spring. Enjoy!

Remote Code Execution with Spring Properties :: srcincite.io/blog/2024/11...

26.11.2024 23:57 — 👍 76    🔁 36    💬 1    📌 2
Introducing SecureDrop Protocol This blog post is a part of a series about our research toward the next generation of the SecureDrop whistleblowing …

In early 2023 we (@thezero.org & @smaury.bsky.social) collaborated with SecureDrop to start designing and prototyping the #E2EE messaging protocol for a future version of SecureDrop.

📄 blog post: securedrop.org/news/introdu...
💻 poc code: github.com/freedomofpre...

07.05.2024 10:54 — 👍 5    🔁 3    💬 0    📌 0
Shielder - pgAdmin (<=8.3) Path Traversal in Session Handling Leads to Unsafe Deserialization and Remote Code Execution (RCE) pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing user's session in the session handling code. If the server is running on Windows, an unauthenticated attacker can load ...

During a recent Red Team Assessment @thezero.org and @smaury.bsky.social discovered a vulnerability in PostgreSQL's #PgAdmin which in the worst case allows unauthenticated attackers to run arbitrary server-side code.

Check out the #RCE advisory and patch now!
www.shielder.com/advisories/p...

08.03.2024 13:55 — 👍 5    🔁 3    💬 0    📌 0
Shielder - Bref Security Audit Bref Security Audit, sponsored by Amazon Web Services (AWS), facilitated by Open Source Technology Improvement Fund (OSTIF) and performed by Shielder.

We recently partnered with the Open Source Technology Improvement Fund (OSTIF) to perform a security audit sponsored by AWS on Bref. The audit resulted in 5 findings, promptly addressed by @mnapoli.bsky.social.
The report is now public, check the details here: www.shielder.com/blog/2024/03...

29.03.2024 12:09 — 👍 2    🔁 2    💬 0    📌 0
Shielder - Hunting for ~~Un~~authenticated n-days in Asus Routers Notes on patch diffing, reverse engineering and exploiting CVE-2023-39238, CVE-2023-39239, and CVE-2023-39240.

Ever wondered how to binary diff router firmwares to write n-day exploits? Learn how @thezero.org and @suidpit.bsky.social combined unblob, binexport, ghidra, Qiling, and an Asus router to write an exploit for CVE-2023-39238. The outcome was unexpected ... 1/7 www.shielder.com/blog/2024/01...

30.01.2024 13:47 — 👍 6    🔁 5    💬 1    📌 0