Magic The Gathering - Deploy to the front

Argocd + Hashicorp Vault + Git + Kubernetes - A DevSecOps framework to deploy what you want

Introduction: Some time ago, I faced a challenge in deploying a service on a cloud that was not exposed to the internet, using secrets and automatic deployments from GitHub. The original service already had a deployment in a production Kubernetes cluster made manually using YAMLs. Everybody knows that I like to automate everything, I like challenges, and I like to engineer, and when I saw that, I saw a challenge. In this blog post, I will define a DevSecOps framework based only on open source tools and as flexible as it can be, so it does not matter where you deploy and where the code is: it will be deployed automatically in a Kubernetes cluster with secrets! Let’s dive into the world of DevSecOps and let’s learn something together. ...

June 4, 2025 · 13 min

Its Not Yours, Its Ours - CVE-2025-27696 - Improper Authorization vulnerability in Apache Superset

In this blog post, I will explain a vulnerability that I found that allows low-privileged users to take ownership of published dashboards, charts, or datasets via the application’s export and import functionalities, which lack a validation process during import. This flaw in the system enables lower-privileged users to view, edit and dismiss original owners of these resources. The post details my research journey, findings, and the potential implications of the vulnerability.

May 14, 2025 · 6 min

Bypassing old school captchas for fun!

In late September, I found a bypass for a strange captcha system on a website that belongs to a well-known telecommunications company in Portugal. I hope you like it!

March 26, 2025 · 10 min

Clojure SSTI

In the 0xL4ugh CTF 2024, there was a web challenge with a peculiar programming language used for web development called Clojure. My team solved the challenge but information on the web is almost nonexistent. In today’s blog post, I will explain my thought process and depict how we solved the challenge.

December 28, 2024 · 6 min