Dominique Righetto
@righettod.eu
👨‍💻 AppSec enthusiast | 🐶 Addicted to Shetland Sheepdogs | 🌏 Open Source/AppSec/OWASP junkie | 🐝 OWASP Secure Headers Project Leader.
🚩 Opinions mentioned are mine.
Pinned
🧑‍💻 Since I often search for CWEs corresponding to a problem I have encountered and have not found a tool suited to my needs, I decided to create a small script that allows me to search for CWE records using a CWE identifier or a term.

#appsec #appsecurity #cwe
November 14, 2025 at 6:59 AM
Reposted by Dominique Righetto
The NTP project is launching a call for donations to reach a goal of $11,000, needed to continue its activities.

NTP develops and maintains an essential Open Source implementation for synchronizing the clocks of connected systems.

👉 https://www.ntp.org/
November 13, 2025 at 5:40 PM
Reposted by Dominique Righetto
Alireza Liaghat walks us through the nmap formula! This cheat sheet is designed to make network mapping a breeze!

download nmap here -- nmap.org
November 12, 2025 at 8:40 PM
🧑‍💻 During the secure code reviews I perform, I quite often find that sensitive information is included in messages intended to be written to event logs or error messages. I added a utility method to my "code-snippets-security-utils" project to help with detection.

#appsec #appsecurity
November 9, 2025 at 10:01 AM
📡 OWASP Secure Headers Project:

- We added information about the HTTP response header "X-DNS-Prefetch-Control".
- We added the tool "shcheck" to the list of analysis tools.

#appsec #appsecurity #owasp_shp
November 5, 2025 at 5:28 AM
Reposted by Dominique Righetto
Postgresus is a free, open source and self-hosted tool to back up PostgreSQL. Make backups to different storages with notifications about progress. It has a UI and easy-to-configure options. Give it a try github.com/RostislavDug...
GitHub - RostislavDugin/postgresus: PostgreSQL monitoring and backups (with UI and self hosted)
October 30, 2025 at 6:51 AM
Reposted by Dominique Righetto
X-Request-Purpose: Identifying "research" and bug bounty related scans? https://isc.sans.edu/diary/32436
October 30, 2025 at 1:26 PM
Reposted by Dominique Righetto
EuroLLM: an Open Source initiative led by a consortium of European researchers to create an LLM capable of understanding and correctly processing the 24 official languages of the EU.

👉 https://eurollm.io/
October 29, 2025 at 7:43 PM
Reposted by Dominique Righetto
🚨 New labs just dropped!

3 new Python Code Review labs are now live on PentesterLab 🐍
Learn to spot subtle bugs and insecure patterns by reading real Python code.

🎯 pentesterlab.com/badges/python-code-review

#Python #AppSec #CodeReview #PentesterLab
PentesterLab: Learn with our Python Code Review Badge
The Python Code Review Badge is our badge dedicated to code review in Python. It covers the discovery of weaknesses and vulnerabilities using source code review.
October 28, 2025 at 3:37 AM
🧑‍🎓 To continue my homework on AI, I decided to work on a POC concerning another common situation I face every time I perform a secure code review:

"The presence of false positives for secrets detected during the security analysis of a code base using GitLeaks with a custom set of rules."
October 19, 2025 at 7:13 AM
Reposted by Dominique Righetto
Do you want to end one or more processes at a time using a regular expression (regex) on your Linux, FreeBSD, macOS or Unix-like system? Try:

pkill regex
pkill -9 pattern

The regex/pattern will match the process names or command lines that you see using ps/top/htop. Pretty useful for CLI users.
September 19, 2025 at 8:33 PM
Reposted by Dominique Righetto
Shai-Hulud: supply chain attack targeting npm packages under CrowdStrike accounts.

It downloads and runs tools such as TruffleHog, then searches for tokens, creates unauthorized GitHub Actions workflows and exfiltrates data.

👉 socket.dev/blog/ongo...
September 17, 2025 at 11:30 AM
🧑‍🎓 Learning of the day for me: During my technical survey, I found a GitHub project offering a POC for CVE-2025-54988. I therefore decided to add a new check for this attack vector to my code snippet project for validating PDF files.

github.com/righettod/co...

#appsec #appsecurity
September 15, 2025 at 1:14 PM
Reposted by Dominique Righetto
You can configure it any way you want or need, but the extension comes with bundled configuration files you can use out of the box. One of them disallows dangerous functions like var_dump() or put_env(), while another one blocks insecure functions like hash() with MD5 github.com/spaze/phpsta...
September 14, 2025 at 10:11 PM
📡 OWASP Secure Headers Project: We added information about the response header "X-DNS-Prefetch-Control" based on technical tests we performed.

#appsec #appsecurity #owasp_shp

📖 owasp.org/www-project-...
August 17, 2025 at 6:52 AM
Reposted by Dominique Righetto
The AD CS security landscape keeps evolving, and so does our tooling. 🛠️

Valdemar Carøe drops info on Certify 2.0, including a suite of new capabilities and refined usability improvements. ghst.ly/45IrBxI
Certify 2.0 - SpecterOps
Certify 2.0 features a suite of new capabilities and usability enhancements. This blogpost introduces changes and features additions.
August 11, 2025 at 8:38 PM
@nolimitsecu.bsky.social Hi, is it normal that the link to this episode leads to a 404?

www.nolimitsecu.fr/owasp-secure...

Did I miss a migration? Thanks a lot for your help 😊
August 12, 2025 at 5:04 AM
Reposted by Dominique Righetto
The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com
HTTP/1.1 Must Die
Upstream HTTP/1.1 is inherently insecure, and routinely exposes millions of websites to hostile takeover. Join the mission to kill HTTP/1.1 now
August 6, 2025 at 11:43 PM
💡 Discovery of the week for me:
While reviewing code on a .NET project (C# language), I noticed that Semgrep, with its set of community rules, was not effective on this technology.

So I looked for a complement and found Microsoft's DevSkim tool...
August 6, 2025 at 6:07 AM
Reposted by Dominique Righetto
🏖️🐻 Free Software of the summer, day 46

D2: an Open Source scripting tool for generating your diagrams. (p)
August 5, 2025 at 5:32 PM
Reposted by Dominique Righetto
A table listing free and/or Open Source alternatives to Adobe applications.
August 5, 2025 at 11:30 AM
Reposted by Dominique Righetto
📚 ANSSI publishes a new Essentiel on the secure implementation of a hierarchical key management infrastructure (IGC, #clés) managing certificates for internal use within an entity.

Discover ANSSI's recommendations at:
🔗 cyber.gouv.fr/publications...
August 1, 2025 at 12:25 PM
Reposted by Dominique Righetto
Improvements to the DIMA plugin for detecting and raising awareness of online manipulation techniques are available!: m82-project.org/articles/dim...
August 1, 2025 at 5:45 PM