poc-graphql. Research on GraphQL from an AppSec point of view.
418toolbox-pentest-web. Docker toolbox for pentest of web based application.
182burp-piper-custom-scripts. Custom scripts for the PIPER Burp extensions.
98log-requests-to-sqlite. BURP extension to record every HTTP request send via BURP and create an audit trail log of an assessment.
66virtualhost-payload-generator. BURP extension providing a set of values for the HTTP request "Host" header for the "BURP Intruder" in order to abuse virtual host resolution.
61pst-digger. Program to analyze mails stored into a Microsoft Outlook PST file and find one based on search keywords.
60document-upload-protection. POC in order to protect an document upload application feature against "malicious" document submission.
47website-passive-reconnaissance. Script to automate, when possible, the passive reconnaissance performed on a website prior to an assessment.
39poc-jwt. POC about usage of JSON Web Tokens (JWT) in a secure way.
34log4shell-analysis. Contains all my research and content produced regarding the log4shell vulnerability
31poc-csrf. POC in order to materialize CSRF prevention concepts described in the following OWASP CSRF cheatsheet
30access-brute-forcer. Android v7+ application to perform a dictionary brute force attack against a host.
24powershell-android-utils. PowerShell module providing utility commands to manipulate a APK file on Windows
16poc-authz-testing. POC in order to explore and describe a proposition for the automation of the testing of the authorization matrix.
12tls-cert-discovery. Script to identify new host using the subjectAltName (Subject Alternate Name) extension of a x509 HTTP TLS certificate.
12injection-cheat-sheets. Provide some tips to handle Injection into application code (OWASP TOP 10 - A1).
10poc-idor. POC in order to materialize IDOR prevention concepts described in the following OWASP cheatsheet
8code-snippets-security-utils. Provides different utilities methods to apply processing from a defensive security perspective.
8toolbox-jwt. Docker toolbox with different scripts having for the objective to perform different kinds of attacks against JWT tokens.
6poc-llm. Research on LLM & code assistant from an AppSec point of view.
5toolbox-codescan. Customized toolbox to perform offline scanning of a code base.
4clipboard-stalker. Android v6+ application to monitor (stalk) the clipboard and grab the content.
4poc-websocket. POC in order to materialize prevention concepts described in the following OWASP WebSocket cheatsheet
4ws-probing-shell. Interactive shell in order to probe/analyze a WebSocket endpoint.
4log4shell-payload-grabber. Tool to try to retrieve the java class used as dropper for the RCE in the context of log4shell vulnerability.
3SecLists. SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
3robots-disallowed-dict-builder. Script generating a dictionary containing the most common DISALLOW clauses from robots.txt file found on CISCO Top 1 million sites
3poc-error-handling. POC in order to find the right setup to define a global error handler in differents web based technologies
3poc-argon2. POC in order to materialize prevention concepts described in the following OWASP cheatsheet
2external-storage-stalker. Android v6+ application to monitor (stalk) all the external storage locations referenced into the system and list the files that can be accessed in read mode.
2poc-argon2-php. POC in order to materialize prevention concepts described in the following OWASP cheatsheet
2toolbox-patator. Toolbox to have a always up to date docker image of the tools named "patator".
1pkcheck. Program brute forcing the passphrase of a private key
1toolbox-regex. Toolbox to have a local instance of RegExr to create regex against sensitive/private content.
1CheatSheetSeries. The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
1HTTPSignatures. π‘Fork adding support for more signature algorithms.
1POC-CVE-2025-54988. A PDF generator for CVE-2025-54988
1voxxeddays-lux-2022. Demonstration videos and presentation regarding the talk given at the VOXXED LU 2022 conference.
1