Details

Are “Just-in-Time” event announcements a thing? Well, it is now! 📢

This is our 13th event, another auspicious number. It wasn’t easy getting all of our ravens in a row, and we have a shorter agenda this time, but we made it happen 🐦‍⬛

Don’t worry, we’re not superstitious. Panis et securitas for all 🥖

This OWASP Lisboa chapter meetup will be held on June 2nd, 2026, at 18:30 and is supported by Microsoft Portugal and AP2SI 🤝🏻

The meetup will take place at the Microsoft Portugal office. Big building, Microsoft logo, can’t miss it 🧭

Our tentative schedule:
18:50 - Quick intro by the OWASP Lisboa chapter leadership team
19:00 - “HTTP/1.1 Must Die” by Marília Rocha (⚡🗣️)
19:20 - “How to Ben10 Your Way In - Social Engineering Meets Red Team” by David Marques

Although the activities start later, please try to arrive by 18:30 to allow ample time to settle in ⌚
--------------------------
Talks:
--------------------------
Title: HTTP/1.1 Must Die

Speaker: Marília Rocha

Abstract:
HTTP Request Smuggling (HRS) remains one of the most dangerous and underestimated classes of web vulnerabilities, affecting major cloud providers, CDNs, APIs, and large-scale applications worldwide. Even though the industry has been progressively adopting newer standards, a significant portion of critical infrastructure still relies on HTTP/1.1 parsing behavior, and that legacy design is exactly what makes modern systems exploitable.

In this talk, HTTP/1.1 Must Die, we explore how inconsistencies between front-end and back-end servers (such as proxies, load balancers, CDNs, and application servers) allow attackers to craft desynchronized requests that bypass authentication controls, poison caches, leak sensitive data, or even gain full access to internal endpoints.

The session will cover:
• How HTTP/1.1 parsing ambiguities enable request smuggling
• Real-world attack scenarios using CL.TE and TE.CL techniques
• Why modern infrastructures remain vulnerable even behind WAFs
• The impact of HRS in microservices, serverless APIs, and reverse proxies
• How HTTP/2 and HTTP/3 mitigate many of these legacy issues
• Practical guidance for detection, testing, and mitigation
• Why organizations should accelerate their migration away from HTTP/1.1

The session includes hands-on examples, exploit demonstrations, and references to well-known research from PortSwigger, Cure53, and industry reports that shaped today’s understanding of HRS.

This talk aims to help security engineers, developers, and architects understand why maintaining HTTP/1.1 in production environments creates long-term systemic risk and why, for modern security, HTTP/1.1 really must die.

Bio:
Marília Rocha is an Application Security Specialist with experience securing large-scale systems at Mercado Livre and BNP Paribas. Her work focuses on vulnerability management, secure development practices, and modern web security threats. She is also active in the security community, sharing research and training developers to build more secure applications.

👉🏻 https://www.linkedin.com/in/mar%C3%ADliadarocha/
--------------------------
Title: How to Ben10 your way in - Social Engineering meets Red Team

Speaker: David Marques

Abstract:
Every Red Team engagement shares a common objective: to emulate realistic attack scenarios performed by real-world adversaries, with the goal of demonstrating critical business impact rather than simply identifying vulnerabilities, as is typical in traditional penetration testing.

However, technological vulnerabilities are not always the primary path to compromise. In many cases, attackers achieve initial access by targeting the weakest link in corporate environments — people.

This presentation will showcase real-world attack scenarios that resulted in full organizational compromise, with the help of some social engineering techniques.

Bio:
I have been working in pentesting for about 10 years and, for the last 5, have specialized in Red Team engagements with some emphasis on Social Engineering. From stealing computer equipment to posing as a doctor, I’ve successfully conducted engagements on various companies and entities.

👉🏻 https://www.linkedin.com/in/david-marques-ba4689138
