

What we’re about
About the OWASP® Foundation: The Open Web Application Security Project (OWASP®) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible so that individuals and organizations worldwide can make informed decisions about actual software security risks. Everyone is free to participate in OWASP, and all of our materials are available under a free and open software license. You’ll find everything about OWASP linked from our website and current information on our OWASP Blog. OWASP does not endorse or recommend any product or service. This allows our community to remain vendor neutral while drawing on the collective wisdom of the best minds in software security worldwide. We also offer, and encourage, individual membership, which comes with additional benefits.
Upcoming events
#8 - 524554524F4C4F5645
Instituto Superior de Engenharia do Porto (ISEP), Auditório H, Rua de São Tomé, Porto, PT
OWASP Porto Chapter meetup: October 28th, 2025, at 18:00. With support from Instituto Superior de Engenharia do Porto (ISEP) and NOS.
As always, we look forward to seeing you at our next meetup!
How to get there: The event will be at ISEP. See the event location below for the full address.
Agenda:
18:00 - Intro and Welcome by the OWASP Porto chapter leadership
18:15 - FiberGateway GR241AG - Full Exploit Chain by João Domingos
19:00 - Vesta Admin Takeover - Exploiting reduced seed entropy in bash $RANDOM by Adrian Tiron
20:00 - Dinner and Drinks sponsored by NOS
Talks:
FiberGateway GR241AG - Full Exploit Chain
By João Domingos
Abstract:
During 2023 it was identified that it was possible to obtain full control of the FiberGateway GR241AG router (root access), provided by a Portuguese ISP (Meo), via the public wifi network “MEO WiFi”. This wifi network is enabled by default and can only be disabled by contacting the ISP support. More than 1,600,000 households were affected by the identified vulnerabilities.
Blogpost: https://r0ny.net/FiberGateway-GR241AG-Full-Exploit-Chain/
Bio:
João Domingos is a penetration tester with over 8 years of experience in offensive security, specialized in the assessment of web applications and thick client environments. In his free time, Joao is a passionate researcher who enjoys exploring any topic that piques his curiosity. He also holds several offensive security certifications along with the CISSP.
LinkedIn: https://www.linkedin.com/in/joao-domingos-pt/
-----
Vesta Admin Takeover - Exploiting reduced seed entropy in bash $RANDOM
By Adrian Tiron
Abstract:
Vesta is a lightweight, web-based control panel that simplifies Linux server management, appealing to users seeking an intuitive alternative to traditional platforms like cPanel and Plesk. This presentation will examine a critical flaw in Vesta: an admin takeover exploit resulting from reduced seed entropy in the Bash $RANDOM variable. By transforming what was once a theoretical attack into a practical one, we successfully reduced the brute force domain of the seed by over 98%. This allows attackers to generate predictable random values, compromising the security of passwords and tokens. We will discuss the implications of this vulnerability and highlight best practices for enhancing server security in real-world applications.
Bio:
Adrian Tiron is a Co-Founder and Principal Pentester/Red Teamer at FORTBRIDGE with 20 years of experience in cybersecurity. He has a proven track record of success working with top companies in the UK, US, and Europe. As a dedicated researcher and pentester, Adrian has uncovered multiple critical vulnerabilities in open-source and commercial software, contributing significantly to improving online security.
LinkedIn: https://www.linkedin.com/in/tironadrian/
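The abstract above hinges on one property: bash's $RANDOM is a deterministic generator, so a password or token derived from it is only as strong as the secrecy of its seed. The script below is an added illustration written for this page, not Vesta's code or material from the talk; the functions weak_token, strong_token, same_for_seed and strong_is_fresh are hypothetical names. It shows the weak pattern (digits pulled from $RANDOM, with the seed passed in explicitly so the determinism is visible) beside the hardened pattern a defender should use instead: reading from the kernel CSPRNG via /dev/urandom.

```shell
#!/bin/sh
# Added illustration (hypothetical; not Vesta's code): a token derived from
# bash's $RANDOM next to a CSPRNG-backed replacement.

# Weak pattern: eight "random" digits from $RANDOM. The generator is fully
# determined by its seed, so anyone who recovers the seed reproduces the token.
# The seed is passed in here only to make that determinism observable; when
# nothing is assigned, bash seeds $RANDOM itself from a small amount of
# process state, which is the reduced search space the talk describes.
weak_token() {
    bash -c '
        RANDOM=$1; t=""; i=0
        while [ "$i" -lt 8 ]; do
            t="$t$((RANDOM % 10))"; i=$((i + 1))
        done
        printf "%s" "$t"
    ' _ "$1"
}

# Hardened pattern: draw bytes from the kernel CSPRNG (/dev/urandom) and keep
# only alphanumerics. There is no seed to guess; each character is independent.
strong_token() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# Succeeds when the weak generator yields identical output for the same seed
# twice: the property an attacker relies on and that a CSPRNG never has.
same_for_seed() {
    a=$(weak_token "$1"); b=$(weak_token "$1")
    [ "$a" = "$b" ]
}

# Succeeds when two calls to the strong generator have the requested length
# and differ from each other.
strong_is_fresh() {
    a=$(strong_token "$1"); b=$(strong_token "$1")
    [ "${#a}" -eq "$1" ] && [ "${#b}" -eq "$1" ] && [ "$a" != "$b" ]
}

# Stand-alone run: the weak token repeats for a repeated seed, the strong one
# never does.
echo "weak   (seed 1234): $(weak_token 1234)"
echo "weak   (seed 1234): $(weak_token 1234)"
echo "strong (32 chars):  $(strong_token 32)"
echo "strong (32 chars):  $(strong_token 32)"
```

The remediation side is the part worth carrying into real scripts: any secret (initial admin password, reset token, session id) should come from /dev/urandom or an equivalent CSPRNG call, never from $RANDOM, date +%s, or the process id, because all three are reproducible once a small amount of state is known.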
116 attendees