Philippe De Ryck
@philippederyck.bsky.social
I help developers protect companies through better web security
Join me for another OAuth & OIDC masterclass. We will cover use cases, complexities, latest best practices, and high-security configuration options for OAuth in 4 live 3-hour sessions.
Early bird discount available for 10 more days buff.ly/wLedqA2 #appsec
April 9, 2025 at 9:18 AM
SecAppDev is now on Bluesky. If you want to stay up to date, make sure you follow us!
Since 2005, SecAppDev has offered an annual week-long course on secure application development. We bring an immersive experience with expert-led lectures, hands-on workshops, and real-world security insights.
Follow us to stay up to date on the next edition and on relevant appsec content!
February 14, 2025 at 5:37 PM
This cheat sheet gives you an overview of current best practices for using OAuth 2.0. Grab a PDF copy here (buff.ly/4jCred1). If you want to learn more about these topics, this masterclass covers it all! buff.ly/3PnrZJ6 The early-bird rate has been extended for a few more days, so grab a ticket now!
January 29, 2025 at 3:16 PM
Today, I'm doing back-to-back talks at NDC Security 2025. In this second talk, I'm discussing how a previous talk at NDC resulted in me joining as a co-author of the OAuth spec for browser-based apps. Grab the slides here: https://buff.ly/4fMgG8Z #appsec #infosec
Breaking and securing OAuth 2.0 in frontends
Discover the underestimated threat of Cross-Site Scripting (XSS) in OAuth 2.0 Single Page Applications. Learn about hacks on frontend OAuth clients and explore solutions like the Backend-for-Frontend…
buff.ly
January 23, 2025 at 9:21 AM
I am talking about API security at NDC Security 2025. Using real-world cases, we discuss a couple of do's and don'ts that can help you secure your APIs. You can grab a copy of the slides here: https://buff.ly/46TtghZ #appsec #infosec
SEVEN things about API security
In this talk, we delve into key vulnerabilities from the OWASP API Security top 10, demonstrate a practical exploitation example, and discuss two real-world case studies to guide you in enhancing…
buff.ly
January 23, 2025 at 8:02 AM
I am kicking off 2025 with a new live interactive training on OAuth 2.0 and OIDC. This course covers the latest best practices for browser-based apps, API security, and high-security OAuth configurations.
Early bird and group (3+) discounts available! Info & registration: https://buff.ly/3PnrZJ6
January 6, 2025 at 1:05 PM
Last week, I taught two 2-day classes, which is always insanely intense and really requires an enormous amount of energy. Fortunately, the feedback makes it worth it!
Now two weeks of doing some research and consulting. And of course, prepping the menu and trying out some dishes for the holidays!
December 10, 2024 at 10:18 AM
Reposted by Philippe De Ryck
Awesome research! It's always crazy how many vulnerabilities you can still find by just reading RFCs 🔥
Did you know you can use an ancient magic cookie to downgrade parsers and bypass WAFs?! Hope you enjoy this quality bit of RFC-diving from @d4d89704243.bsky.social!
portswigger.net/research/byp...
Bypassing WAFs with the phantom $Version cookie
HTTP cookies often control critical website features, but their long and convoluted history exposes them to parser discrepancy vulnerabilities. In this post, I'll explore some dangerous, lesser-known
portswigger.net
December 5, 2024 at 6:59 AM
Reposted by Philippe De Ryck
Excited to be at the OWASP BeNeLux Days, with the wonderful security community. I will be speaking about Supercharging OAuth security (slides here: https://buff.ly/4ikT64W) and doing a 1-day API security workshop. #appsec #infosec
Supercharging OAuth 2.0 security
Discover how to apply OAuth 2.0 in high-security scenarios, exploring its latest security enhancements. Learn about advanced features like Resource Indicators, JAR, PAR, and DPoP, gaining the…
buff.ly
November 28, 2024 at 10:53 AM
Hey @webappsec.dev, any idea if there's a way to make import() (developer.mozilla.org/en-US/docs/W...) work with nonce propagation? It works with 'strict-dynamic', but having explicit nonce propagation would also be nice …
import() - JavaScript | MDN
The import() syntax, commonly called dynamic import, is a function-like expression that allows loading an ECMAScript module asynchronously and dynamically into a potentially non-module environment.
developer.mozilla.org
November 26, 2024 at 12:16 PM
Reposted by Philippe De Ryck
I'm in the process of creating a *web security* starter pack and need your help finding more webbies here. Please share and recommend folks passionate about web security in comments below so we can get this community started here 🙂
go.bsky.app/Uf8dZhz
November 17, 2024 at 10:12 AM
In a couple of weeks, I'm teaching two live online workshops, both consisting of a mix between lectures, demos, quizzes, and hands-on lab sessions:
- Securing Angular apps on Dec 2-3 (https://buff.ly/3uX8Rv1)
- Bulletproof APIs on Dec 5-6 (https://buff.ly/48JQM2Y)
Hope to see you there! #appsec
November 12, 2024 at 10:18 AM