k11h DevOps

SLAC conference workshop

2026-03-02T20:15:00+01:00

conference workshop

I will give a workshop on Web App Security & Bug Bounty Lessons Learned on the SLAC Conference 2026 (May 13, 2026)

The topics covered are:

Real-world vulnerabilities (SQLi, XSS, RCE, Path Traversal) based on actual Bug Bounty reports
Attacker's perspective: how external researchers think and what internal teams miss
Practical defense strategies at code, server & browser level
Bug Bounty operations: triaging, researcher communication, false positives vs. real findings
Live demos with industry-standard hacking tools (ffuf, nuclei, BeEF, Juice Shop)
Actionable takeaways for Admins, DevOps & Security Engineers

more details and registration

the details page can be found here

bbot-ui - a terminal gui for bbot

2025-12-05T08:00:00+01:00

what is it

A self-contained terminal UI for browsing and analyzing bbot scan results. bbot is an awesome tool made by blacklanternSecurity.

source

the sources, documentation and releases are located here

bug bounty

2021-12-31T23:59:00+01:00

Motivation

Ich investiere gern einen Teil meiner Freizeit in die Suche und das Melden von Schwachstellen. Selbstverständlich erwarte ich hierfür keinerlei Gegenleistung.

Dennoch möchten sich die meisten Betreiber gern erkenntlich zeigen und meine Arbeit unterstützen.

Unterstützung

Wenn Sie meine Arbeit unterstützen möchten können Sie dies auf folgende Weise:

1) Eine Spende für

Servermiete / Laborumgebung (ca. 50€/Monat)
Software Lizenzen (z.B. Burp Suite: 350€/Jahr)
die geplante Schulung und Zertifizierung als Ethical Hacker (ca. 2500€)

https://paypal.me/KarBerlin

2) Amazon-Wunschliste

https://www.amazon.de/hz/wishlist/ls/16BKUO7S8QAYB

3) Eine Empfehlung

via LinkedIn

4) Karma

oder ganz klassisch mit einem "Danke sehr" oder einem originellen T-Shirt (in Größe L).

bug bounty

2021-12-31T23:59:00+01:00

motivation

I invest some of my spare time in security research and responsible disclosure.
Of course, I do not expect any compensation for this.

However, most website owners want to express their gratitude for reporting a vulnerability.

support my work

you can support my work in different ways:

1) a donation for

server costs / lab environment (ca. 50€/month)
software licence (e.g. Burp Suite: 350€/year)
a planned training and certification as ethical hacker (ca. 2500€)

https://paypal.me/KarBerlin

2) Amazon wishlist

https://www.amazon.de/hz/wishlist/ls/16BKUO7S8QAYB

3) kudos

via LinkedIn

4) karma

or simply by saying "thank you" or a funny t-shirt (in size L).

big vpn providers are owned by one company

2021-11-29T20:15:00+01:00

vpn providers

according to a well-investigated article these four vpn providers are now owned by one company alongside with vpn review sites.

make sure to read the original article before choosing a vpn service of trust:

ExpressVPN
CyberGhost
Private Internet Access
Zenmate

source

the referred article can be found here

zabbix http/s checks from yaml dict

2021-04-11T14:12:00+02:00

motivation

to maintain the principle of configuration-as-code this tools helps to bulk create and update http/s checks from your zabbix server

imagine you need to monitor many different http/s microservice endpoints
you can create them using the zabbix gui, or note them down in a simple yaml dict. this automation uses ansible to utilize the zabbix api to create zabbix http/s checks with graphs and alert trigger

health_checks:
    - check_url:              "https://www.example.com/blog/"
    - check_url:              "https://api.example.com/endpoint/search?query=token"
      check_searchstring:     "Results for: token"
    - check_url:              "https://api.example.com/long/running/api"
      check_timeout:          "10s"
    - check_url:              "https://api.example.com/special/returncode"
      check_returncode:       "200,206"
    - check_url:              "https://static.example.com/images/"

source

the sources, documentation and examples are located here

AWS Shared ALB by EC2 instance tag

2021-02-15T08:00:00+01:00

motivation

in AWS setups, loadbalancers can be are quite cost-intensive.
If you are in a non-production environment, you probably do not need one LB for each (micro-)service.
This lambda function automatically adds ec2 instances to a targetgroup & adds a host-header-based rule to a single shared ALB

source

the sources, documentation and examples are located here

Simple Jinja2 templating script

2021-01-14T08:12:00+01:00

motivation

What I really love about Ansible is it's powerful templating capabilities.
It all boils down to the jinja2 templating engine, so I wrote a small script for just that part.

In this example I am using Jinja2 templating to generate a .ssh/config file from a yaml dict

#!/usr/bin/python3 

# run.py example/vars.yaml example/ssh_config.j2 [out.txt]

from jinja2 import Template
import yaml, sys
# load yaml vars file
yaml = yaml.safe_load(open(str(sys.argv[1]), 'r'))
# load jinja2 template file
template = Template(open(str(sys.argv[2])).read())
# if no out file was provided
if len(sys.argv) == 3:
    # print to stdout
    print(template.render(yaml))
# if outfile was provided
elif len(sys.argv) == 4:
    # write result to output file
    with open(str(sys.argv[3]), 'w') as f:
        print(template.render(yaml), file=f)

source

the sources, documentation and examples are located here

Running Ansible inside Docker

2020-12-22T08:12:00+01:00

why

Sometimes it is important to be independent from your local dev machines setup.
I wrote a small wrapper script to run ansible tasks inside a docker container.

wrapper

#!/bin/bash
vault=~/.ansible-vault-pass
# check if argument was supplied
if [ $# -eq 0 ]
  then
    echo "No arguments supplied; usage: $0 'ansible-playbook playbook.yaml' # The QUOTES are important here! "
    exit 1
fi

if [ -f "$vault" ]; then
    docker container run -it --rm \
    -v $(pwd)/../:/data \
    -v $vault:/root/.ansible-vault-pass \
    -e ANSIBLE_VAULT_PASSWORD_FILE=/root/.ansible-vault-pass \
    cytopia/ansible:latest $1
else
    echo "$vault file does not exist."
fi