#13 Baker's Dozen

Are “Just-in-Time” event announcements a thing? Well, it is now! 📢

This is our 13th event, another auspicious number. It wasn’t easy getting all of our ravens in a row, we have a shorter agenda this time, but we made it happen 🐦‍⬛

Don’t worry, we’re not superstitious. Panis et securitas for all 🥖

This OWASP Lisboa chapter meetup will be held on June 2nd, 2026, at 18:30 and is supported by Microsoft Portugal and AP2SI 🤝🏻

The meetup will take place at the Microsoft Portugal office. Big building, Microsoft logo, can’t miss it 🧭

Our tentative schedule:
18:40 - Quick intro by the OWASP Lisboa chapter leadership team
18:50 - “HTTP/1.1 Must Die” by Marília Rocha (⚡🗣️)
19:05 - "We Tried to Containerize Hosting — It Didn’t Work" by Uliana Stiagailo
19:35 - “How to Ben10 Your Way In - Social Engineering Meets Red Team” by David Marques

Although the activities start later, please try to arrive by 18:30 to allow ample time to settle in ⌚
--------------------------
Talks:
--------------------------
Title: Http 1.1 must die

Speaker: Marília Rocha

Abstract:
HTTP Request Smuggling (HRS) remains one of the most dangerous and underestimated classes of web vulnerabilities, affecting major cloud providers, CDNs, APIs, and large-scale applications worldwide. Even though the industry has been progressively adopting newer standards, a significant portion of critical infrastructure still relies on HTTP/1.1 parsing behavior, and that legacy design is exactly what makes modern systems exploitable.

In this talk, HTTP/1.1 Must Die, we explore how inconsistencies between front-end and back-end servers (such as proxies, load balancers, CDNs, and application servers) allow attackers to craft desynchronized requests that bypass authentication controls, poison caches, leak sensitive data, or even gain full access to internal endpoints.

The session will cover:
• How HTTP/1.1 parsing ambiguities enable request smuggling
• Real-wor