H. Gouvêa (@htrgouvea) 's Twitter Profile
H. Gouvêa

@htrgouvea

research @lesis_lat // creating everything that i put my soul in

ID: 950325640384958464

https://heitorgouvea.me/ 08-01-2018 11:17:43

33 Tweets

735 Followers

232 Following

H. Gouvêa (@htrgouvea) 's Twitter Profile Photo

In this Write-Up I tell a little bit about a vulnerability I found while venturing out testing a financial institution and ended up getting an account takeover heitorgouvea.me/2020/01/03/Fro…

Nipe is an engine, that aims to make the Tor network your default network gateway: we can directly route traffic from our computer to the Tor network through which you can surf the Internet having a more formidable stance on privacy and anonymity: github.com/GouveaHeitor/n…

Today I won a small bounty that came through a fuzzer that I am writing from scratch and although it is something small it makes me very happy 😆

Finally I found a security bug in Tor Browser, but unfortunately (or fortunately?) they were already aware of the bug. It is a technique for fingerprinting the platform of a user using Tor, through the use of "exclusive" fonts of an O.S. heitorgouvea.me/2020/09/23/Det…

My first contribution to MISP: CVE-2020-28043, a case of SSRF in the REST client via the "use_full_path" parameter with an arbitrary URL. heitorgouvea.me/2020/11/03/CVE…

You can use this tip from Sam Anttila 🐛🔍👀 and mix it with the payload from أنس/Brute Logic to get a functional CloudFlare XSS bypass: <svg onx=() onload=window.alert?.()> waf.cumulusfire.net/?globalHtml=%3… #bugbountytip #bugbountytips

If I finish another post, I delete this PoC I made about Differential Fuzzing in Perl Libs, I just don't want to let this year go by without any posts heitorgouvea.me/2021/12/08/Dif…

Another year, another learning experience with fintech apps! This content was made in 2020 but was not intended to be published heitorgouvea.me/2022/12/21/Cha…

raptor@infosec.exchange (@0xdea) 's Twitter Profile Photo

I didn’t know modern Perl apps were a thing, but cool A lightweight #static #security #analysis tool for modern #Perl Apps // by ؘ heitorgouvea.me/2023/03/19/sta…

H. Gouvêa (@htrgouvea) 's Twitter Profile Photo

There are days when motivation doesn't come. But even so, we start. I wrote about this, about action, creativity and the space between emptiness and creation: heitorgouvea.me/2025/06/11/cre…

Zarn is a lightweight static security analysis tool for modern Perl applications. It leverages Perl's AST for analysis and supports SARIF output for integration with security platforms: github.com/htrgouvea/zarn

I rarely talk about bug bounties programs exp, but Apple - a company I deeply admire for its engineering, brand, and products - just implemented a fix from a report I made last year. The whole process was great. Excited to keep researching and reporting

I took advantage of my lunch break and recorded a video (freestyle and uncut, sorry for the stammering) about how my process of learning Spanish went in the first year, what worked and what I would do differently: youtu.be/GDD74gd7vn4?si…