Bob van der Staak
Ethical hacker / Red teamer @ Nederlandse Spoorwegen
Rotterdam, The Netherlands
Bob van der Staak is an ethical hacker and red teamer at the Dutch Railways. Sharing knowledge is his passion, and with his background in software development and technical informatics, he implements code to assist with his daily assessments.
From web penetration testing to malware development and cloud technologies, he is eager to learn and share his expertise.
HTTP Headers, their secrets and how they help find bots
Ever noticed that when you host a new website, it almost immediately starts receiving a surprising number of requests from all over the world? Most of these aren’t real users; they're automated bots probing your application to learn more about your system.
Every request contains hidden clues: technical details that can reveal what (or who) is actually calling your service. In this talk, we’ll dissect those requests and explore how we can determine, on the server side, whether we’re dealing with a bot or a genuine user.
We can use these techniques to guard our red teaming infrastructure, to limit detection and block the prying eyes of SOC analysts and other security vendors. But of course it can be used for any type of application.
Want to see what the bots couldn’t? Watch my talk!
Protecting Your AiTM Infrastructure from Nosy Bots
Red teaming can be challenging, especially when simulating realistic social engineering attacks. You build an entire infrastructure carefully crafted to lure in your potential targets. Then, the moment it goes live, it's immediately discovered and taken down. All your hard work, gone in mere minutes.
But not to worry! In this talk, we will shed some light on how you can protect your AiTM infrastructure from prying eyes. We'll share techniques to detect automated bots and safeguard your systems. You'll learn how we dynamically swap content based on our scoring system and modify visual elements to outsmart detections of AiTM attacks.
This session provides a behind-the-scenes look at how our team successfully confronted these automated threats.
Want to see what the bots couldn’t? Join us for our talk!
Getting your scope in control during a Quishing Red Teaming Assessment
Red teaming can be challenging, especially when simulating real-world attacks like QR code phishing (“quishing”) within a tightly defined scope. How do you credibly launch a phishing campaign without wanting to know the specific targets, exposing sensitive information, or putting unintended users at risk?
This session offers a behind-the-scenes look at how our team tackled these constraints. We will dig into some open-source tools that can be used, some custom tweaks that we made to make them more secure and believable, and the pitfalls you can hopefully avoid.
We will walk you through the attack chain: from the phishing poster, to using a customized EvilGinx to perform in-scope determination, to generating a believable ending for our "users", and, to close, some automated attacks that can be performed as a follow-up.
> Depending on whether it is a lightning talk or a main stage talk, we can go deeper into the technical details (how to modify EvilGinx, poster OPSEC setup) or give a more general explanation of the attack and the lessons learned.
BSides Den Haag 2026 (Sessionize event, upcoming)
hek.si 2026
Quishing Without Compromise: Scoping, Tools, Tricks, and Lessons Learned
Red teaming can be challenging, especially when simulating real-world attacks like QR code phishing (“quishing”) within a tightly defined scope. How do you credibly launch a phishing campaign without wanting to know the specific targets, exposing sensitive information, or putting unintended users at risk? This session offers a behind-the-scenes look at how our team tackled these constraints. We will dig into some open-source tools that can be used, some custom tweaks that we made to make them more secure and believable, and the pitfalls you can hopefully avoid. We will walk you through our attack chain:
(1) Redirector and how to filter the bots away
(2) Using a customized EvilGinx instance to verify the scope
(3) Creating a believable landing page for our targets
(4) Lessons learned and possible automated attacks
BSides Amsterdam 2025 (Sessionize event)
Hek.si 2025
Enumerating Kubernetes for exploitation
Imagine you have access to kubectl with a valid kubeconfig, or you exploited a pod inside a Kubernetes cluster. What steps should you take to validate and exploit the node? And what information can and should be retrieved that is valuable? By making use of kubectl, we can identify incorrect implementations and learn what the correct security implementations are; this is what you will take away from this talk.
Finally, we share a self-created PowerShell module to assist you in these endeavors in the future by automating the process.
Hek.si 2024
What are syscalls and how do they help bypass EDRs?
In the world of antivirus and EDRs, there is a constant effort to validate the use of suspicious Windows API calls. These checks help mitigate attacks from malware and adversaries that utilize these APIs. In this talk, the presenter will share insights on how malware attempts to bypass these checks by utilizing direct syscalls.
Through direct syscalls, we can circumvent the Windows API and communicate directly with the kernel. By the end of this talk, you will gain additional knowledge about EDRs, the nature of syscalls, and how they are employed in malware to evade security checks from antivirus and EDR systems. You will also gain insights into how you could develop these techniques yourself.