You use Claude Code to find vulnerabilities, I find vulnerabilities in Claude Code.
Your mom's favorite hacker!
My other account is @joern
| 0day.click | https://0day.click |
| bugkraut.de | https://bugkraut.de |
That little string
ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86
(see https://platform.claude.com/docs/en/test-and-evaluate/strengthen-guardrails/handle-streaming-refusals#implementation-guide ) is so much fun. I wonder when Anthropic will regret this and remove it.
Also I obviously wonder what else is there in terms of MAGIC_STRINGs which aren't documented.
Hat tip to @michenriksen for pointing me to this.
I found a thing (RCE) in langgraph. ;D
https://github.com/langchain-ai/langgraph/security/advisories/GHSA-wwqv-p2pp-99h5
Today I have a more serious topic than usual, please consider reposting for reach:
My wife and I are urgently looking for a specialist in neuropediatrics or a similar field for our autistic child with a diagnosed, but not further specified, movement disorder (myoclonus and/or spasms) to finally find a cause and, above all, an effective therapy. The symptoms have been bothering our son ever since he was born, now for more than nine years, seriously affecting his sleep. The usual processes and medical contact points have failed us unfortunately and he seems stuck in this condition.
We’re based in Berlin, Germany but really any contact with a specialist who would be willing to take on this case we’d be grateful for!
To reach us you can DM me or contact us via Email at [email protected]
Really a huge honor for me to be invited to give a keynote at NULLCON Berlin in September.
Given my recent work focus at GitLab I'll share my thoughts around LLMs. Make sure to bring some popcorn!
I got a week of PTO left.
What code should I read? Please drop suggestions with a reason why I should read it.
I messed up my gotosocial instance here at threatactor.club, it's running on fly.io and a very long migration was interrupted by a health check.
I was fiddling with the sqlite DB for a while and tried to recover that mess... until I noticed that there are automated snapshots of the volume which holds the DB, daily with five days of retention. Huge props to fly.io for saving my virtual ass with this.
@thc I mean the ACME RFC states it already:

> An active attacker on the validation channel can subvert the ACME
> process, by performing normal ACME transactions and providing a
> validation response for his own account key.

https://datatracker.ietf.org/doc/html/draft-ietf-acme-acme-10#section-10
Certificates in PKI using X.509 (PKIX) are used for a number of purposes, the most significant of which is the authentication of domain names. Thus, certificate authorities in the Web PKI are trusted to verify that an applicant for a certificate legitimately represents the domain name(s) in the certificate. Today, this verification is done through a collection of ad hoc mechanisms. This document describes a protocol that a certification authority (CA) and an applicant can use to automate the process of verification and certificate issuance. The protocol also provides facilities for other certificate management functions, such as certificate revocation. RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH: The source for this draft is maintained in GitHub. Suggested changes should be submitted as pull requests at https://github.com/ietf-wg-acme/acme [1]. Instructions are on that page as well. Editorial changes can be managed in GitHub, but any substantive change should be discussed on the ACME mailing list ([email protected]).