11 Followers
1 Following
33 Posts
Founder @secdim, @sectalks. Senior Lecturer @unsw
Homepage: https://secdim.com

My jet-lagged side project: I hacked a MIFARE card and turned it into a smart business card that actually does something when you tap it + It lit-up 😎

Here is my write-up: https://pedramhayati.com/blog/hack-mifare-card-into-business-card/

🔥 Cooking up something fresh for @firstdotorg!
New challenge formats dropping at #FIRSTCON25 🇩🇰:
👨‍💻 Incident Response for Developers
👨‍💻Defensive CI/CD + Secure Cloud Native Apps
⚔️ Attack & Defence (Battle-Mode) Challenge
Catch us in Copenhagen 👉 https://www.first.org/conference/2025/
We have not even got a solution for prompt injection; meanwhile, whole new classes of AI vulnerabilities have emerged. The same new-tech cycle: build, ship, profit, maybe sometime later think about how to secure it https://vulnerablemcp.info #ai #security
The Vulnerable MCP Project

A community-maintained database of known vulnerabilities, limitations, and security concerns with the Model Context Protocol (MCP)

Github Actions secure learning challenge based on the tj-action/reviewdog security incidents. It is free. Can you fix it?
🎓 https://play.secdim.com/game/cicd/challenge/pingithub

#cicd #github #actions #security

Play - SecDim

Learn AppSec & DevSecOps via git-based challenges

Insecure (de)serialization in Go (encoding/gob) by overwriting a field that causes the encoder to get confused, use a lot of CPU and end in a stack overflow (fatal crash). This one took me a while to make, as Go has many secure-by-default features that make it complex to introduce some vulnerabilities. If you develop a backend service, you must choose Go when you care about security. #securecoding #challenge #go
New GPT4o prompt injection technique: the Time Bandit jailbreak https://www.kb.cert.org/vuls/id/733789 . Each jailbreak is proof of an underlying issue. LLMs are non-deterministic and complex. Our current remediation approaches are "blacklisting". There will be more jailbreaks until we address the root cause. #gpt #promptinjection #jailbreak
CERT/CC Vulnerability Note VU#472136

Information Leak and DoS Vulnerabilities in Redmi Buds 3 Pro through 6 Pro

Baking some Android secure coding challenges inspired by the latest changes to Android and OWASP MASVS. It was quite a bit of a challenge for me to get the Android testing streamlined in CI. I feel you #androiddev #securecoding #challenge
1... 2... 3... (1. 😱) (2. 😈) (3. 🤯) (4. #wtf) Your choice is? #securecoding
Lately, I've noticed "../" stripping being used to patch Path Traversal in our Attack & Defense AppSec challenges. While it might seem like a quick fix, it doesn't tackle the root cause of this vulnerability. Plus, there are clever ways to bypass it, as I demo here. #appsec #python #securecoding
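As an added illustration of the point in this post (example code written for this page, not the original demo), here is a small Python comparison of a one-pass "../" strip against a canonicalise-then-check approach. The base directory, the sample inputs and the function names are constructed for the example; the idea is that stripping rewrites the input and can itself produce a traversal sequence, while normalising the joined path and checking that it still lies under the base directory does not depend on guessing every bypass.

```python
import posixpath

# Constructed example: document root that uploads must stay inside.
BASE_DIR = "/srv/app/uploads"


def strip_dotdot(user_path: str) -> str:
    """Naive mitigation: remove every '../' substring in a single pass.

    This is the "quick fix" pattern; note that removing '../' from
    '....//' leaves '../' behind, so the input is *rewritten into*
    a traversal sequence rather than neutralised.
    """
    return user_path.replace("../", "")


def naive_resolve(user_path: str) -> str:
    """Strip '../' then join with BASE_DIR (the pattern being criticised)."""
    return posixpath.normpath(posixpath.join(BASE_DIR, strip_dotdot(user_path)))


def safe_resolve(user_path: str):
    """Canonicalise the joined path and refuse anything outside BASE_DIR.

    Returns the resolved path, or None when it would escape the base
    directory. No rewriting of the input takes place: '....' is just an
    ordinary (odd) file name, absolute inputs are rejected because
    posixpath.join discards BASE_DIR for them, and any number of '..'
    components is handled by normpath before the containment check.
    """
    resolved = posixpath.normpath(posixpath.join(BASE_DIR, user_path))
    if posixpath.commonpath([BASE_DIR, resolved]) != BASE_DIR:
        return None
    return resolved


def classify(user_path: str) -> dict:
    """Show both outcomes for one input so the difference is visible."""
    return {
        "input": user_path,
        "naive": naive_resolve(user_path),
        "safe": safe_resolve(user_path),
    }


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one absolute, two traversal attempts.
    for sample in ("reports/2024/q1.pdf", "/etc/passwd",
                   "../../etc/passwd", "....//etc/passwd"):
        print(classify(sample))
```

Running the block shows that the stripped version of `....//etc/passwd` resolves to `/srv/app/etc/passwd`, outside the upload root, and that the naive join simply discards the base directory for an absolute input; the canonicalise-then-check function returns `None` for both escapes and keeps legitimate relative paths unchanged.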
Lots of articles about prompt injection, but so few on secure prompt engineering. Here are results based on real data: the top 8 defensive techniques to secure LLM apps against prompt injection. Screenshots from my #BlackHat Asia #AI wargame https://discuss.secdim.com/t/eight-defensive-techniques-to-secure-llm-apps-against-prompt-injection/2512
Eight Defensive Techniques to Secure LLM Apps Against Prompt Injection

This is an excerpt from our experiment titled: Lessons Learned from a Public Experiment: Securing and Attacking LLM-Based Apps. The following defensive techniques were used by players to secure their app against prompt injection. 1. Output Filtering: In this technique, the LLM output is scrutinised for any violation of its rules using string matching. Players employed two techniques for output filtering: performing pattern matching for specific keywords like “secret,” “SecDim,” “secret phrase,” et...

Discuss