Full context: I built SecureBank AI Assistant, a deliberately vulnerable AI banking chatbot powered by Groq's Llama 3 70B.
5 exploitation techniques. 100% success rate against standard protections.
Flags cover:
System prompt extraction
Content filter bypass
Function calling abuse
Persistent backdoor injection
RAG document poisoning
CTF challenge to practice: github.com/oussamaafnakkar/AccessDenied
Try it, break it, learn from it.
Over $1100 worth of prizes:
Prizes
Top performers will earn no-cost access to SANS training for further cyber skills development, including four prize categories:
| Prize Category | Prize |
|---|---|
| Overall top finishers 1-3 | A license to SEC401, Security Essentials |
| Overall top finishers 4-6 | A license to SEC480, AWS Secure Builder |
| Overall top finishers 7-9 | A license to SEC495, Leveraging LLMs |
| Regional top 20 finishers (per country) | 6-month access to SANS SkillQuests by NetWars |
The event is open to all students from participating AWS Skills to Jobs Tech Alliance institutions across the US, Latin America, Europe and Asia-Pacific regions.
Lately I've been using AI tools (Cursor / Antigravity / etc.) to prototype faster.
It's amazing for speed, but I noticed something uncomfortable: a lot of the generated code had subtle security problems.
Examples I kept seeing:
Hardcoded secrets
Risky API routes
Potential IDOR patterns
So I built a small tool called CodeArmor AI that scans repos and PRs and classifies issues as:
Definite Vulnerabilities
Potential Risks (context required)
It also calculates a simple security score and PR risk delta. Not trying to replace real audits - more like a "sanity layer" for fast-moving / AI-heavy projects.
If anyone's curious or wants to roast it
Would genuinely love feedback from real devs
In an attempt to sharpen my hardware hacking skills, I took on the challenge of extracting firmware off a flip phone 📱.
But... I kind of underestimated my opponent:
- No trace of the firmware online
- No OTA updates
- Debug interface nowhere to be found
- The chip holding the firmware has no legs
Quite the challenge.
I ended up dead-bugging the chip and wiring it to the Xgecu T48 Flash programmer.
Enjoy!
Sharing an IAM-focused knowledge check covering identity lifecycle, access governance, authentication, and privilege management.
It’s intended as a short fundamentals self-check for security practitioners.
Disclosure: This is from ETCISO. Sharing purely as an educational resource.
Microsoft today released updates to fix more than 50 security holes in its Windows operating systems and other software, including patches for a whopping six “zero-day” vulnerabilities that attackers are already exploiting in the wild.

Zero-day #1 this month is CVE-2026-21510, a security feature bypass vulnerability in Windows Shell wherein a single click on a malicious link can quietly bypass Windows protections and run attacker-controlled content without warning or consent dialogs. CVE-2026-21510 affects all currently supported versions of Windows.
The zero-day flaw CVE-2026-21513 is a security bypass bug targeting MSHTML, the proprietary engine of the default Web browser in Windows. CVE-2026-21514 is a related security feature bypass in Microsoft Word.
The zero-day CVE-2026-21533 allows local attackers to elevate their user privileges to “SYSTEM” level access in Windows Remote Desktop Services. CVE-2026-21519 is a zero-day elevation of privilege flaw in the Desktop Window Manager (DWM), a key component of Windows that organizes windows on a user’s screen. Microsoft fixed a different zero-day in DWM just last month.
The sixth zero-day is CVE-2026-21525, a potentially disruptive denial-of-service vulnerability in the Windows Remote Access Connection Manager, the service responsible for maintaining VPN connections to corporate networks.
Chris Goettl at Ivanti reminds us Microsoft has issued several out-of-band security updates since January’s Patch Tuesday. On January 17, Microsoft pushed a fix that resolved a credential prompt failure when attempting remote desktop or remote application connections. On January 26, Microsoft patched a zero-day security feature bypass vulnerability (CVE-2026-21509) in Microsoft Office.
Kev Breen at Immersive notes that this month’s Patch Tuesday includes several fixes for remote code execution vulnerabilities affecting GitHub Copilot and multiple integrated development environments (IDEs), including VS Code, Visual Studio, and JetBrains products. The relevant CVEs are CVE-2026-21516, CVE-2026-21523, and CVE-2026-21256.
Breen said the AI vulnerabilities Microsoft patched this month stem from a command injection flaw that can be triggered through prompt injection, or tricking the AI agent into doing something it shouldn’t — like executing malicious code or commands.
“Developers are high-value targets for threat actors, as they often have access to sensitive data such as API keys and secrets that function as keys to critical infrastructure, including privileged AWS or Azure API keys,” Breen said. “When organizations enable developers and automation pipelines to use LLMs and agentic AI, a malicious prompt can have significant impact. This does not mean organizations should stop using AI. It does mean developers should understand the risks, teams should clearly identify which systems and workflows have access to AI agents, and least-privilege principles should be applied to limit the blast radius if developer secrets are compromised.”
The SANS Internet Storm Center has a clickable breakdown of each individual fix this month from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on askwoody.com, which often has the skinny on wonky updates. Please don’t neglect to back up your data if it has been a while since you’ve done that, and feel free to sound off in the comments if you experience problems installing any of these fixes.
A C# CLI tool to probe a webserver for HTTP/1.1 compliance.
I frequently see performance (throughput) benchmarks for webservers, but never ones about strictness or compliance. Since I work on building webserver frameworks and needed a tool like this, I made it a weekend project. I will keep adding more tests, and any contributions (new tests, new frameworks, test revisions) are very welcome.
To make it a little more interesting, I made it sort of a platform with leaderboards for comparison between webservers. Given the not-too-clear nature of many RFCs, I wouldn't take these results too seriously, but they can be an interesting comparison between different implementations' behavior.
In my day job I often need to send logs to vendors, tickets or support chats, but they contain emails, IPs and tokens.
I built a small API that redacts sensitive data before sharing.
No storage, no retention, just input → sanitized output.
Currently using it myself, curious if this solves a real pain for others.
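As an added illustration of the approach this post describes (example code written for this page, not the author's API), here is a small Python redactor that replaces emails, IPv4 addresses, JWTs, bearer tokens and a few common API-key shapes with numbered placeholders. The sample log lines are constructed, and the set of token patterns is an assumption about which shapes matter, not the service's actual rule set:

```python
import re
from typing import Dict, List, Tuple

# Patterns are applied in this order so that composite secrets (a JWT inside an
# Authorization header) are consumed before the more generic rules run.
PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("JWT", re.compile(r"\beyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\b")),
    ("BEARER", re.compile(r"(?i)(?<=bearer )[A-Za-z0-9._~+/=-]{16,}")),
    ("TOKEN", re.compile(r"\b(?:ghp_|sk-|AKIA)[A-Za-z0-9]{16,}\b")),   # assumed key shapes
    ("EMAIL", re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")),
    ("IPV4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("HEX", re.compile(r"\b[0-9a-fA-F]{32,}\b")),                      # long hex blobs (hashes, session ids)
]


class Redactor:
    """Replaces sensitive values with placeholders that stay consistent within one run,
    so whoever reads the sanitized log can still correlate repeated users or hosts."""

    def __init__(self) -> None:
        self._placeholders: Dict[Tuple[str, str], str] = {}
        self._counts: Dict[str, int] = {}

    def _placeholder(self, kind: str, value: str) -> str:
        key = (kind, value)
        if key not in self._placeholders:
            self._counts[kind] = self._counts.get(kind, 0) + 1
            self._placeholders[key] = f"[{kind}#{self._counts[kind]}]"
        return self._placeholders[key]

    def redact(self, text: str) -> str:
        for kind, pattern in PATTERNS:
            text = pattern.sub(lambda m, k=kind: self._placeholder(k, m.group(0)), text)
        return text

    def counts(self) -> Dict[str, int]:
        """Number of distinct values redacted per category (useful as a report)."""
        return dict(self._counts)


def redact_with_report(text: str) -> Tuple[str, Dict[str, int]]:
    r = Redactor()
    return r.redact(text), r.counts()


# Constructed sample log (not real data); same user and IP appear twice on purpose.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z INFO login ok user=alice@example.com src=203.0.113.7
2024-03-01T10:00:01Z DEBUG Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlLXNpZ25hdHVyZQ
2024-03-01T10:00:02Z WARN rate limit for alice@example.com from 203.0.113.7
2024-03-01T10:00:03Z ERROR github push failed token=ghp_abcdefghijklmnopqrstuvwxyz123456
"""

if __name__ == "__main__":
    sanitized, report = redact_with_report(SAMPLE_LOG)
    print(sanitized)
    print(report)
```

Two caveats worth knowing before pasting the output into a vendor ticket: the 32-hex rule will also swallow SHA-256 hashes, which you may want to keep, and IPv6 addresses are not covered at all, so add rules for your own log formats rather than trusting a generic list.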
Over the past few months we’ve been running the MCP Trust Registry, an open scanning project looking at security posture across publicly available MCP server builds.
We’ve analyzed 8,000+ servers so far using 22 rules mapped to the OWASP MCP Top 10.
Some findings:
We just added private repo scanning for teams running internal MCP servers. Same analysis, same evidence depth. Most enterprise MCP adoption is internal, so this was the #1 request.
Interested to know what security review processes others have for MCP servers, if any. The gap we keep seeing isn’t intent, it’s that MCP is new enough that standard security gates haven’t caught up.
Happy to share methodology details or specific vuln patterns if useful.
We've been quietly rebuilding Open Security Architecture (opensecurityarchitecture.org) -- a project that's been dormant for about a decade. This week we published 15 new security patterns covering areas that didn't exist when the original patterns were written:
- Zero Trust Architecture (51 mapped controls)
- API Security (OWASP API Top 10 mapped to NIST 800-53)
- Secure AI Integration (prompt injection, delegation chain exploitation, shadow AI)
- Secure DevOps Pipeline (supply chain, pipeline poisoning, SLSA provenance)
- Passkey Authentication (WebAuthn/FIDO2)
- Cyber Resilience (DORA, BoE/PRA operational resilience)
- Offensive Security Testing (CBEST/TIBER-EU)
- Privileged User Management (JIT/ZSP)
- Vulnerability Management
- Incident Response
- Security Monitoring and Response
- Modern Authentication (OIDC/JWT/OAuth)
- Secure SDLC
- Secure Remote Working
- Secure Network Zone Module
Each pattern maps specific NIST 800-53 Rev 5 controls to documented threat scenarios, with interactive SVG diagrams where every control badge links to the full control description. 39 patterns total now, with 191 controls and 5,500+ compliance mappings across ISO 27001/27002, COBIT, CIS v8, NIST CSF 2.0, SOC 2, and PCI DSS v4.
There's also a free self-assessment tool -- pick a pattern, score yourself against each control area, get gap analysis and radar charts with benchmark comparison against cross-industry averages.
Everything is CC BY-SA 4.0, structured data in JSON on GitHub. No paywalls.
https://www.opensecurityarchitecture.org
Happy to answer questions about the control mappings or pattern design.
Russ
Hey,
A couple of years ago I wrote solutions for the OverTheWire Bandit wargame. Recently, while reorganizing my documentation, I revisited that material and decided to properly clean it up and restructure it into a single, coherent walkthrough. This isn’t a formal course, it’s a complete Bandit walkthrough with in-depth explanations, written to extract as much understanding as possible from each level, not just to get the flag.
For every level, I included:
The intent was to make this usable by someone starting from zero, but also detailed enough that you can finish Bandit feeling like you’ve actually milked it for all the knowledge it has to offer. Commands, patterns, and underlying UNIX concepts.
This is probably most useful if you:
And to be fair, I think that even people who are more used to working with UNIX might actually learn a thing or two from these.
You can exploit the Service Failure Recovery feature of Windows Service to execute a payload without ever touching the ImagePath. The biggest issue when exploiting Service Failure Recovery to execute a payload is figuring out how to trigger a "crash".
Hi folks, I wanted to share a project of mine and get some feedback from the community.
Coalmine is a canary management platform I've built to let security admins deploy canary tokens (and objects) easily in their cloud environments.
Currently it's in early alpha and supports S3, GCS, AWS IAM, and GCP service accounts.
The tool provides a web UI, CLI and API, allowing you to integrate it with your custom tooling (when it's production-ready).
Example use for the API: have your CI/CD pipelines request a canary token to embed in code, so you can identify when the source has been exposed and attackers are testing credentials.
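To make the CI/CD use case concrete, here is an added Python sketch of the two halves involved (example code for this page, not Coalmine's own): a registry that mints a canary access key for a pipeline and records where it was planted, and a detector that scans CloudTrail-style events for any use of that key. The key id shape, the `.env` snippet and the event lines are all constructed for the example; a real deployment would issue a genuine IAM key with no permissions so that attempts actually appear in CloudTrail.

```python
import json
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Canary:
    access_key_id: str
    label: str          # where the pipeline planted it, e.g. "repo:payments-api/.env"


class CanaryRegistry:
    """Issues canary key ids and remembers where each one was planted."""

    def __init__(self) -> None:
        self._by_key: Dict[str, Canary] = {}

    def mint(self, label: str) -> Canary:
        # Constructed key id in the AWS access-key shape (assumption for the demo).
        # In production this must be a real, permissionless IAM key created by the
        # platform; otherwise nothing will ever be logged when it is tried.
        alphabet = string.ascii_uppercase + string.digits
        key_id = "AKIA" + "".join(secrets.choice(alphabet) for _ in range(16))
        canary = Canary(key_id, label)
        self._by_key[key_id] = canary
        return canary

    def lookup(self, key_id: Optional[str]) -> Optional[Canary]:
        return self._by_key.get(key_id) if key_id else None


def render_env_snippet(canary: Canary) -> str:
    """What the CI job writes into the repo: a plausible-looking credential pair."""
    return (f"AWS_ACCESS_KEY_ID={canary.access_key_id}\n"
            "AWS_SECRET_ACCESS_KEY=<secret issued together with the canary>\n")


@dataclass
class Alert:
    label: str
    event_name: str
    source_ip: str
    event_time: str
    denied: bool


def detect(registry: CanaryRegistry, event_lines: List[str]) -> List[Alert]:
    """Scan CloudTrail-style JSON events (one per line) for use of any canary key."""
    alerts: List[Alert] = []
    for line in event_lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue                                  # skip malformed lines, keep going
        canary = registry.lookup(ev.get("userIdentity", {}).get("accessKeyId"))
        if canary is None:
            continue
        # A denied call is still a hit: the canary has no permissions, so the
        # signal is that someone tried it at all, and from where.
        alerts.append(Alert(canary.label, ev.get("eventName", "?"),
                            ev.get("sourceIPAddress", "?"), ev.get("eventTime", "?"),
                            "errorCode" in ev))
    return alerts


def sample_events(canary_key: str) -> List[str]:
    """Constructed CloudTrail-like events for offline use (not real log data)."""
    events = [
        {"eventTime": "2024-05-01T08:00:00Z", "eventName": "GetObject",
         "sourceIPAddress": "10.0.0.8",
         "userIdentity": {"accessKeyId": "AKIAEXAMPLELEGIT0001"}},
        {"eventTime": "2024-05-01T09:12:44Z", "eventName": "ListBuckets",
         "sourceIPAddress": "203.0.113.45",
         "userIdentity": {"accessKeyId": canary_key}, "errorCode": "AccessDenied"},
        {"eventTime": "2024-05-01T09:12:50Z", "eventName": "DescribeInstances",
         "sourceIPAddress": "203.0.113.45",
         "userIdentity": {"accessKeyId": canary_key}, "errorCode": "AccessDenied"},
    ]
    return [json.dumps(e) for e in events]


def run_demo() -> List[Alert]:
    registry = CanaryRegistry()
    canary = registry.mint("repo:payments-api/.env")
    print(render_env_snippet(canary))
    return detect(registry, sample_events(canary.access_key_id))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The useful property is the label: because the registry knows which pipeline and file the key was planted in, a single hit tells you not just that a credential was tried but which repository or artifact leaked.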
Disclosure: I’m the author/maintainer of Kingfisher.
Kingfisher is an Apache-2.0 OSS secret scanner built in Rust that combines Hyperscan (SIMD regex) with tree-sitter parsing to improve context/accuracy, and it can validate detected creds in real time against provider APIs so you can prioritize active leaks. It’s designed to run entirely on-prem so secrets don’t get shipped to a third-party service.
kingfisher revoke --rule github "ghp_..."
kingfisher scan /tmp --view-report
kingfisher scan /tmp --access-map --view-report
brew install kingfisher or uv tool install kingfisher-bin
Apache 2 Open-Source
I've just released trappsec v0.1 - an experimental open-source framework that helps developers detect attackers who probe API business logic. By embedding realistic decoy routes and honey fields that are difficult to distinguish from real API constructs, attackers are nudged to authenticate — converting reconnaissance into actionable security telemetry.
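To show the mechanism the announcement describes, here is an added, self-contained WSGI application (example code for this page, not trappsec's own) with decoy routes and honey fields. The route names, field names and request helper are assumptions constructed for the demo; a hit on either is recorded as telemetry and answered with a 401 so that the prober is pushed toward presenting credentials rather than learning anything:

```python
import io
import json
from typing import Dict, List, Tuple

# Decoy routes: plausible but unadvertised API surface. Legitimate clients never
# call them, so any request is reconnaissance. (Constructed for this example.)
DECOY_ROUTES = {"/api/v1/admin/export", "/api/v1/internal/users", "/api/v2/debug/config"}

# Honey fields: parameters no real client sends. A request containing one was
# built from guesswork about the business logic. (Constructed for this example.)
HONEY_FIELDS = {"is_admin", "debug_token", "override_price"}

TELEMETRY: List[Dict] = []      # in a real deployment this feeds the SIEM

_UNAUTHORIZED = [("Content-Type", "application/json"),
                 ("WWW-Authenticate", 'Bearer realm="api"')]


def _record(environ: Dict, reason: str) -> None:
    TELEMETRY.append({
        "reason": reason,
        "method": environ.get("REQUEST_METHOD"),
        "path": environ.get("PATH_INFO"),
        "src": environ.get("REMOTE_ADDR"),
        "ua": environ.get("HTTP_USER_AGENT", ""),
    })


def _read_json(environ: Dict) -> Dict:
    """Best-effort JSON body parse; anything malformed is treated as an empty body."""
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        return {}
    if length <= 0:
        return {}
    try:
        body = json.loads(environ["wsgi.input"].read(length))
    except ValueError:
        return {}
    return body if isinstance(body, dict) else {}


def app(environ: Dict, start_response):
    path = environ.get("PATH_INFO", "/")
    body = _read_json(environ)

    if path in DECOY_ROUTES:
        _record(environ, "decoy_route")
        # Answer exactly like a real protected endpoint would.
        start_response("401 Unauthorized", _UNAUTHORIZED)
        return [b'{"error":"authentication required"}']

    hit = HONEY_FIELDS & set(body)
    if hit:
        _record(environ, "honey_field:" + ",".join(sorted(hit)))
        start_response("401 Unauthorized", _UNAUTHORIZED)
        return [b'{"error":"authentication required"}']

    # Real business logic would go here; the demo only echoes the path.
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps({"ok": True, "path": path}).encode()]


def make_environ(method: str, path: str, body=None, addr: str = "198.51.100.23") -> Dict:
    """Constructed WSGI environ so the app can be exercised without a server."""
    raw = json.dumps(body).encode() if body is not None else b""
    return {"REQUEST_METHOD": method, "PATH_INFO": path, "REMOTE_ADDR": addr,
            "CONTENT_LENGTH": str(len(raw)), "wsgi.input": io.BytesIO(raw),
            "HTTP_USER_AGENT": "demo-client"}


def call(environ: Dict) -> Tuple[str, bytes]:
    """Invoke the app and return (status line, response body)."""
    captured: Dict[str, str] = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    print(call(make_environ("GET", "/api/v1/orders")))
    print(call(make_environ("GET", "/api/v1/admin/export")))
    print(call(make_environ("POST", "/api/v1/orders", {"item": 7, "is_admin": True})))
    print(TELEMETRY)
```

The 401 is deliberate: a 404 tells the prober the guess was wrong and to move on, whereas an authentication challenge makes the decoy look worth coming back to with credentials, which is the moment the telemetry becomes attributable.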
Hey r/netsec,
I built an open-source tool called crypto-scanner that scans codebases for cryptographic usage and flags algorithms vulnerable to quantum computing attacks.
What it does:
Why I built it:
NIST finalized post-quantum cryptography standards in 2024, and organizations need to start inventorying their cryptographic assets before migrating. Most teams have no idea what algorithms are actually running in their codebases. This tool gives you that visibility.
Install:
pip install crypto-scanner
crypto-scanner scan /path/to/project --html --output report.html
GitHub: https://github.com/mbennett-labs/crypto-scanner
PyPI: https://pypi.org/project/crypto-scanner/
MIT licensed. Python 3.10+. Feedback and contributions welcome.
Would love to hear what you find when you run it on your projects.
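As an added example of the inventory idea (written for this page, not crypto-scanner's own code), here is a minimal Python AST scanner that flags calls to asymmetric primitives broken by Shor's algorithm. The catalogue of call names is an assumption keyed to the `cryptography` and PyCryptodome APIs, the sample source is constructed, and the migration note points at the 2024 NIST standards ML-KEM (FIPS 203) and ML-DSA (FIPS 204):

```python
import ast
from dataclasses import dataclass
from typing import Dict, List, Optional

# Dotted call names whose underlying problem (factoring or discrete log) is
# broken by Shor's algorithm. Suffix matching lets both `rsa.generate_private_key`
# and a fully qualified spelling resolve. (Assumed catalogue, not exhaustive.)
QUANTUM_VULNERABLE = {
    "rsa.generate_private_key": "RSA",
    "RSA.generate": "RSA",
    "dsa.generate_private_key": "DSA",
    "DSA.generate": "DSA",
    "ec.generate_private_key": "ECDSA/ECDH",
    "ECC.generate": "ECDSA/ECDH",
    "dh.generate_parameters": "Diffie-Hellman",
    "X25519PrivateKey.generate": "X25519",
    "Ed25519PrivateKey.generate": "Ed25519",
}

MIGRATION_NOTE = "Shor-breakable; plan migration to ML-KEM (FIPS 203) / ML-DSA (FIPS 204)"


@dataclass
class Finding:
    line: int
    call: str
    algorithm: str
    key_size: Optional[int]     # recorded when passed as a literal keyword
    note: str


def _match(name: str) -> Optional[str]:
    for suffix, algorithm in QUANTUM_VULNERABLE.items():
        if name == suffix or name.endswith("." + suffix):
            return algorithm
    return None


class CryptoVisitor(ast.NodeVisitor):
    """Walks every call expression; AST-based so string literals and comments
    mentioning 'rsa' do not produce false positives."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = ast.unparse(node.func)
        algorithm = _match(name)
        if algorithm is not None:
            key_size = None
            for kw in node.keywords:
                if kw.arg == "key_size" and isinstance(kw.value, ast.Constant) \
                        and isinstance(kw.value.value, int):
                    key_size = kw.value.value
            self.findings.append(Finding(node.lineno, name, algorithm, key_size, MIGRATION_NOTE))
        self.generic_visit(node)       # keep descending: calls nest inside calls


def scan_source(source: str, filename: str = "<string>") -> List[Finding]:
    visitor = CryptoVisitor()
    visitor.visit(ast.parse(source, filename))
    return visitor.findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count of findings per algorithm family, the shape of a migration inventory."""
    summary: Dict[str, int] = {}
    for f in findings:
        summary[f.algorithm] = summary.get(f.algorithm, 0) + 1
    return summary


# Constructed sample project file (not from any real codebase).
SAMPLE_SOURCE = '''\
from cryptography.hazmat.primitives.asymmetric import rsa, ec
from cryptography.hazmat.primitives import hashes

def make_keys():
    signing = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    agree = ec.generate_private_key(ec.SECP256R1())
    digest = hashes.SHA256()   # hash: Grover-weakened, not Shor-broken, so not flagged
    return signing, agree, digest
'''

if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE, "sample.py")
    for f in results:
        print(f"sample.py:{f.line}: {f.call} -> {f.algorithm} key_size={f.key_size}")
    print(summarize(results))
```

Symmetric ciphers and hashes are deliberately left out: Grover's algorithm only halves their effective strength, so the actionable finding there is a short key, not the algorithm itself.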
Released an open-source security scanner designed for AI coding agent workflows.
Problem: AI assistants generate code with OWASP Top 10 vulnerabilities at alarming rates. They also "hallucinate" package names that could be registered by attackers.
Solution: MCP server that integrates with AI coding tools (Claude, Cursor, etc.) for real-time scanning.
Technical details:
- tree-sitter AST parsing for accurate detection (not just regex)
- Taint analysis for tracking user input to dangerous sinks
- 275+ rules covering: SQLi, XSS, command injection, SSRF, XXE, insecure deserialization, hardcoded secrets, weak crypto
- Package verification via bloom filters (4.3M packages, 7 ecosystems)
- Prompt injection detection for AI agent security
- CWE/OWASP metadata for compliance
Languages: Python, JavaScript/TypeScript, Java, Go, Ruby, PHP, C/C++, Rust, C#, Terraform, Kubernetes
No cloud dependencies - runs entirely local.
npx agent-security-scanner-mcp init
Feedback welcome, especially on rule coverage gaps.
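The "taint analysis for tracking user input to dangerous sinks" bullet is the part most worth seeing in code, so here is an added, intra-procedural taint tracker over the Python AST (example code written for this page, not the scanner's own engine). The source, sink and sanitizer catalogues are small constructed assumptions, and the sample handler is constructed too; it exercises the edge cases that matter in practice, namely a sanitizer breaking the taint chain and `subprocess` being a sink only when `shell=True` is passed:

```python
import ast
from dataclasses import dataclass
from typing import List, Set

# Where attacker-controlled data enters. (Assumed catalogue; a real rule set is
# framework-aware and far larger.)
SOURCES = {"input", "request.args.get", "request.form.get", "request.get_json", "sys.argv"}

# Sinks that are dangerous whenever they receive tainted data.
SINKS = {"os.system": "command injection", "os.popen": "command injection",
         "eval": "code injection", "exec": "code injection",
         "cursor.execute": "SQL injection"}

# subprocess calls are a shell-injection sink only with shell=True.
SHELL_SINKS = {"subprocess.run", "subprocess.call", "subprocess.Popen", "subprocess.check_output"}

# Calls that neutralise taint for the sinks above.
SANITIZERS = {"shlex.quote", "int", "float"}


@dataclass
class Finding:
    line: int
    sink: str
    kind: str
    expression: str     # the tainted argument exactly as written in the source


def _shell_true(call: ast.Call) -> bool:
    return any(k.arg == "shell" and isinstance(k.value, ast.Constant) and k.value.value is True
               for k in call.keywords)


class TaintAnalyzer(ast.NodeVisitor):
    def __init__(self) -> None:
        self.tainted: Set[str] = set()
        self.findings: List[Finding] = []

    def is_tainted(self, node: ast.AST) -> bool:
        """True if the expression can carry attacker-influenced data."""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Attribute):
            return ast.unparse(node) in SOURCES              # e.g. sys.argv
        if isinstance(node, ast.Subscript):
            return self.is_tainted(node.value)               # sys.argv[1], host[0]
        if isinstance(node, ast.Call):
            name = ast.unparse(node.func)
            if name in SANITIZERS:
                return False                                 # taint stops here
            if name in SOURCES:
                return True
            # Any other call propagates taint from its arguments, e.g. "..".format(x)
            return any(self.is_tainted(a) for a in node.args) or \
                any(self.is_tainted(k.value) for k in node.keywords)
        if isinstance(node, ast.BinOp):
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):                  # f-strings
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self.tainted = set()            # intra-procedural: fresh state per function
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        tainted_value = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if tainted_value:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)          # clean reassignment clears taint
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = ast.unparse(node.func)
        kind = SINKS.get(name)
        if kind is None and name in SHELL_SINKS and _shell_true(node):
            kind = "command injection"
        if kind is not None:
            for arg in node.args:
                if self.is_tainted(arg):
                    self.findings.append(Finding(node.lineno, name, kind, ast.unparse(arg)))
                    break
        self.generic_visit(node)


def analyze(source: str) -> List[Finding]:
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample handler (not from any real project).
SAMPLE_SOURCE = '''\
import os, subprocess, shlex

def ping(request):
    host = request.args.get("host")
    os.system("ping -c 1 " + host)                     # tainted -> sink
    safe = shlex.quote(host)
    os.system("ping -c 1 " + safe)                     # sanitized, not reported
    subprocess.run(["ping", "-c", "1", host])          # list args, no shell: not a sink
    subprocess.run("ping -c 1 " + host, shell=True)    # shell=True -> sink
    count = int(request.args.get("count"))
    os.system(f"ping -c {count} localhost")            # int() breaks the chain
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind} via {f.sink}({f.expression})")
```

This is what separates AST taint tracking from regex: the two `os.system` calls on lines 5 and 7 look identical to a pattern matcher, and only the data-flow state knows that one argument passed through `shlex.quote`.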