Blog
Chaos Engineering and General Mischief
Understanding How Controlled Disruptions Can Enhance Security Measures
5 min read
Hacking AI Applications: From 3D Printing to Remote Code Execution
The blog post examines methods for hacking AI-native applications by detailing vulnerabilities discovered while building KachraCraft, a 3D design generation tool, including techniques for revealing system prompts, executing server-side request forgery (SSRF), and novel ways to exfiltrate data through AI-generated artifacts like STL files.
5 min read
Stop Using Predictable Bucket Names: A Failed Attempt at Hacking Satellites
This blog discusses the security risks of S3 bucket namesquatting in AWS, where attackers could potentially exploit predictable bucket naming patterns that include region names, and documents the author's research finding buckets pre-created for non-existent regions (up to "us-east-15") while searching for potential vulnerabilities in AWS service-managed buckets.
5 min read
Beyond RCE: Autonomous Code Execution in Agentic AI
This blog post explores how agentic AI systems, specifically the "Computer Use" feature, can be manipulated through prompt injections and phishing techniques to execute arbitrary commands.
5 min read
Turning AWS Documentation into Gold: AI-Assisted Security Research
This article covers using embeddings in AWS Bedrock, scraping AWS documentation, and leveraging ripgrep for fast searches on local disk, with some interesting security research along the way.
5 min read
Exposing Security Observability Gaps in AWS Native Security Tooling
Explore the limitations and effectiveness of AWS IAM Access Analyzer in detecting publicly exposed resources across various AWS services. Learn about common misconceptions, deployment tips, and critical observability gaps in AWS native security tooling.