harisec
@har1sec
Interested in web security, bug bounties, machine learning and investing. SolidGoldMagikarp. Orson Kovacs.
Here are the slides from my @TumpiConIT talk: Teaching LLMs how to XSS - An introduction to fine-tuning and reinforcement learning (using your own GPU) docs.google.com/presentation/d…
Cloudflare CEO @eastdakota is having the most honest conversations I've come across about the current & future of content creation "6 months ago, 75% of queries to Google get answered on Google. Which means if you're an original content creator, your content is getting…
If you’re in media, this is worth a watch. Cloudflare handles ≈20% of global traffic, so when CEO Matthew Prince warns at Cannes that AI bots are reshaping the web, publishers need to adapt or risk being left behind.
Ok, so I can finally talk about this! We spent the last year (actually a bit longer) training an LLM with recurrent depth at scale. The model has an internal latent space in which it can adaptively spend more compute to think longer. I think the tech report ...🐦⬛
This is a fun example of how we detect SQLi – and how the agent can think to check places that might normally be overlooked, like the basic auth header!
When standard SQL injection vectors fail, dig deeper. ⚡️New XBOW discovery: Z-Push vulnerability hidden in Basic Authentication username field. Response timing differences revealed PostgreSQL time-based injection where obvious targets were clean. Full analysis:…
ChatGPT o3-pro identifies a 1965 quote by I. J. Good hand-written in a mix of print and cursive on a note ripped into four strips in reverse order rotated 90° in alternating directions:
this appears to block common crawl too. congrats everyone we've burned the commons to the ground. we can all go home now. there will never be a public archive of the internet again technologyreview.com/2025/07/01/111…
Excited to give a keynote at the LLMSEC 2025 workshop. The workshop is part of the 63rd Annual Meeting of the Association for Computational Linguistics (ACL). Looking forward to connecting more with the academic research community. And it's gonna be in Vienna! 🙂
For our first Christmas in July research post: How we managed to get persistent XSS on every Adobe Experience Manager Cloud instance three times! slcyber.io/assetnote-secu…
Another one from XBOW’s autonomous research: CVE-2025-49493 — a critical XXE in Akamai CloudTest, affecting multiple legacy SOAP endpoints. Full file read via XML payloads, clean exploit chain, responsibly disclosed. Check out the full technical breakdown I wrote👇
Even mature products hide critical flaws – and @XBOW just found another one. CVE-2025-49493: XXE in Akamai CloudTest discovered during our climb to #1 on HackerOne. A complete technical breakdown from an error-based detection to a full exfiltration by @djurado9…
🚨 We got RCE on Solana 🚨 Finally revealing FULL details about the RCE vulnerability we found 2 years ago. Found it. Lost it. Exploited it anyway. 🔬 Here’s what real-world bug hunting looks like: anatomi.st/blog/2025_06_2…
Since it's summer, and more or less internship and tech interview season, I made all 30 chapters of my Machine Learning Q and AI book freely available for the summer: sebastianraschka.com/books/ml-q-and… Hope it’s helpful! Happy reading, and good luck if you are interviewing!
Really enjoyed listening to @Steph3nSims sharing his perspective about AI for vuln research
An Introduction to using Artificial Intelligence (AI) for Vulnerability Research x.com/i/broadcasts/1…
I'm very happy to finally share the second part of my DOMPurify security research 🔥 This article mostly focuses on DOMPurify misconfigurations, especially hooks, that downgrade the sanitizer's protection (even in the latest version)! Link 👇 mizu.re/post/exploring… 1/2
📜 really excited to share our work with @AnthropicAI on Constitutional Classifiers! tldr: adding lightweight, tailored, input/output classifiers on top of an underlying LLM creates an AI system that's much more robust to universal jailbreaks
New Anthropic research: Constitutional Classifiers to defend against universal jailbreaks. We’re releasing a paper along with a demo where we challenge you to jailbreak the system.
In 2018, @mgianarakis and I set off to build a platform that would provide enterprises with a realistic attacker perspective of their entire network. At the time, we had just begun to try the phrase "attack surface management" in peer conversations. But the vision was always…
here's my long list of best ai thing for each category (stuff im confident is best): - coding 1 shot: o1 - need some good info on how to do something, i use msty[.]app where i have 4o/sonnet/flash2 all loaded in a single synced pane - processing videos or audio to get summaries:…
We reproduced DeepSeek R1-Zero in the CountDown game, and it just works. Through RL, the 3B base LM develops self-verification and search abilities all on its own. You can experience the Ahah moment yourself for < $30. Code: github.com/Jiayi-Pan/Tiny… Here's what we learned 🧵
Did you know that Operator has 20 years of experience!?! 😀 // # Computer-mode: REMOTE_COWORKER // # Description: In remote coworker mode, use a remote computer to help the user with asks that require a computer // # Years of experience: 20 Put the initial system prompt here…
As suspected there is more @rez0__ curious if you get the same. will need to dig a little more during weekend to cross-check. I think it's the first time OpenAI put some effort in attempting to prevent extraction... But check this out: Operator is a remote co-worker with 20…