Exfil Security participates in DEF CON, the annual security conference that brings together security professionals, hackers, researchers, and enthusiasts from around the globe. Our attendance is driven by a commitment to staying at the forefront of cybersecurity knowledge and innovation. By being part of DEF CON, we gain valuable insights into the latest cybersecurity trends, vulnerabilities, and defense strategies. Our dedication to DEF CON reflects our desire to deliver top-tier cybersecurity services to our clients and continually improve our expertise in the field.

In this paper, we analyze new or upgraded threats to web applications that arose from 2021-2023, and offer some insight into mitigating these threats. With this, our goal is to strengthen the conversation regarding security of web properties belonging to your organization. Although the focus of this paper is web application security, it is impossible to address this without touching upon API and Cloud security as well. Given the prevalence of these technologies across the web, their vulnerabilities are closely related to the security of web applications.

If you were about to embark on an adventurous trek into some unfamiliar territory, wouldn't you want to have a seasoned guide at your side, someone who knows the terrain and can help you avoid threats on the way to your destination?

Since the release of ChatGPT in November of 2022, a major focus for its users has been jailbreak prompts that allow users to use ChatGPT freely without constraints. From a security perspective, jailbreak prompts have allowed penetration testers to bypass restrictions and receive valuable advice from ChatGPT on various security topics. That is why when OpenAI released the GPT-4 model of ChatGPT in March of 2023, many hoped it would be as easy to jailbreak as the GPT-3.5 model was. Unfortunately, it does not appear that this was the case.

How do you learn to hack? How can this be done legally? These are the questions I asked myself growing up knowing I wanted to go into Computer Science and more specifically, cybersecurity. Going into college, there were some basic cybersecurity courses that weren’t available until Junior or Senior year, but I wanted to get started right away.

On November 30, 2022 OpenAI released the beta version of their advanced language model software, ChatGPT (Generative Pre-Trained Transformer). Since its release, I’ve personally had the pleasure of experimenting with ChatGPT and seeing how it may work as a tool for penetration testing. What I found has been pleasantly surprising and points towards ChatGPT becoming a valuable resource in the field of cyber security as a whole.