ChatGPT apparently worked out that somebody was typing with their hand shifted-right by one set of keys – see picture – this has security impact because…

Seriously: if you are working on glueware between a web application & an LLM, and you’re expecting to “detect and filter out bad stuff” using a blocklist, you need to stop right now and re-architect everything to work only on an allowlist basis, plus think really, really hard about what you’re trying to achieve and how perhaps to sandbox the LLMs as well as sanitise their input:


Any number of folk are building *WAF-like block-filters with an LLM on the backend, in an attempt to sanitise inputs; that approach was already complicated by some HTTP servers accepting not merely %-encoded & UTF8-encoded quotes, but even non-standard «European quotes» as valid in database queries.

But the server wasn’t actively trying to work around your typos:

[*] web application firewalls
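To make the argument concrete, here is an added example (my own code, not from the post): a naive blocklist checked against the raw string, a set of readings that a lenient server or a helpful LLM may act on instead (double %-decoding, Unicode folding of «European» quotes, and undoing a right-shifted hand), and an allowlist that only forwards actions the glue code actually supports. The blocked tokens, the action names and the sample inputs are all constructed for the demo.

```python
import unicodedata
from urllib.parse import unquote

# Constructed blocklist of "bad stuff" a naive WAF-like filter looks for in the raw input.
BLOCKLIST = ("'", '"', ";", "--", "select", "union", "drop")

# QWERTY rows, used to undo a hand that typed one key to the right of every intended key.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl;'", "zxcvbnm,./")

# Quote lookalikes (including «European» ones) that a lenient parser may treat as an ASCII quote.
QUOTE_FOLD = {ord(c): "'" for c in "\u00ab\u00bb\u2018\u2019\u201c\u201d\u201e"}

def unshift_right(text: str) -> str:
    """Return the text the typist meant: each key moved one position left on its row."""
    out = []
    for ch in text:
        for row in QWERTY_ROWS:
            i = row.find(ch.lower())
            if i > 0:
                out.append(row[i - 1].upper() if ch.isupper() else row[i - 1])
                break
        else:  # not on a letter row (space, digits, row-start keys): leave it alone
            out.append(ch)
    return "".join(out)

def interpretations(raw: str) -> set[str]:
    """Readings a lenient HTTP server or a helpful LLM may act on instead of the raw string."""
    decoded = unquote(unquote(raw))  # single and double %-encoding
    folded = unicodedata.normalize("NFKC", decoded).translate(QUOTE_FOLD)
    return {raw, decoded, folded, unshift_right(folded)}

def blocklist_passes(text: str) -> bool:
    """The naive filter: true when none of the blocked tokens appear in this exact string."""
    lowered = text.lower()
    return not any(tok in lowered for tok in BLOCKLIST)

def blocklist_bypassed(raw: str) -> bool:
    """True when the raw input passes the blocklist but some reading of it would not."""
    return blocklist_passes(raw) and not all(blocklist_passes(t) for t in interpretations(raw))

# Allowlist: the glue code only ever forwards one of the actions it actually supports,
# so it never has to guess how the backend will reinterpret free text.
ALLOWED_ACTIONS = frozenset({"balance", "history", "logout"})

def allowlist_passes(raw: str) -> bool:
    return raw in ALLOWED_ACTIONS
```

The list of interpretations is open-ended (each new decoder the backend grows adds one more), which is exactly why the blocklist can never be finished and the allowlist can.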

Comments

One response to “ChatGPT apparently worked out that somebody was typing with their hand shifted-right by one set of keys – see picture – this has security impact because…”

  1. @alecm ++ for the Bobby Tables #xkcd reference

    Speaking of which, I've found this a useful resource to hand to #SQLinjection newbies: https://bobby-tables.com

    #SQL #infosec #security #cybersecurity #programming #coding #SoftwareDevelopment #SoftwareEngineering
