Hack, Fix, Discuss! AI Security Edition
Welcome to the AI security edition of GroningenPHP workshops! Today, we're auditing code generated by AI. While LLMs are great for productivity, they often "hallucinate" security measures or suggest outdated, vulnerable patterns.
We test Team Red's payloads against Team Blue's fixed code. Then we discuss why the AI failed and how the fix works.
Move to the next challenge, switch roles between Team Red and Team Blue, and start the next round!
1. Your Sandbox
We'll use OneCompiler to run our code. It's a free online PHP evaluator that supports common extensions like PDO (SQLite).
OneCompiler
Open onecompiler.com/php. Copy the snippets below and paste them into the editor. Use the "Input" area at the top of the challenge to simulate different user inputs.
Workshop Challenges
Work through these challenges with your team. Good luck!
-
Start Challenge
Challenge 1: The Copilot's Query
Bypass an AI-suggested SQL filter using UNION injection.
-
Start Challenge
Challenge 2: The Insecure AI Agent
Exploit an eval() vulnerability via prompt injection.
-
Start Challenge
Challenge 3: The AI's "Smart" Sanitizer
Bypass a weak path traversal filter using nested sequences.
-
Start Challenge
Challenge 4: The AI-Recommended Library
Exploit insecure deserialization in AI-recommended code.