Exploiting AI application to gain RCE and full DB access
Abstract
This talk dives into the intriguing results of a security assessment performed by Deloitte Belgium on an application using a large language model (LLM) for document analysis. Combining code review and application penetration testing, we uncovered surprising and impactful vulnerabilities that exposed the application to critical risks.
We will explore how interactions between the LLM and backend systems can create unexpected attack vectors, including weaknesses that allow us to manipulate application behavior and access sensitive data. Attendees will learn how subtle flaws in input handling and integration design can lead to significant security breaches, with real-world examples from our findings.
Join us to uncover the hidden dangers of integrating LLMs into applications and discover best practices for building resilient, secure systems in the age of advanced AI.
Speakers: Paula Moutafian
Company: Deloitte
Function: Senior Cyber Security Consultant
Paula Moutafian, a Web/Mobile Application Penetration Tester, has been with Deloitte for two years. She has primarily worked alongside Loïc, contributing to multiple pentesting projects.
She also owns a technical blog where she writes articles about work she has done, penetration testing techniques, resources, and more.
Speakers: Loïc Siquet
Company: Deloitte
Function: Senior Cyber Security Consultant
Loïc Siquet is a specialist in Web/Mobile Application Penetration Testing, with five years of experience at Deloitte Belgium.
He has led and participated in numerous penetration tests, gaining expertise in identifying and exploiting vulnerabilities in various applications. He also contributes to phishing tests for Deloitte's clients.