OWASP 2025 Global AppSec EU

The question “What is AI security?” followed by “No, not image classification, LLMs!” has become a frequent conversation for us at conferences around the world. So, we decided to answer the real question.

Having spent the last year actively trying to break LLMs as attackers and defenders, as external entities, and as insider threats, we have gathered and created many techniques to jailbreak, trick, and control LLMs, and have distilled previously complex techniques in a way everyone can understand. We will teach you how to exploit control tokens, much like when we hacked Google’s Gemini for Workspace. You will see how to get an LLM to pop a shell with an image of a seashell, and we’ll even provide the tools to automatically extract pop-culture exploits for your very own KROP gadgets. We will reveal how an insider threat could implant hidden logic or backdoors into your LLM, enabling an attacker to control outputs, change inputs, or even make the LLM refuse to say the word “OWASP”. We will enable you to take full control over their local LLMs, even demonstrating how an LLM can be fully and permanently jailbroken in minutes with a CPU rather than with dozens of hours on multiple GPUs. By the end, our audience will be able to make any LLM say whatever they want.

Through novel research our team uncovered a critical vulnerability in Azure's guest user model, revealing that guest users can create and own subscriptions in external tenants they've joined—even without explicit privileges. This capability, which is often overlooked by Azure administrators, allows attackers to exploit these subscriptions to expand their access, move laterally within resource tenants, and create stealthy backdoor identities in the Entra directory. Alarmingly, Microsoft has confirmed real-world attacks using this method, highlighting a significant gap in many Azure threat models. This talk will share the findings from this first of its kind research into this exploit found in the wild.

We'll dive into how subscriptions, intended to act as security boundaries, make it possible for any guest to create and control a subscription undermines this premise. We'll provide examples of attackers leveraging this pathway to exploit known attack vectors to escalate privileges and establish persistent access, a threat most Azure admins do not anticipate when inviting guest users. While Microsoft plans to introduce preventative options in the future, this gap leaves organizations exposed to risks they may not even realize exist––but should definitely know about!

Writing and maintaining secure applications is hard enough, and in today's paradigm with DevOps and CI/CD developers are often tasked with integrating and automating a full code-to-cloud pipeline. This introduces new control plane to application risks. Some of these instances can lead to full compromise if exploited by a threat actor.

In this talk we will break down the core components of a modern CI/CD-workflow such as OIDC, GitHub Actions and Workload Identities. Then we will describe the security properties of these components, and present a threat model for the code-to-cloud flow. Based on this we will showcase and demonstrate common flaws that could lead to full application and cloud compromise.

To increase the capacity of organizations to detect such flaws we will release an open source tool, developed by the presenters, to discover and triage these issues. In the session the tool will be demonstrated and discussed. Attendees will get actionable knowledge and tooling that can be applied when leaving the room. The talk and tool is based on findings and experiences from cloud and application security assessment conducted by the presenters.

Step into the shadowy world of AI tools and ask yourself: How secure are they? This session dives deep into the architecture of AI models, exposing their most vulnerable points. Moreover, you will learn how malicious actors can weaponize AI, turning powerful tools into threats based on an example of a ‘Malicious Copilot’ IDE plugin. It will reveal how a code-completion model can be trained to embed harmful behavior, target victims, and execute attacks. Finally, you will take home actionable strategies for organizations leveraging generative AI and LLMs, ensuring security isn’t left to chance.

What began as a simple WAF bypass challenge on a single website turned into the discovery of a vulnerability affecting thousands of organizations. Join us in the journey of how an accessibility plugin, mandated by regulation, became the perfect vehicle for a widespread XSS vulnerability. We’ll explore the real-world impact of compromised sensitive systems, from government and military to healthcare and finance, showing how a single regulatory requirement led to an ecosystem-wide security breach.

We’ll also analyze the plugin’s source code to understand how and why this XSS vulnerability occurs, along with a behavior analysis that suggests the plugin may also be tracking users without consent, indicating potential malicious intent. Additionally, we’ll share the methodology and tools used to uncover and validate these vulnerabilities at scale.