サーバーレスのセキュリティリスク - AWS Lambdaにおける脆弱性攻撃と対策 - GMO Flatt Security Blog
はじめに こんにちは、株式会社Flatt Security セキュリティエンジニアの森岡(@scgajge12)です。 本稿では、AWS Lambda で起こりうる脆弱性攻撃やリスク、セキュリティ対策を解説し、サーバーレスにおけるセキュリティリスクについて紹介します。 はじめに AWS Lambda について サーバーレスにおけるセキュリティリスク AWS Lambda で起こりうる脆弱性攻撃 Lambda での脆弱性攻撃によるリスク 脆弱性攻撃による更なるリスク OS Command Injection XML External Entity (XXE) Insecure Deserialization Server Side Request Forgery (SSRF) Remote Code Execution (RCE) AWS Lambda におけるセキュリティ対策 セキュリティ
はじめに 対象イベント 読み方、使い方 Remote Code Execution(RCE) 親ディレクトリ指定によるopen_basedirのバイパス PHP-FPMのTCPソケット接続によるopen_basedirとdisable_functionsのバイパス JavaのRuntime.execでシェルを実行 Cross-Site Scripting(XSS) nginx環境でHTTPステータスコードが操作できる場合にCSPヘッダーを無効化 GoogleのClosureLibraryサニタイザーのXSS脆弱性 WebのProxy機能を介したService Workerの登録 括弧を使わないXSS /記号を使用せずに遷移先URLを指定 SOME(Same Origin Method Execution)を利用してdocument.writeを順次実行 SQL Injection MySQ
プロンプトインジェクション対策: 様々な攻撃パターンから学ぶセキュリティのリスク - GMO Flatt Security Blog
はじめに こんにちは、GMO Flatt Security株式会社セキュリティエンジニアの石川(@ryusei_ishika)です。 近年、ChatGPT や Gemini などの大規模言語モデル(LLM)をはじめとする生成 AI の活用が急速に進んでいます。その一方で、これらの AI モデルに対する新たな攻撃手法である「プロンプトインジェクション」が注目を集めており、そのセキュリティリスクが問題視されています。 この記事では、プロンプトインジェクションが実際にどのような脅威となり得るのか、具体的な事例を交えながらそのリアルなセキュリティリスクを解説します。さらに、開発者や経営者が取るべき具体的な対策についても、分かりやすくご紹介します。 また、GMO Flatt Securityは日本初のセキュリティ診断AIエージェント「Takumi」や、LLMを活用したアプリケーションに対する脆弱性診
API シナリオテストツール Postman・Tavern・runn 徹底比較 – 私が runn を選んだ理由 - TechDoctor開発者Blog
はじめに はじめまして、テックドクターでバックエンドエンジニアをしている筧と申します。 最近、弊社では API の品質を担保するために「API シナリオテスト」をプロダクトに導入しました。今回は、この API シナリオテストのツールである Postman(+Newman)、Tavern そして runn を比較し、最終的に runn を選んだ理由をご紹介します。 API シナリオテストとは? API シナリオテストとはなんでしょうか? 開発におけるテストといえば、ユニットテストや結合テスト、API テストや E2E テストなどをよく耳にします。しかしAPI シナリオテストという言葉はあまり聞き馴染みがないという方も多いかもしれません。 API シナリオテストは API テストの一種で、複数の API を連鎖的に呼び出して実行するテストです。以下の特徴を持っています。 複数の API を順序
Another year passes. I was hoping to write more articles instead of just these end-of-the-year screeds, but I almost died in the spring semester, and it sucked up my time. Nevertheless, I will go through what I think are the major trends and happenings in databases over the last year. There were many exciting and unprecedented developments in the world of databases. Vibe coding entered the vernacu
Agent running... (Press Ctrl-P to pause) /Users/username/.cache/uv/archive-v0/8UNE-QZmsj_fwI7VgPxJz/lib/python3.12/site-packages/pydantic/main.py:463: UserWarning: Pydantic serializer warnings: PydanticSerializationUnexpectedValue(Expected 9 fields but got 5: Expected `Message` - serialized value may not be as expected [input_value=Message(content='Excellen...thinking_blocks': None}), input_type=M
アソビュー! Advent Calendar 2022の2日目(裏面)の記事です。 アソビューでQAをしている渡辺です。 前職ではエンジニア、およびQAをしておりましたが、10月よりアソビューにQAとして入社しました。 今回は、API呼び出しを含むE2Eテストの自動化を、他社ウェブサイトに仕様記載の無料公開APIで試してみた話となります。 アソビューのQAでは、開発スピードと品質向上の両立を図ることを重視しています。 そのためにも、シフトレフトやテスト自動化推進の取り組みは重要です。 現在QAとして参画中のプロジェクトでAPIの外部公開があり、E2EテストとしてAPIを含むテストの自動化はこれまでしていないので、APIを含むテストについて、Seleniumで簡単に自動化できないか試してみました。 なぜSeleniumか? なぜPythonか? 試してみるテストケース 天気予報APIの仕様
GitHub - modelcontextprotocol/servers: Model Context Protocol Servers
Official integrations are maintained by companies building production ready MCP servers for their platforms. 21st.dev Magic - Create crafted UI components inspired by the best 21st.dev design engineers. 2slides - An MCP server that provides tools to convert content into slides/PPT/presentation or generate slides/PPT/presentation with user intention. ActionKit by Paragon - Connect to 130+ SaaS inte
copilot-explorer
Copilot Internals | thakkarparth007.github.io Github Copilot has been incredibly useful to me. It can often magically read my mind and make useful suggestions. The thing that surprised me the most was its ability to correctly “guess” functions/variables from surrounding code – including from other files. This can only happen, if the copilot extension sends valuable information from surrounding cod
the peculiar case of japanese web design a project that should not have taken 8 weeks how is japanese web design different? in this 2013 Randomwire blog post, the author (David) highlighted an intriguing discrepancy in Japanese design. While the nation is known abroad for minimalist lifestyles, their websites are oddly maximalist. The pages feature a variety of bright colours (breaking the 3 colou
This all started with a blog post back in 2020, from a tech curiosity: what's the fastest way to scale containers on AWS? Is ECS faster than EKS? What about Fargate? Is there a difference between ECS on Fargate and EKS on Fargate? I had to know this to build better architectures for my clients. In 2021, containers got even better, and I was lucky enough to get a preview and present just how fast t
Skills are custom instructions that extend Claude's capabilities for specific tasks or domains. When you create a skill via a SKILL.md file, you're teaching Claude how to handle specific scenarios more effectively. The power of skills lies in their ability to encode institutional knowledge, standardize outputs, and handle complex multi-step workflows that would otherwise require repeated explanati
Today, we are excited to announce the launch of .NET 10, the most productive, modern, secure, intelligent, and performant release of .NET yet. It’s the result of another year of effort from thousands of developers around the world. This release includes thousands of performance, security, and functional improvements across the entire .NET stack-from languages and developer tools to workloads-enabl
We have discovered a critical vulnerability in the Model Context Protocol (MCP) that allows for "Tool Poisoning Attacks." Many major providers such as Anthropic and OpenAI, workflow automation systems like Zapier and MCP clients like Cursor are susceptible to this attack. Concerned about MCP and agent security? Sign up for early access to Invariant Guardrails, our security platform for agentic AI
Assessing Claude Mythos Preview’s cybersecurity capabilities April 7, 2026 Nicholas Carlini, Newton Cheng, Keane Lucas, Michael Moore, Milad Nasr, Vinay Prabhushankar, Winnie Xiao Hakeem Angulu, Evyatar Ben Asher, Jackie Bow, Keir Bradwell, Ben Buchanan, David Forsythe, Daniel Freeman, Alex Gaynor, Xinyang Ge, Logan Graham, Kyla Guru, Hasnain Lakhani, Matt McNiece, Mojtaba Mehrara, Renee Nichol, A
What We Learned from a Year of Building with LLMs (Part I)
It’s an exciting time to build with large language models (LLMs). Over the past year, LLMs have become “good enough” for real-world applications. The pace of improvements in LLMs, coupled with a parade of demos on social media, will fuel an estimated $200B investment in AI by 2025. LLMs are also broadly accessible, allowing everyone, not just ML engineers and scientists, to build intelligence into
【Pythonでスクレイピング】Mattermost BOT投稿機能 作り方 - RAKUS Developers Blog | ラクス エンジニアブログ
はじめに はじめまして。aqli_kuk120と申します。 ラクスの片隅でひっそりとインフラエンジニアをしています。 「エンジニアは常日頃の情報収集が肝要」とよく聞きますが、中々実践できない自分がいました。 技術系のニュースアプリをスマホに入れてみるも、三日坊主でついつい他の興味あることをネットサーフィンする日々…。 これではいかんと思い、対策を考えた結果、 「人気記事のリンクをスクレイピングして社内のチャットツール(Mattermost)にBOT投稿するようにしたら、昼休みにご飯食べながらみれるんじゃない?」と思い至りました。 ということで、インフラエンジニアと名乗ったものの、今回はPythonを使ったスクレイピングとMattermostへのBOT投稿についてブログを書いていきたいと思います。 はじめに スクレイピングとは Mattermostとは Pythonで今回作るもの 開発環境構
Introducing AWS Lambda response streaming | Amazon Web Services
AWS Compute Blog Introducing AWS Lambda response streaming Today, AWS Lambda is announcing support for response payload streaming. Response streaming is a new invocation pattern that lets functions progressively stream response payloads back to clients. You can use Lambda response payload streaming to send response data to callers as it becomes available. This can improve performance for web and m
31st December 2024 A lot has happened in the world of Large Language Models over the course of 2024. Here’s a review of things we figured out about the field in the past twelve months, plus my attempt at identifying key themes and pivotal moments. This is a sequel to my review of 2023. In this article: The GPT-4 barrier was comprehensively broken Some of those GPT-4 models run on my laptop LLM pri
Note: This blog post is also available as a documentation page on Transformers. Large Language Models (LLMs) such as GPT3/4, Falcon, and LLama are rapidly advancing in their ability to tackle human-centric tasks, establishing themselves as essential tools in modern knowledge-based industries. Deploying these models in real-world tasks remains challenging, however: To exhibit near-human text unders
API Tokens: A Tedious Survey Author Name Thomas Ptacek @tqbf @tqbf Image by Annie Ruygt We’re Fly.io. This post isn’t about Fly.io, but you have to hear about us anyways, because my blog, my rules. Our users ship us Docker containers and we transmute them into Firecracker microvms, which we host on our own hardware around the world. With a working Dockerfile, getting up and running will take you l
Gamedev in Lisp. Part 1: ECS and Metalinguistic Abstraction - cl-fast-ecs by Andrew
Gamedev in Lisp. Part 1: ECS and Metalinguistic Abstraction In this series of tutorials, we will delve into creating simple 2D games in Common Lisp. The result of the first part will be a development environment setup and a basic simulation displaying a 2D scene with a large number of physical objects. It is assumed that the reader is familiar with some high-level programming language, has a gener
Prompt Engineering
Date: March 15, 2023 | Estimated Reading Time: 21 min | Author: Lilian Weng Prompt Engineering, also known as In-Context Prompting, refers to methods for how to communicate with LLM to steer its behavior for desired outcomes without updating the model weights. It is an empirical science and the effect of prompt engineering methods can vary a lot among models, thus requiring heavy experimentation a
Agents
Intelligent agents are considered by many to be the ultimate goal of AI. The classic book by Stuart Russell and Peter Norvig, Artificial Intelligence: A Modern Approach (Prentice Hall, 1995), defines the field of AI research as “the study and design of rational agents.” The unprecedented capabilities of foundation models have opened the door to agentic applications that were previously unimaginabl
Vjeux » Birth of Prettier
React Conf is around the corner and it's been almost 10 years since Prettier was released. I figured it would be a good time to recount the journey from its early days to now. This is the story of how the "Space vs Tabs Holy War" ended, not through one side winning over the other but instead a technological invention making it the underlying source of tensions no longer being a thing. Back Story S
How to Bypass Cloudflare in 2023: The 8 Best Methods - ZenRows
About 1/5 of websites you need to scrape use Cloudflare, a hardcore anti-bot protection system that gets you blocked easily. So what can you do? 😥 We spent a million dollars figuring out how to bypass Cloudflare in 2023 so that you don't have to and wrote the most complete guide (you're reading it!). These are some of the techniques you'll get home today: Method 1: Get around Cloudflare CDN. Meth
Why Elixir Is the Best Language for Building a Bootstrapped, B2B SaaS in 2024 | SleepEasy Website Monitor
Why Elixir Is the Best Language for Building a Bootstrapped, B2B SaaS in 2024 [This article is the companion to my presentation for CodeBEAM America 2024, Elixir is the One-Person Stack for Building a Software Startup. You can download the slides as a PDF or view them in Google Slides.] I’d like to share why I chose Elixir as the programming language (and really, as we’ll discuss, the full stack)
Over the course of my Spring 2020 semester at Harvey Mudd College, I developed a self-hosting compiler entirely from scratch. This article walks through many interesting parts of the project. It’s laid out so you can just read from beginning to end, but if you’re more interested in a particular topic, feel free to jump there. Or, take a look at the project on GitHub. Table of contents What the pro
There are many different ways to build with LLMs, including training models from scratch, fine-tuning open-source models, or using hosted APIs. The stack we’re showing here is based on in-context learning, which is the design pattern we’ve seen the majority of developers start with (and is only possible now with foundation models). The next section gives a brief explanation of this pattern; experi
Patterns for Building LLM-based Systems & Products [ llm engineering production 🔥 ] · 66 min read Discussions on HackerNews, Twitter, and LinkedIn “There is a large class of problems that are easy to imagine and build demos for, but extremely hard to make products out of. For example, self-driving: It’s easy to demo a car self-driving around a block, but making it into a product takes a decade.”
Meta’s Systematic Code and Asset Removal Framework (SCARF) has a subsystem for identifying and removing dead code. SCARF combines static and dynamic analysis of programs to detect dead code from both a business and programming language perspective. SCARF automatically creates change requests that delete the dead code identified from the program analysis, minimizing developer costs. In our last blo
ローカルマルチモーダルを簡単に使えるAPIを公開。LLaVA-Next(旧1.6)でAPIサーバを構築|めぐチャンネル
簡単に使えるAPIサーバがほしい前述のように、時間も無いということで、画像アップロードとチャット機能だけに縛った簡単なAPIサーバを実装しています。LLaVAのオリジナルコードにはChatの過去ログ機能もあるので有効に活用します。 LLaVA-NEXTの導入GiyHubからクローンします。 git clone https://github.com/haotian-liu/LLaVA.git cd LLaVA環境に合わせて構築Install Packageに従えば簡単に環境は構築できるはずです。トレーニングはしないのでadditional packagesは不要です。 conda create -n llava python=3.10 -y conda activate llava pip install --upgrade pip # enable PEP 660 support pip
Azure OpenAI Service 「on your data」 構成でのセキュリティ性を向上させる - Taste of Tech Topics
こんにちは、igaです。 先日、久しぶりにライブで声を出したらのどが枯れてしまいました。 前回に引き続き、Azure OpenAIのセキュリティを向上させるため、ネットワークのアクセス制限について確認します。 今回は、以前検証した独自データを使用する場合のネットワークのアクセス制限について確認します。 acro-engineer.hatenablog.com Azure OpenAIの構成 前回の構成で、Azure OpenAIに対してインターネットからのアクセス制限を行いました。 独自データ(原文の表記はon your data)を使用する場合、構築した直後はデータを保持するCognitive Searchがインターネット上のどこからでもREST APIによるリクエストが受信可能な状態になっています。 Cognitive Searchを利用するためには、通常、APIキーが必要になります。
Published Sep 29, 2025 The Claude Agent SDK is a collection of tools that helps developers build powerful agents on top of Claude Code. In this article, we walk through how to get started and share our best practices. Last year, we shared lessons in building effective agents alongside our customers. Since then, we've released Claude Code, an agentic coding solution that we originally built to supp
SemVer in Rust: Tooling, Breakage, and Edge Cases — FOSDEM 2024 Last month, I gave a talk titled "SemVer in Rust: Breakage, Tooling, and Edge Cases" at the FOSDEM 2024 conference. The talk is a practical look at what semantic versioning (SemVer) buys us, why SemVer goes wrong in practice, and how the cargo-semver-checks linter can help prevent the damage caused by SemVer breakage. TL;DR: SemVer is
Real-world gen AI use cases from the world's leading organizations | Google Cloud Blog
AI is here, AI is everywhere: Top companies, governments, researchers, and startups are already enhancing their work with Google's AI solutions. Published April 12, 2024; last updated October 9, 2025. Automotive & Logistics Business & Professional Services Financial Services Healthcare & Life Sciences Hospitality & Travel Manufacturing, Industrial & Electronics Media, Marketing & Gaming Public Sec
How a simple Linux kernel memory corruption bug can lead to complete system compromise
In this case, reallocating the object as one of those three types didn't seem to me like a nice way forward (although it should be possible to exploit this somehow with some effort, e.g. by using count.counter to corrupt the buf field of seq_file). Also, some systems might be using the slab_nomerge kernel command line flag, which disables this merging behavior. Another approach that I didn't look
The Go Programming Language and Environment – Communications of the ACM
Go is a programming language created at Google in late 2007 and released as open source in November 2009. Since then, it has operated as a public project, with contributions from thousands of individuals and dozens of companies. Go has become a popular language for building cloud infrastructure: Docker, a Linux container manager, and Kubernetes, a container deployment system, are core cloud techno
Date: June 23, 2023 | Estimated Reading Time: 31 min | Author: Lilian Weng Building agents with LLM (large language model) as its core controller is a cool concept. Several proof-of-concepts demos, such as AutoGPT, GPT-Engineer and BabyAGI, serve as inspiring examples. The potentiality of LLM extends beyond generating well-written copies, stories, essays and programs; it can be framed as a powerfu
Join a VS Code Dev Days event near you to learn about AI-assisted development in VS Code. Update 1.66.1: The update addresses these issues. Update 1.66.2: The update addresses these security issues. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome to the March 2022 release of Visual Studio Code. There are many updates in this version that we ho
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
【2020年】CTF Web問題の攻撃手法まとめ - こんとろーるしーこんとろーるぶい
Databases in 2025: A Year in Review
Claude Codeを超えたかも!?OpenHands CLIで抽象的な指示から完動するコードを一発生成
SeleniumによるAPI呼び出しを含むE2Eテスト自動化 - asoview! Tech Blog
the peculiar case of japanese web design - sabrinas.space
Scaling containers on AWS in 2022
How to create Skills for Claude: steps and examples | Claude
Announcing .NET 10 - .NET Blog
MCP Security Notification: Tool Poisoning Attacks
Claude Mythos Preview \ red.anthropic.com
Things we learned about LLMs in 2024
Optimizing your LLM in production
API Tokens: A Tedious Survey
Kalyn: a self-hosting compiler for x86-64
Emerging Architectures for LLM Applications | Andreessen Horowitz
Patterns for Building LLM-based Systems & Products
Automating dead code cleanup
Building agents with the Claude Agent SDK
SemVer in Rust: Tooling, Breakage, and Edge Cases — FOSDEM 2024
LLM Powered Autonomous Agents
March 2022 (version 1.66)