Positive Security
Holistic IT security research & consulting
Positive Security
Holistic IT security research & consulting
Quick -  Proper - Thorough
Our work is thorough - we are driven by curiosity to explore the whole picture.

Who we are

We're a team of highly skilled IT security professionals dedicated to tackling the most diverse and complex problems in the industry.

Learn More

What we do

With a holistic mindset, we provide a wide range of offensive and defensive IT security services. From hacking your website, company or IoT device, to implementing security features in your app, we help you drive positive change in your organization.

Learn More
Hacking Auto-GPT and escaping its docker container
June 29, 2023

We leverage indirect prompt injection to trick Auto-GPT (GPT-4) into executing arbitrary code when it is asked to perform a seemingly harmless task such as text summarization on a malicious website, and discovered vulnerabilities that allow escaping its sandboxed execution environment.

Ransacking your password reset tokens
January 26, 2023

We demonstrate how the popular "Ransack" library (Ruby on Rails) can be abused to exfiltrate sensitive data via character by character brute-force, allowing for a full application compromise in some cases. An internet wide search identifies several hundred potentially vulnerable applications.

urlscan.io's SOAR spot: Chatty security tools leaking private data
November 2, 2022

We explore the security service urlscan.io and showcase through various "dorks" that their searchable scan database is a treasure trove of URLs pointing to sensitive user information, allowing account takeover, and much more. Part of the data has been leaked in an automated way by other security tools (SOARs) that accidentally made their scans public.

More posts

Contact Us

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Or send an email to hi@positive.security