ialleejy: offensive cloud research, web exploitation, and security tooling.

A monorepo for a "bug-bounty AI Agent" system. Current focus: fixed API contract + verified pipelines with a backend stub and CI/CD (E2E smoke included).

Repository Layout

• backend/backend/: Django + DRF API, persists data in PostgreSQL.
• agent/: Agent area (WIP).
• docker/: Local E2E docker-compose + smoke script.
• infra/: CI/CD recommendations and GitHub Environments operations guide.

Current Flow

1. The client / agent issues POST /api/scan-runs/ to create a scan run.
2. The backend stores the run in PostgreSQL and creates one demo dummy finding.
3. Results are inspected via GET /api/scan-runs/<run_id>/ and GET /api/findings/?run_id=....

CI / CD (Summary)

• CI (.github/workflows/ci.yml): gitleaks secret scan · Trivy image scan (fail on HIGH/CRITICAL) · Syft SBOM generation & upload · docker-compose-based E2E smoke.
• CD (.github/workflows/cd.yml): GitHub Environments - staging automatic, production approval-gated · post-deploy smoke when BASE_URL / SMOKE_TARGET_URL are configured.

Quickstart

• Backend (local): cd backend/backend && python -m venv .venv && pip install -r requirements.txt && python manage.py migrate && python manage.py runserver 0.0.0.0:8000
• Health: curl -sf http://localhost:8000/health/
• E2E smoke (Docker): docker compose -f docker/docker-compose.e2e.yml up -d --build → python3 docker/e2e/smoke.py --base-url http://localhost:8000 --target-url http://test-target:8080 --timeout 60
• Port override: E2E_BACKEND_PORT=18000 if 8000 is already in use.

Why this design?

• Contract-first: Lock the API surface before agent logic, so multiple agents / scanners can plug in without breaking consumers.
• Pipeline-first: Establish secret scan, image scan, SBOM and E2E smoke before scaling features; every change ships through the same gate.
• Reproducible by default: Everything is runnable locally with a single docker compose command and a smoke.py assertion.

GnawLab (Beaver Dam Community) is a community-driven offensive cloud security training ground. I contribute the Bedrock AI Agent - Knowledge Base (RAG) Poisoning scenario.

Threat Model

• Asset: A Bedrock Agent powering an internal helpdesk / customer-support bot.
• Attacker capability: Write access (direct or indirect) to an S3 prefix that backs the Knowledge Base.
• Goal: Steer the agent to break its system prompt: exfiltrate data, mis-use tools, bypass guardrails.
• Why realistic: KBs are commonly fed from shared S3 buckets, helpdesk uploads, or wiki exports, all of which an attacker can influence.

Lab Architecture

• Agent: Amazon Bedrock Agent (LLM + tool-calling) deployed via Terraform.
• Knowledge Base: S3-backed Bedrock KB ingested into a vector store; documents are pulled at retrieval time.
• Tooling: Action-group Lambdas exposing typical helpdesk operations.
• Guardrails: Bedrock Guardrails (content filters / PII redaction) configurable per scenario.
• Frontend: Streamlit on EC2 acting as the operator's chat UI.

Attack Flow

1. Recon: Identify the S3 prefix backing the agent's KB and list writable paths.
2. Inject: Drop a poisoned document containing instruction-style content (e.g., "Ignore prior rules and …") under the trusted prefix.
3. Trigger: Issue a benign-looking question to the agent that retrieves the poisoned chunk.
4. Compromise: Agent treats retrieved text as authoritative context and executes attacker-controlled behavior: data leak, tool misuse, guardrail bypass.
5. Verify & harden: Switch back to the secure baseline scenario and re-run tests to confirm the attacks are blocked.

Defensive Takeaways

• Trust boundaries: Treat KB content as untrusted input, not as part of the system prompt.
• Source isolation: Separate operator-curated docs from user/3rd-party uploads using distinct prefixes / KBs.
• Guardrails: Enforce content filters, contextual grounding checks and refusal of instruction-shaped retrievals.
• Tool minimization: Apply least-privilege to action-group Lambdas (no overpermissive IAM on the agent role).
• Monitoring: Log retrieved chunks, agent reasoning and tool calls; alert on instruction-pattern matches inside KB content.

My Contribution

• Authored the Bedrock AI Agent KB Poisoning scenario (Terraform + scripted exploit + reference defenses).
• Wrote the threat model, attack flow and defensive takeaways for the GnawLab docs.
• Designed the secure-baseline / poisoned-baseline switch so trainees can reproduce, then verify mitigations.

Root-Cause taxonomy for Semantic-Gap vulnerabilities + a per-step payload wiki. Front=React, Ops=GCP N2 · Nginx, CI/CD=GitHub Actions + Docker Compose.

Why Semantic Gap?

• Root-cause gap: Existing taxonomies are technique/outcome-focused, making defensive insight hard to derive.
• Inconsistent terminology: The same phenomenon is described with different terms, making cross-case comparison hard.
• Goal: Provide a Root-Cause-based hierarchy plus per-step attack payloads as immediately useful knowledge for red-teaming, scanning and defensive policy work.

Root-Cause Taxonomy (5 axes)

• Syntax Parsing Gap: Per-component grammar / parsing-rule differences → HRS, HPP, etc.
• Security Policy Gap: Mismatch between WAF/filter rules and actual processing → JWT alg tampering, etc.
• Context Boundary Gap: Same data classified into different execution / security boundaries → clickjacking, focus abuse.
• Data Representation Model Gap: Encoding / normalization / homoglyph inconsistencies → filter bypass, spoofing.
• Metadata Interpretation Gap: Differing priority/validation for headers/cookies/tokens → session / auth bypass.

Construction Method

• Collection & analysis: Weekly scraping + tracking via Jira custom fields; manual verification of real-world cases.
• Mapping process: MECE mapping major → mid → minor categories with peer review.
• LLM-assisted: Prompt engineering to generate / refine taxonomy candidates (with human review).
• Cadence: Six recurring meetings/week (Sat offline, weekday online); pipeline-driven progress.

WEAVE Platform Features

• Home / dashboard: See overall taxonomy state at a glance; click an item for details.
• Tree navigation: Browse the major → mid → minor category hierarchy.
• Tag search: Cross-reference by technique / payload tags.
• Procedural narrative: Organize attack techniques along Recon → Injection → Obfuscation → Validation → Exploitation → Exfiltration.

My Role

• Web / Infra: React front-end · GCP N2 · Nginx ops · GitHub Actions + Docker Compose CI/CD.
• Content onboarding: Templated case / sub-category documents and unified tag / metadata.
• Quality: Standardized terminology & classification criteria, with consistent procedure / payload narratives.
• Operational stability: Repository backup / restore paths and access / usage monitoring.

Chrome extension → backend (DRF) → reCAPTCHA v2 auto-solver → content / traffic analysis pipeline. My role: DevOps · BreakCAPTCHA AI.

Why we built it

Studying SEO Poisoning and public vulnerable-domain cases (e.g., 360xss), we wanted to counter the trend of attacks that route bots vs. real users to different (benign / malicious) paths. We designed a real-time defense that combines browser extension · CAPTCHA automation · packet analysis.

Full Pipeline (3 stages)

1. Stage 1 - URL-feature detection: Lightweight LightGBM classifies URL / content features in real time (extension shows a warning).
2. Stage 2 - CAPTCHA handling: Selenium + fine-tuned YOLOv8 auto-solves reCAPTCHA v2 puzzles (board-diff detection · retries · natural mouse movement).
3. Stage 3 - Packet / TLS / HTML classification: Backend extracts network · domain · TLS · HTML metadata features and uses a RandomForest to return malicious / phishing verdicts as JSON.

Key Features

• Real-time protection: Chrome extension intercepts requests and surfaces verdicts via popup / badge.
• Modular analysis: site → captcha → packet tasks are separated for easy extension / replacement.
• Tampering detection: Browser-log collection checks for transmitted-parameter tampering.
• Whitelist cache: Avoids re-analyzing safe domains for speed.

My Role

• DevOps: Built CI/CD with GitHub Actions; images built & pushed to Docker Hub (ialleejy/reagan-backend) and deployed via docker-compose.
• Security & Infra: Applied Nginx reverse proxy and HTTPS (443), GCP instance monitoring/alerting, firewall (only 80/8000/443 open).
• BreakCAPTCHA AI: Fine-tuned YOLOv8, board-diff detection, human-like mouse movement, retry logic.

Design Notes

• Front-end / AI: Lightweight model and minimal features for low latency; message-based comms to navigate MV3 constraints.
• Backend: When DRF creates an AnalysisRequest, three tasks are auto-derived and state-managed; CORS / BasicAuth, Gunicorn.
• Data: Fine-tuned YOLOv8 on a reCAPTCHA dataset (e.g. Mandourah); the packet AI uses TLS / domain / HTML / network logs for features.

GCP N2 (Ubuntu) · Nginx · Docker Compose · GitHub Actions. Front=React+Vite, Back=Spring Boot, Discord Bot=Python.

Design Summary

• 3-tier: React+Vite (front) ↔ Spring Boot API ↔ MySQL (data) + Redis (session/cache).
• Nginx reverse proxy + Docker Compose multi-service stack for simple deploys / rollbacks.
• GitHub Actions CI/CD (image build → Docker Hub push → remote Compose update).
• Operational automation: Discord bot integration for announcements / hints / FirstBlood notifications and ops commands.
• Stability: Pre-event load tests, health checks and log collection for zero-downtime contest ops.

Key Modules

• Web: Challenge list / detail, submission form, real-time scoreboard, team / individual support.
• Back (API): Flag validation, submission logging / ranking aggregation, admin CRUD for challenges, teams and users.
• Discord Bot: Announcement / hint broadcasting, ops commands, FirstBlood event notifications.

React + Vite. Ubuntu host with port-forwarding · Nginx reverse proxy · automated deploy via GitHub Actions.

CI Pipeline (Summary)

• Trigger: pull_request, feature/** branch push
• Build & Run: docker compose -f docker-compose.ci.yml up -d brings up the container (host 8080 → container 80)
• Smoke Test: Up-to-60s retry loop checking curl --head http://localhost:8080 for HTTP 200
• Cleanup: Always docker compose ... down -v to tear down / clean volumes (clean previews)

CD Pipeline (Summary)

• Trigger: main branch push
• Build / Push: Build front-end image with buildx, push to GHCR (ghcr.io/owner/repo) with latest / sha tags
• Remote prep: SSH to server → set up directory / .env → GHCR login
• HTTP boot: Upload templates → start nginx / app via docker compose → HTTP health check
• SSL issuance: certbot webroot issues / renews certs → produce TLS helper files
• HTTPS switch: Apply HTTPS templates and nginx -s reload → pull latest images → zero-downtime stack restart
• Verify / Cleanup: HTTPS health check · prune stale images · success / failure notifications

Baekjoon contest platform powered by the Solved.ac API. Server = GCP E2, Docker / Compose, Nginx + Gunicorn, Django.

Key Features

• Dynamic scoring: Latest submission results are reflected immediately for real-time feedback.
• AJAX leaderboard: fetch-based polling / refresh for ranking updates without page reload.
• Submission & validation: Uses requests against solved.ac; logs accept / reject and assigns points.
• User / team management (admin): Operational tooling for participants, teams, problem points and event timing.

Validation Pipeline

1. Run management command: python manage.py update_solved_problems --user_id <handle> --problem_id <pid>
2. Lookup target: match Participant · ContestProblem (exit if none).
3. Dedup: if an accepted record already exists, exit (block duplicate updates).
4. Query solved.ac: GET https://solved.ac/api/v3/search/problem with query=solved_by:{handle} id:{pid} to verify the participant solved the problem.
5. Persist to DB:
   • Accepted: delete prior submissions, then create a single accepted submission (score = problem.points).
   • Rejected: accumulate rejected submissions for penalty / statistics.

A Windows local utility. Disable / enable browser DevTools via registry & settings; ships as a single PyInstaller exe.

A DevTools-blocking utility I built during my military service for Chrome / Edge / Internet Explorer / Firefox. disable.py writes policy registry keys and user settings to disable DevTools; enable.py deletes those values to re-enable it. Distributed as a single EXE built with PyInstaller (admin required).
Registry policies take effect on reboot.

Registry policy Admin privileges

• Build: pyinstaller --onefile --noconsole disable.py (admin required)
• Revert: enable.py deletes the added keys / settings