Javan Rasokat Posts

From Firefighting to Prevention: Taking Browser-Native Defences to Hacker Summer Camp

Over the past few years, I’ve spent more time than I’d like to admit in the weeds — reviewing reports, fixing recurring bugs, writing guidance that never scales. Like many in AppSec, I’ve asked myself: Why are we still fixing the same bug classes in 2025 that we were in 2015? This frustration was the starting point for something more…

AI Tools in the Classroom: What I Learned from 12 Student Projects on Secure Coding

This week, the students in my Security Hackathon class at DHBW presented their final projects. The format was simple: each group selected one of the OWASP Top 10 Proactive Controls and explored it in depth. The results were more than I had hoped for. While it wasn’t required to build a working project, many groups chose to go beyond expectations,…

How to send HTTP-Requests from Cloudflare’s IP Range

This is Part 3 of a series of multiple Cloudflare-related blog posts. Now that we have Cursor, vibe coding simple ideas into a working MVP is fun and gives you fast results, so I gave it a try. One of the projects I created is https://cf-relay.javan.de, an advanced HTTP proxy using Cloudflare’s IP range to bypass IP-based restrictions, rate limiting, and…

How to prevent Cloudflare Proxy Bypasses

The first two search results for “blocking origin access directly” on Google showed me two misleading Cloudflare community threads with wrong security assumptions, which is why I decided to write this guide. [1] [2] The best and recommended solution is using Authenticated Origin Pulls with custom certs per domain, but as this is not trivial to set up I decided to write about…

Hacking the LEDA LUC2 Fireplace: Reading CAN Bus Data with ESP32 and ESPHome

Ever since I installed a LEDA LUC2 fireplace, I wanted deeper insights into how it operates — particularly pressure difference, exhaust temperature, and ventilation state. Unfortunately, the vendor doesn’t provide any integration options, and the only external interface is a mysterious RJ12 port on the controller. So I decided to reverse engineer it myself. In this post, I’ll walk you…

We’ve Normalised AI. But Not Secure Code.

Reflections from BSides Canberra 2023 to the Securing Sage Summit 2025

Last month at the Securing Sage Summit, I watched Sonya M. from Snyk give a slick, fast-paced live demo using GitHub Copilot. It was exactly the kind of session that draws a crowd — showing how quickly AI can help generate code from natural language prompts. But then it…

Is it just me – or is 2025 the year of scale?

Maybe it’s just the talks I’ve attended and the articles I’ve read. Maybe it’s just the rabbit hole I went down. Or maybe… we’re all collectively realising the same thing. I hit a wall. At the end of 2024, I went all-in on automation. I built MVPs, tested capabilities, and made it my mission to influence others to do the…

From mysql_real_escape_string() to AI Firewalls: Are We Repeating History with Prompt Injection?

In the early days of web development, PHP developers often relied on functions like mysql_escape_string() to sanitize user inputs. However, this approach was fraught with pitfalls. Misuse, incorrect character encoding handling, and a lack of awareness led to numerous vulnerabilities. To address these issues, mysql_real_escape_string() was introduced, which considered the current character set of the database connection, offering a more…

Scaling AppSec in High-Velocity Engineering: My Take

Jason Chan’s article “Security for High Velocity Engineering” hit me hard. It captures a reality many of us in Product Security face: engineering teams move fast, and unless your security program evolves beyond one-off engagements and reactive fixes, you’ll constantly be playing catch-up.

The Fragile Model: When 1:1 Investment Walks Out the Door

When I started out as an AppSec…

Hacking your not-so-smart doorbell – Home Assistant and Gemini AI

At DEFCON32, my colleague Andra Lezza and I presented a talk on building and securing LLM applications – particularly chatbots – drawing from our work at Sage. One of the highlights of our talk was a practical proof of concept: a smart home setup using Home-Assistant.io, which we showcased to demonstrate safety implications and security considerations of AI-integrated applications. In…

Data protection
Security & Software Engineering Javan Rasokat, Owner: Javan Rasokat (Registered business address: Germany), processes personal data only to the extent strictly necessary for the operation of this website. All details in the privacy policy.