← marwandiallo.comlabs

Labs

Hands-on, opinionated security playgrounds. Each lab pairs a working demo with the failure modes I've actually seen in production. Built because the topics here don't survive PowerPoint.

Live

Identity Lab

Phishing-resistant authentication, end to end. Register a passkey in your browser, decode real JWTs and see what makes them forgeable, and learn how the same primitives apply to AI agents acting on a user's behalf.

  • WebAuthn / passkey registration + sign-in
  • JWT inspector with 8 alg-confusion / PII findings
  • Phishing-resistant MFA explainer
  • Agent identity (OIDC, SPIFFE, RFC 8693)
Open lab →Live

CSP Playground

Paste a Content-Security-Policy header, watch the analyzer flag the same patterns I flag in client engagements: unsafe-inline, wildcards, missing object-src, no nonce, no report-uri. Then see the four canonical CSP shapes side by side.

  • Live CSP header analyzer (12 rules)
  • Four canonical policy shapes compared
  • Common bypass patterns (JSONP, base-uri, dangling markup)
  • Migration path from unsafe-inline to nonces
Open lab →Live

Prompt Injection Lab

Indirect prompt injection, tool-call hijacking, exfiltration via markdown images. A deterministic side-by-side simulator of a naive vs hardened agent on identical attacker-crafted documents. No LLM API key required.

  • Naive vs hardened agent simulator (6 samples)
  • 10-rule injection detector (PI01–PI10)
  • Defense playbook ranked by impact
  • Pairs with the agent identity work in Identity Lab
Open lab →Live

SSRF / Cloud Metadata

Why 169.254.169.254 is the most-attacked IP on the internet. URL analyzer that decodes decimal, hex, octal, and alias-hostname bypasses; a tour of the five canonical SSRF targets; and the four hardening layers ranked by impact.

  • URL bypass analyzer (8 sample payloads)
  • AWS IMDS, GCP, Azure, Redis, Kubernetes targets
  • IMDSv2, egress firewall, SSRF-safe URL validation
  • Identity-layer scoping for blast-radius control
Open lab →

Why labs

Every security finding I've ever written has been more convincing when the reader could touch the bug. Slide decks let people nod along; a working demo, with the actual headers on the actual wire, is what changes architecture decisions.

These labs cost nothing to run, are linkable in a code review, and each one is a complete teaching artifact in under five minutes. If you're an engineer trying to convince a leader, or a leader trying to understand an engineer, that's what they're for.

Source

Everything is open source under MIT. github.com/mdiallo15/identity-lab. Issues and PRs welcome.