zizkill
Armend Gashi
Anit Hajdari
Large-language-model wrappers increasingly rely on the “ChatML” format to segregate system, assistant, and user roles, yet those delimiters introduce a critical appsec flaw: ChatML defines a role hierarchy, but neither ChatML nor its chat-completions JSON wrapper builds in server-side RBAC or a parameter-level trust boundary. Any client that can speak ChatML can also impersonate privilege, much like the logic flaws of early-2000s webapps. To make it worse, the design pioneered by the leading model providers, roles and privileges with no built-in RBAC, has since been forked by everybody and their mother.
In twenty minutes we will walk through the anatomy of that oversight and unveil three vendor-agnostic role-injection techniques that bypass guardrails, trigger unbounded consumption, and hijack function calls in under 50 tokens. We then pivot to parameter pollution, showing how key overrides (temperature, system, tools) can be used to abuse agents further.
OWASP AAI001: Agent Authorization and Control Hijacking
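As an added illustration of the trust boundary the abstract says is missing (example code, not the speakers' material), here is a server-side validator that rebuilds a chat-completions request from untrusted client JSON: it accepts only user-role messages, rejects ChatML delimiters inside message content, refuses duplicate JSON keys, caps max_tokens, and pins the server-owned parameters the abstract names. The function name build_request, the model name and the token cap are hypothetical choices.

```python
import json
import re

# ChatML control tokens: anything that could open or close a role block.
CHATML_TOKENS = re.compile(r"<\|im_(?:start|end)\|>")
# The only role an untrusted client may submit directly.
CLIENT_ROLES = {"user"}
# Server-owned parameters; client-supplied copies are discarded (hypothetical values).
SERVER_PARAMS = {"model": "example-model", "temperature": 0.2, "tools": []}
MAX_TOKENS_CAP = 1024


class RoleViolation(ValueError):
    """Raised when client JSON tries to cross the role/parameter trust boundary."""


def _reject_duplicate_keys(pairs):
    # json.loads silently keeps the last duplicate key; a polluted request may
    # carry two "temperature" keys hoping one of them survives validation.
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise RoleViolation(f"duplicate key {key!r}")
        seen[key] = value
    return seen


def build_request(client_json: str, system_prompt: str) -> dict:
    """Rebuild a chat-completions request from untrusted client JSON.

    The system prompt comes from the server, only 'user' messages are accepted
    from the client, ChatML delimiters in content are rejected, and
    model/temperature/tools/max_tokens are pinned server-side.
    """
    body = json.loads(client_json, object_pairs_hook=_reject_duplicate_keys)
    messages = [{"role": "system", "content": system_prompt}]
    for msg in body.get("messages", []):
        role = msg.get("role")
        if role not in CLIENT_ROLES:
            raise RoleViolation(f"client may not submit role {role!r}")
        content = str(msg.get("content", ""))
        if CHATML_TOKENS.search(content):
            raise RoleViolation("ChatML control token inside user content")
        messages.append({"role": "user", "content": content})
    request = dict(SERVER_PARAMS)  # any client copies of these keys are dropped
    request["messages"] = messages
    # Cap max_tokens so a client cannot request unbounded generation.
    request["max_tokens"] = min(int(body.get("max_tokens", 256)), MAX_TOKENS_CAP)
    return request
```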
zizkill
Co-Founder, Sentry (https://sentry.security)
Robert Shala is co-founder of Sentry, where he leads 50 security consultants and has delivered 2000-plus red-team and appsec engagements for some of the world's largest organizations. He also contributes as an AI Red Teamer for a major AI model developer, probing frontier models for safety and security flaws.
Robert holds an M.S. in Security Studies from Georgetown, a B.S. from RIT, and has a passion for wargaming.
Armend Gashi
Managing Security Consultant at Sentry Cybersecurity
Armend Gashi is Managing Security Consultant at Sentry. With over 5 years in the industry, he specializes in application security and AWS cloud assessments. Armend has also performed AI red teaming engagements and developed multi-agent systems to perform security-focused tasks such as code auditing and exploit development.
Anit Hajdari
Role Injection - Hijacking ChatML Compatible Agents
Hi, I'm Anit Hajdari, a Security Consultant at Sentry with nearly two years of hands-on experience in the cybersecurity field. Throughout my career, I've been involved in a wide range of security assessments, including internal and external network penetration testing, as well as web and mobile application security evaluations. More recently, I've expanded my expertise into the emerging area of Large Language Model (LLM) penetration testing, staying ahead of the curve as AI technologies evolve. My work focuses on identifying vulnerabilities, delivering actionable insights, and helping organizations strengthen their overall security posture.