ninajafli/README.md

Hi, I'm Nino Najafli 👋

OSCP & OSWE certified security engineer — application security, penetration testing, and LLM security. M.S. in Information Security, Carnegie Mellon University.

I work across offensive security, detection/defense, and DevSecOps - from breaking web/mobile/network targets to building the pipelines and detections that catch the next attacker.

ninajafli.github.io · LinkedIn


Featured work

| Project | What it is |
| --- | --- |
| llm-redteam-harness | Prompt-injection red-team harness for local LLMs, scored with Wilson CIs and mapped to OWASP LLM Top 10 + MITRE ATLAS |
| threatflow | Real-time + batch threat-analytics platform on GCP (Kafka, Spark Streaming, Dataproc, Terraform, k8s) |
| DotCMS-CVE-2022-45782 | Full PoC for predictable dotCMS password-reset tokens, including a token cracker |
| browser-sec-labs | Dockerized, genuinely cross-origin labs for CORS and CSP-bypass attacks |

Toolbox

Burp Suite · Semgrep · Snyk · Metasploit · Frida · Splunk · Wazuh · Cortex XDR · Docker · Kubernetes · Terraform · GitHub Actions

Languages: Python · Go · C · Bash · JavaScript · SQL · PowerShell

Certifications

OSCP · OSWE · eCPPTv2 · CRTO · Certified DevSecOps Professional (CDP)


📫 Reach me at nnajafli@alumni.cmu.edu

Pinned

  1. DotCMS-CVE-2022-45782 Public

    Proof-of-concept for CVE-2022-45782: predictable dotCMS password-reset tokens, with a token cracker and full exploit chain.

    Python 1

  2. browser-sec-labs Public

    Dockerized, genuinely cross-origin labs demonstrating CORS misconfiguration and CSP-bypass attacks.

    Python

  3. llm-redteam-harness Public

    Prompt-injection red-team harness for local LLMs - scored with Wilson CIs and mapped to OWASP LLM Top 10 and MITRE ATLAS.

    Python

  4. threatflow Public

    Real-time and batch threat-analytics platform on GCP: Kafka, Spark Streaming, Dataproc, Terraform, and Kubernetes.

    Python