Sven Morgenroth | Personal Portfolio

Prompt Injection Cheat Sheet

Blog Post

Prompt Injection Cheat Sheet

A while ago I wrote this cheat sheet just as a way to remember all the up and coming prompt injection techniques that I have used or seen online. In the mean time the amount of techniques has exploded, together with the use cases of AI.

Fun fact: for the longest time this post has ranked #1 on Google's search results for "Prompt Injection Cheat Sheet", due to its inclusion in two research papers and Amazon AWS documentation.

Type: Blog Post
Platform: Seclify Blog
Year: 2023
Link: Seclify Blog

Traceroute Won't Help A Lot When Someone Plows Through Your Junction Box

Blog Post

Traceroute Won't Help A Lot When Someone Plows Through Your Junction Box

After a literal delivery track took down a junction box in my street and left me without internet at home, I was curious about how debugging tools work. Sure, once the physical cable is scattered across someones yard, it won't do much, but how does traceroute actually detect these intermittend servers responsible for routing packets to their destination?

With a clever hack, that's how! And that piqued my interest eough to explore some protocols like ICMP, UDP and everything connected with the way how traceroute works. It's a fun read and not too long.

Type: Blog Post
Platform: substack
Year: 2025
Link: Substack post

How I hacked my Smart TV without even leaving my bed

Blog Post

How I Hacked my Smart TV from My Bed via a Command Injection

This blog post is one of my all time favorites. Not only because it became quite popular, but also because it combined so many of my favorite things about hacking: A vulnerability in an unexpected place, overcoming obstacles to exploit it, and a cool way to demonstrate it for the readers.

Fun fact: This blog post garnered some attention on reddit and at the time of this writing is still in the top 25 posts of all time on /r/netsec with 1.3k upvotes.

Type: Blog Post
Platform: Invicti Blog
Year: 2017
Link: Invicti Blog

Prompt Injection Playground

Open Source Project

Prompt Injection Playground

Given both my passion for emerging technologies and the still existing uncertainty in regards to Prompt Injection Attacks, I decided to create one of the first playgrounds, dedicated to understanding this kind of vulnerability.

I took inspiration from various real world cases I encountered to create realistic testing scenarios. The goal of the resulting project is to equip developers and defenders with the knowledge of how to detect and prevent such attacks.

Since creating this, both the use cases and the attack methods for LLM Chatbots have evolved. I'm ready to revisit, refactor and refine this project at a future date to give others more options to explore Prompt Injection Attacks first hand.

Type: Open Source Project
Platform: GitHub
Year: 2023
Link: Repository

Deobfuscating JavaScript Code of a Steam Phishing Website

Blog Post / White Paper

Deobfuscating JavaScript Code of a Steam Phishing Website

Phishing Page Deobfuscation White Paper

In this white paper I explain the process of manually deobfuscating the JavaScript code of a steam phishing website. The challenge of presenting a topic like this, comes from the fact that it's generally hard to follow along as a reader, as deobfuscating code is generally a time consuming and intensive task.

I therefore decided to make it an interactive experience by providing links that skip between the obfuscated and deobfuscated portions of the code. Based on the feedback I received, this was the right call as it helped conveying a topic that is generally difficult to understand.

Type: Blog Post / White Paper
Platform: Invicti Website
Year: 2019
Link: Invicti Website

Bypassing Input Filters - Paul's Security Weekly #526

Video

Bypassing Input Filters - Paul's Security Weekly #526

Even though this show was recorded several years ago, this is still one of my favorite Security Weekly demos that I held. I demonstrated some of my favorite bypass techniques for input filters, showcasing some of the most interesting tricks I picked up over the years, ranging from XSS to System Command Injections to PHP Deserialization issues and much more.

Fun fact: The shows are recorded live, around 6PM EST and the technical segments start an hour later. So usually I would hold my presentations at 1AM CET. This was such a fun experience though that I never really minded the late hours and got all excited about the upcoming show well in advance!

Type: Video / Technical Demo
Platform: Paul's Security Weekly (youtube.com)
Year: 2017
Link: Invicti Blog

Bypassing Firewalls with Client Side Vulnerabilities

Blog Post

Bypassing Firewalls with Client Side Vulnerabilities

One of my earlier posts on invicti was about clever ways that attackers may utilize to bypass firewalls and access services in development that were more vulnerable or contained known bugs. This required extensive knowledge of client side vulnerabilites and inherent issues in which browsers tie origin checks to a domain name.

Luckily most of the issues mentioned in the blog post are fixed or commonly mitigated these days. Especially in the context of web browsers, some bugs are short lived and others may arise with the implementation of new features, frameworks and technologies. That is one of the reasons why it is important to keep up to date with the latest security threats and developments.

Type: Blog Post
Platform: Invicti Blog
Year: 2017
Link: Invicti Blog

Years of
Experience

Educational Posts
Blog Articles
& Webinars

Hello, I'mSven
Morgenroth

Who am I?

About MeStaff Security Researcher from Germany

Name

Email

Age

Location

My SkillsSecurity Expert with a Growth Mindset

Programming

Bypassing Security Controls

Source Code Analysis

Web Application Security

Portfolio

Prompt Injection Cheat Sheet

Traceroute Won't Help A Lot When Someone Plows Through Your Junction Box

How I Hacked my Smart TV from My Bed via a Command Injection

Prompt Injection Playground

Deobfuscating JavaScript Code of a Steam Phishing Website

Bypassing Input Filters - Paul's Security Weekly #526

Bypassing Firewalls with Client Side Vulnerabilities

Testimonials

Zbigniew Banach* Managing Editor and Senior Cybersecurity Writer at Invicti Security

Mustafa Hasan* Auditing Engineer at Quantstamp

Get in Touch

Years of Experience

Educational PostsBlog Articles& Webinars

Hello, I'mSvenMorgenroth

Who am I?

About MeStaff Security Researcher from Germany

Name

Email

Age

Location

My SkillsSecurity Expert with a Growth Mindset

Programming

Bypassing Security Controls

Source Code Analysis

Web Application Security

Portfolio

Prompt Injection Cheat Sheet

Traceroute Won't Help A Lot When Someone Plows Through Your Junction Box

How I Hacked my Smart TV from My Bed via a Command Injection

Prompt Injection Playground

Deobfuscating JavaScript Code of a Steam Phishing Website

Bypassing Input Filters - Paul's Security Weekly #526

Bypassing Firewalls with Client Side Vulnerabilities

Testimonials

Zbigniew Banach* Managing Editor and Senior Cybersecurity Writer at Invicti Security

Mustafa Hasan* Auditing Engineer at Quantstamp

Get in Touch

Years of
Experience

Educational Posts
Blog Articles
& Webinars

Hello, I'mSven
Morgenroth