Highlights from OWASP New Zealand Day 2025

Edu Depetris

- Sep 07, 2025
  • Security
  • Conference
  • AI
Unfortunately, this year I couldn’t make it to Rails World, but I did manage to pop into OWASP New Zealand Day. It’s New Zealand’s only national conference focused on application security, held in Auckland.

In this post, I’ll share a few highlights that caught my attention during the two-day conference.

Let’s start with the Credential Management API, mostly driven by Google and currently supported mainly in Chrome. This is an emerging browser API — a tentative first step toward a future where the browser itself handles logging in to a web application, rather than the web page doing it directly.

Basically, a website can use this API to create and manage credentials.

In the following gist, you’ll find a simple demo. First, you enter your credentials, and then with the new Credential Management API I’ll create a password representation in the browser and save it to the browser’s storage.
Next time the user visits the page, the script will check the browser storage for credentials. If one is found, it will be used to log the user in automatically.
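
The save-then-auto-sign-in flow described above, as an added example (not the gist from the original post). The function names, the `env` parameter and the `signIn` callback are assumptions of this example; `PasswordCredential`, `navigator.credentials.store()`, `get()` and `preventSilentAccess()` are the browser's own API.

```javascript
// Added example: Credential Management API save / auto sign-in flow.
// `env` is the global object (window in a browser); it is passed in so the
// functions can also be exercised against a fake outside a browser.

// Feature-detect: PasswordCredential is not available in every browser.
function isSupported(env) {
  return Boolean(env && env.PasswordCredential &&
                 env.navigator && env.navigator.credentials);
}

// After a successful login, ask the browser to store the credential.
// The browser may show its own "save password?" prompt at this point.
async function saveCredential(env, { username, password, displayName }) {
  if (!isSupported(env)) return false;
  const cred = new env.PasswordCredential({
    id: username,
    password,
    name: displayName,
  });
  await env.navigator.credentials.store(cred);
  return true;
}

// On page load, look for a stored credential and hand it to `signIn`,
// a caller-supplied (hypothetical) function that posts it to the server.
// Returns null when unsupported or when nothing is stored.
async function autoSignIn(env, signIn) {
  if (!isSupported(env)) return null;
  const cred = await env.navigator.credentials.get({
    password: true,
    mediation: 'optional', // 'silent' never prompts, 'required' always does
  });
  if (!cred || cred.type !== 'password') return null;
  // cred.password is readable by page script, so any XSS on this origin
  // can read it too; the server must still verify the password as usual.
  return signIn(cred.id, cred.password);
}

// On logout, stop the browser from silently signing the user back in.
async function signOut(env) {
  if (!isSupported(env)) return false;
  await env.navigator.credentials.preventSilentAccess();
  return true;
}
```

In a page, pass `window` as `env`. The API is only exposed in secure contexts (HTTPS).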


Another interesting piece of technology is the OWASP GenAI project, which produces the top 10 risks and mitigations for LLMs and GenAI applications. Once again, injection attacks take the number one spot.

Here’s a cool example of a prompt injection in action: Inject my PDF by Kai Greshake.

Finally, an interesting topic was how we can stop robots, especially in today’s AI era where data is exactly what LLMs need for training.

This useful resource provides a comprehensive list of AI robots that you can add to your robots.txt.

🎉 Happy Coding.