XBOW

@Xbow

Followers
3K
Following
34
Statuses
59

Bringing AI to offensive security by autonomously finding and exploiting web vulnerabilities. Watch XBOW hack things: https://t.co/H9AbW0QIem

Seattle, Washington, USA
Joined May 2007
@Xbow
XBOW
6 months
XBOW is the world’s first fully automated web pentester. It previously scored an unprecedented 75% on renowned web pentesting benchmarks from @PentesterLab and @PortSwigger. So we decided to give it a harder challenge: competing against humans.
27
58
352
@Xbow
XBOW
13 days
Watch the full interview here:
0
0
2
@Xbow
XBOW
2 months
Just in time for the holidays: how XBOW found an arbitrary file download (CVE-2024-53982) in ZOO-Project, protecting Santa's critical geospatial processing infrastructure from attackers!
2
6
42
@Xbow
XBOW
2 months
65 reports were submitted since September, including 20 critical findings
0
3
51
@Xbow
XBOW
2 months
XBOW found a stored XSS vulnerability (CVE-2024-52597) in the migration functionality of 2FAuth by crafting a malicious SVG file with a JavaScript payload! Our latest blog post, by @djurado9, gives the full details:
1
13
48
@Xbow
XBOW
2 months
XBOW found a critical path traversal vulnerability in ZOO-Project (CVE-2024-53982). The vulnerability exists in the Echo example (enabled by default) and allows an attacker to retrieve any file on the server. Users should upgrade to the latest version.
2
13
135
@Xbow
XBOW
2 months
RT @Konstantine: AI is shifting from simple language models to sophisticated agents that actually get things done. Case in point: @Xbow,…
0
19
0
@Xbow
XBOW
2 months
AI vs AI: How XBOW found a path traversal vulnerability (CVE-2024-53844) in LabsAI's EDDI, an open source conversational AI middleware.
0
8
44
@Xbow
XBOW
2 months
RT @niemand_sec: Katex? What's KaTex? Luckily the AI knows :)
0
2
0
@Xbow
XBOW
3 months
XBOW found a path traversal vulnerability (CVE-2024-53844) in LabsAI's EDDI project that allows attackers to download any file on the server. XBOW combined a series of URL encodings and path normalization bypasses to trigger the flaw. Users of versions 4.3–5.3 should upgrade.
0
6
36
@Xbow
XBOW
3 months
XBOW identified a complex XSS vulnerability in WikiDocs (CVE-2024-53930), leveraging deep knowledge of KaTeX to craft a macro exploit. Update to version 1.0.65.
1
10
55
@Xbow
XBOW
3 months
Here’s the walkthrough:
@Xbow
XBOW
3 months
XBOW bypasses a MIME-type filter, abusing an OTP icon preview feature in 2FAuth to exploit an SSRF and discover CVE-2024-52598. Affected users should apply the patch and read about all the details in our blog post this Friday.
1
10
33
@Xbow
XBOW
3 months
XBOW autonomously identified a persistent Cross-Site Scripting vulnerability in the account migration feature of 2FAuth (CVE-2024-52597). Full details of the flaw and how it was discovered will be shared in our upcoming blog post.
1
2
38
@Xbow
XBOW
3 months
RT @moyix: Our second CVE, this time a vulnerability in an OTP app that could be exploited to exfiltrate data from an internal network (Ser…
0
5
0
@Xbow
XBOW
3 months
XBOW bypasses a MIME-type filter, abusing an OTP icon preview feature in 2FAuth to exploit an SSRF and discover CVE-2024-52598. Affected users should apply the patch and read about all the details in our blog post this Friday.
0
7
69
@Xbow
XBOW
3 months
RT @jstnkndy: @moyix @nicowaisman this is easily one of my favorite writeups of the year.
0
1
0
@Xbow
XBOW
3 months
XBOW autonomously discovered CVE-2024-50334, a critical authentication bypass in Scoold, an open-source Q&A webapp used by major companies like Cisco and IBM. Our latest blog post details how it found the flaw:
3
42
141
@Xbow
XBOW
3 months
The XBOW band got together in Malta last week. Great new hits coming!
0
4
30
@Xbow
XBOW
5 months
RT @moyix: Also, I'm very curious to see how difficult strong CTF players find these challenges – now's the chance to prove you're smarter…
0
1
0