Autonomous AI Agents for Zero-False-Positive Offensive Security
Black Hat
video
2026-04-05T00:00:00
Abstract
This talk explores the frontier of AI-driven offensive security, focusing on the architecture of Xbow, an autonomous pentesting platform. It demonstrates how AI "solvers" can be orchestrated by a central "coordinator" to perform complex, multi-step vulnerability research—such as identifying XXE via out-of-band (OOB) interactions and executing complex account takeover (ATO) chains—with near-zero false positives. Key takeaways include the mechanics of AI reasoning in pentesting, the integration of OOB interaction servers for validation, and the technical nuances of chaining API downgrades, JSONP, and XSS.
Match Rate: 10.00/10 (Relevance to core cybersecurity goals)