Johan Rosenkilde

15 posts

@JohanRosenkilde

Founding AI Engineer at XBOW. Ex Hubber, co-creator of GitHub Copilot. Ex math professor at DTU

Joined June 2021
9 Following, 26 Followers

Johan Rosenkilde retweeted
XBOW (@Xbow)
The top hacker in the US is not a human, but a machine. @XBOW founder and CEO @oegerikus and @apoorv03 of @altcap joined @BloombergTV this morning to talk about the milestone.

Johan Rosenkilde retweeted
XBOW (@Xbow)
For the first time in history, the #1 hacker in the US is an AI. (1/8)

Johan Rosenkilde retweeted
XBOW (@Xbow)
XBOW found a stored XSS vulnerability (CVE-2024-52597) in the migration functionality of 2FAuth by crafting a malicious SVG file with a JavaScript payload! Our latest blog post, by @djurado9, gives the full details: xbow.com/blog/xbow-2fau…

Johan Rosenkilde retweeted
XBOW (@Xbow)
XBOW found a critical path traversal vulnerability in ZOO-Project (CVE-2024-53982). The vulnerability exists in the Echo example (enabled by default) and allows an attacker to retrieve any file on the server. Users should upgrade to the latest version.

Johan Rosenkilde retweeted
XBOW (@Xbow)
XBOW bypasses a MIME-type filter, abusing an OTP icon preview feature in 2FAuth to exploit an SSRF and discover CVE-2024-52598. Affected users should apply the patch and read about all the details in our blog post this Friday.

Johan Rosenkilde retweeted
XBOW (@Xbow)
The XBOW band got together in Malta last week. Great new hits coming!

Johan Rosenkilde retweeted
XBOW (@Xbow)
XBOW autonomously discovered CVE-2024-50334, a critical authentication bypass in Scoold, an open-source Q&A webapp used by major companies like Cisco and IBM. Our latest blog post details how it found the flaw: xbow.com/blog/xbow-scoo…

Johan Rosenkilde retweeted
XBOW (@Xbow)
XBOW is the world’s first fully automated web pentester. It previously scored an unprecedented 75% on renowned web pentesting benchmarks from @PentesterLab and @PortSwigger. So we decided to give it a harder challenge: competing against humans.

Johan Rosenkilde retweeted
XBOW (@Xbow)
What if an AI’s “brilliant” solution to a problem is just memorized? Modern AI systems have seen the whole web, so there’s only one way to be sure—we created 104 novel benchmarks. Now we can be certain that beautiful solves like this one are real: bit.ly/4cIW0NI

Johan Rosenkilde retweeted
XBOW (@Xbow)
Real vulnerabilities don’t come with hints—so we asked XBOW to solve this task without giving it even a description of the benchmark. It performed just as well, finding and exploiting a GraphQL-based IDOR vulnerability entirely autonomously: bit.ly/3XYPTQJ

Johan Rosenkilde retweeted
Brendan Dolan-Gavitt (@moyix)
Here's a quick tour through one of my favorites, where @XBOW not only solved the benchmark (a Jenkins RCE) but then went for style points by debugging a slightly broken benchmark setup to get the flag!

Johan Rosenkilde retweeted
XBOW (@Xbow)
XBOW finds and exploits vulnerabilities in 75% of 647 renowned web benchmarks. Given a short description of the benchmark, it autonomously pursues high-level goals, executing commands and interpreting their output to achieve exploitation. Check it out: xbow.com

Johan Rosenkilde retweeted
Oege de Moor (@oegerikus)
Can't remember that shell command? GitHub Copilot CLI has the answer. It's obviously a huge time saver for us all. What are you waiting for? githubnext.com/projects/copil…