

Episode 134: XBOW - AI Hacking Agent and Human in the Loop with Diego Djurado
Aug 4, 2025
Diego Djurado, a security researcher at XBOW and HackerOne ambassador from Spain, dives into the fascinating world of AI hacking agents like XBOW. He shares insights into its architecture and the challenges posed by AI hallucinations. Diego reflects on his bug bounty journey, including competitive experiences at the Ambassador World Cup, while discussing the balance between human expertise and AI in vulnerability testing. Concepts like chaining vulnerabilities and the ethics of AI in security assessments make this a thought-provoking conversation.
AI Snips
A Complex Five-step Account Takeover
- Diego Djurado shared a complex five-step account takeover involving API downgrade, JSONP, referer checks, and an XSS in Adobe Experience Manager.
- The bug was found collaboratively by different team members, showcasing teamwork and chaining skills.
Hallucinations Aid Vulnerability Discovery
- XBOW's AI hallucinated a CVE and endpoint, which unintentionally led to testing a real vulnerable endpoint.
- This shows AI hallucinations can sometimes aid vulnerability discovery unexpectedly.
Use Python for Efficient Testing
- Use Python scripting in AI pentesting to efficiently batch multiple payload attempts in one iteration.
- Prioritize Python scripts as some models yield better results coding in Python than sending raw requests.