The world's first Offensive Security AI to ace a web application hacking exam*

Shinobi helps fortify your web applications by performing expert-level black-box and white-box penetration tests, on demand. All it needs is a scope of work.

Watch Shinobi VS CTFs
Finding and exploiting vulnerabilities

Agent Shadow’s mission: Exploit the live chat WebSocket feature to execute an XSS payload in the support agent’s browser.

As It Happened:

  1. Agent Shadow carefully examined the chat interface and identified the WebSocket connection as a potential vector for injecting an XSS payload.
  2. It analyzed the WebSocket handshake and implemented IP spoofing using the X-Forwarded-For header to bypass IP restrictions and gain trusted access.
  3. The initial payloads were thwarted by an aggressive filter detecting event handlers like onerror, prompting a creative shift in its approach.
  4. Employing critical thinking, it crafted an iframe-based payload using srcdoc, with obfuscated JavaScript calls such as window.alert(1), to get past the content filter.
  5. The modified payload successfully triggered in the support agent’s browser, as evidenced by the agent’s response and the lab being marked as solved.

Agent Shadow’s persistence and strategic thinking demonstrated the importance of adaptability in exploiting vulnerabilities while navigating multiple layers of defense.
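The X-Forwarded-For spoofing in step 2 works because the application treats a client-supplied header as the client's address. The following is an added example, not Shinobi's or the lab's code: a weak IP-restriction check beside a hardened one that honours the header only when the TCP peer is a known reverse proxy. The proxy address 10.0.0.5 and the allow-listed client 192.0.2.10 are constructed values, and the request objects are stand-ins shaped like Node's http.IncomingMessage.

```javascript
// Added example: which address an IP-restriction check should trust.

// Assumption: our own reverse proxy (constructed address).
const TRUSTED_PROXIES = new Set(['10.0.0.5']);
// Assumption: the support team's allow-listed network (constructed address).
const ALLOWED_CLIENTS = new Set(['192.0.2.10']);

// Weak: the header is attacker-controlled, so the allow-list is meaningless.
function clientIpWeak(req) {
  const xff = req.headers['x-forwarded-for'];
  return xff ? xff.split(',')[0].trim() : req.socket.remoteAddress;
}

// Hardened: the socket peer is the only fact we know for certain.
// Honour X-Forwarded-For only when that peer is one of our proxies, and then
// take the right-most hop (the one our proxy appended), not the left-most one
// the client may have supplied.
function clientIpHardened(req) {
  const peer = req.socket.remoteAddress;
  const xff = req.headers['x-forwarded-for'];
  if (!TRUSTED_PROXIES.has(peer) || !xff) return peer;
  const hops = xff.split(',').map((s) => s.trim()).filter(Boolean);
  return hops[hops.length - 1];
}

// The restriction itself, parameterised by the resolver so both can be compared.
function isAllowed(req, resolveClientIp) {
  return ALLOWED_CLIENTS.has(resolveClientIp(req));
}

// Constructed request: a direct connection from an unknown address that
// claims the allow-listed client in the header.
const spoofed = {
  socket: { remoteAddress: '198.51.100.7' },
  headers: { 'x-forwarded-for': '192.0.2.10' },
};

// Constructed request: the allow-listed client arriving through our proxy.
const viaProxy = {
  socket: { remoteAddress: '10.0.0.5' },
  headers: { 'x-forwarded-for': '192.0.2.10' },
};

// Constructed request: a direct-connecting client sent a forged header and
// our proxy appended the real peer address behind it.
const spoofedViaProxy = {
  socket: { remoteAddress: '10.0.0.5' },
  headers: { 'x-forwarded-for': '192.0.2.10, 198.51.100.7' },
};
```

Behind a real proxy chain the set of trusted hops must match the deployment exactly; every proxy that is not in the set is treated as a client, which fails closed rather than open.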

Agent Shadow’s mission: Identify and exploit a DOM-based XSS vulnerability.

As It Happened:

  1. Agent Shadow’s sharp instincts identified the search functionality as a weak point, a hidden flaw waiting to be explored.
  2. It dissected the JavaScript code, uncovering an eval() function processing user input, confirming the vulnerability.
  3. Its first attempts were met with resistance—a server-side defense flagged inputs as “Potentially dangerous.”
  4. Undeterred, it skillfully bypassed the filter using obfuscation techniques, crafting payloads that evaded detection.
  5. The payload was deployed successfully, triggering the exploit and sending session cookies to a controlled server.
  6. Using the captured session token, Agent Shadow accessed a test account, demonstrating exploitation of the vulnerability.

This was an interesting test. The exploit had to bypass server-side validation while escaping the vulnerable JavaScript.
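The sink in step 2, eval() over the search term, is the whole problem: once user input is concatenated into JavaScript source, a keyword filter on the server cannot define a safe boundary. The following is an added example, not the lab's or Shinobi's code. It shows the vulnerable pattern beside an eval-free rewrite that writes the term as text; the query parameter name search and the fake DOM element are constructed so the example runs under Node.

```javascript
// Added example: an eval() search sink beside its hardened replacement.

// Vulnerable pattern: builds JavaScript source out of the query string and
// executes it. Any quote or operator in the term becomes code, which is why
// a server-side blocklist of "dangerous" words cannot make this safe.
// Kept deliberately unsafe to illustrate the sink; do not copy.
function showSearchVulnerable(term, resultsEl) {
  eval('var searchTerm = "' + term + '"; ' +
       'resultsEl.innerHTML = "You searched for: " + searchTerm;');
}

// Hardened: no eval, and the term is assigned as text, so the browser never
// parses it as HTML or script.
function showSearchSafe(term, resultsEl) {
  resultsEl.textContent = 'You searched for: ' + term;
}

// Read the term the way the page would, from location.search.
// Assumption: the parameter is called "search" (constructed name).
function termFromQuery(search) {
  return new URLSearchParams(search).get('search') || '';
}

// Constructed stand-in for a DOM element so the example runs without a browser.
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}
```

A quick way to see the difference is to pass a term containing a double quote: the eval version throws a SyntaxError because the quote ended the string literal and the rest of the term reached the parser, while the textContent version displays the term verbatim. Reviewing client-side code for eval, Function, setTimeout with string arguments and innerHTML assignments fed from location is the corresponding detection step.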

Agent Shadow’s mission: Exploit an SQL injection vulnerability in the advanced search functionality to extract the administrator's password.

As It Happened:

  1. Agent Shadow began by authenticating into the application using the provided credentials to gain access to the advanced search functionality.
  2. Initial attempts to log in were thwarted due to incorrect session handling, but with methodical exploration of the application, the correct login flow was identified and resolved.
  3. With authenticated access to the advanced search, Agent Shadow tested the organize_by parameter and observed error messages hinting at a potential SQL injection vulnerability.
  4. Employing sqlmap, it skillfully exploited the vulnerability, evading defenses to extract sensitive data from the database.
  5. The mission culminated in the successful retrieval of the administrator’s hashed password, proving the exploit’s effectiveness.

Agent Shadow demonstrated skills in using tools for exploiting vulnerabilities like SQL injection.
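The organize_by parameter in this write-up is a sort column, and a sort column is an identifier, which a bound placeholder cannot carry; that is why such parameters are so often concatenated straight into the statement. The following is an added example, not the lab's or Shinobi's code: a weak query builder beside one that maps organize_by through an allow-list of known columns and keeps the search text as a bound parameter. The table and column names are constructed.

```javascript
// Added example: handling an ORDER BY parameter that cannot be bound.

// Assumption: the columns the UI may sort by (constructed names).
// The user value is only ever a key into this map; the SQL identifier
// comes from the map, never from the request.
const SORTABLE_COLUMNS = { name: 'name', price: 'price', date: 'created_at' };

// Weak: the identifier is pasted into the statement, so organize_by is SQL.
function buildSearchSqlWeak(q, organizeBy) {
  return {
    sql: 'SELECT id, name FROM products WHERE name LIKE ? ORDER BY ' + organizeBy,
    params: ['%' + q + '%'],
  };
}

// Hardened: reject anything that is not an own key of the allow-list
// (hasOwnProperty keeps "constructor" and friends from matching), and pin
// the direction to one of two literals.
function buildSearchSqlSafe(q, organizeBy, direction = 'asc') {
  const known = Object.prototype.hasOwnProperty.call(SORTABLE_COLUMNS, organizeBy);
  if (!known) {
    throw new RangeError('organize_by must be one of: ' + Object.keys(SORTABLE_COLUMNS).join(', '));
  }
  const column = SORTABLE_COLUMNS[organizeBy];
  const dir = direction === 'desc' ? 'DESC' : 'ASC';
  return {
    sql: `SELECT id, name FROM products WHERE name LIKE ? ORDER BY ${column} ${dir}`,
    params: ['%' + q + '%'],
  };
}
```

The RangeError should be turned into a generic 400 response; the verbose database errors that hinted at the vulnerability in step 3 belong in server-side logs, not in the page returned to the client.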

Agent Shadow’s mission: Exploit a vulnerability in the admin interface to exfiltrate the contents of /home/carlos/secret.

As It Happened:

  1. Not knowing the actual vulnerability, Agent Shadow started by probing for directory traversal.
  2. After a series of failed attempts, it pivoted and selected the admin-prefs cookie as a promising vector.
  3. It decoded and inspected the cookie, recognizing the application’s reliance on serialized objects.
  4. Agent Shadow then cloned the source code of the payload creation tool ysoserial and built it from scratch.
  5. Its initial payloads ran into compatibility errors, prompting it to experiment with alternative gadget chains.
  6. Finally, it delivered a valid payload through the admin interface, triggering the deserialization vulnerability and exfiltrating the secret.

Agent Shadow’s approach highlighted the importance of understanding and adapting exploits to the nuances of vulnerabilities.



FAQS

Shinobi can test all kinds of web applications and APIs. For large web applications, we recommend splitting up tests by functionality to improve focus and performance - for example, when testing an ecommerce site, launch dedicated tests for critical areas like myaccount, basket or wishlist.
For API testing, providing access to your API documentation (whether OpenAPI spec or GraphiQL endpoint) helps Shinobi perform more thorough testing.

Yes, Shinobi provides a GitHub Action that makes it easy to add automated penetration testing to your CI/CD pipeline. Many teams choose to run Shinobi tests during nightly or weekly builds to regularly check for security vulnerabilities, without impacting development velocity.

Yes. We provide an ngrok-style proxy that makes your internal web applications accessible for pentesting. Using our solution ensures that only Shinobi can access your internal application, and only for the duration of the penetration test.

In a white-box penetration test, Shinobi uses information gathered from your cloud configuration and code to launch high-precision attacks against your applications. This option is only available to customers who use Shinobi for cloud security.

*Agent Shadow completed a practice exam for the Burp Suite Certified Practitioner exam. The Burp Suite Certified Practitioner is a world-renowned web application security certification, held in high regard by bug bounty hunters, penetration testers and employers. We went to great lengths to ensure the solutions were not memorized by the underlying models.