Tag

AI

A technical breakdown of CVE-2026-42208, a CVSS 9.3 critical unauthenticated SQL Injection vulnerability in the LiteLLM Proxy API. Improper parameterization of the Bearer token within raw SQL queries used for complex multi-table joins allows blind boolean-based timing attacks, enabling unauthenticated attackers to exfiltrate sensitive data including virtual API keys, user information, and LLM spend logs directly from the database.

Security

8 Open-Source AI Pentest Tools for Security Teams in 2026

This article lists eight (8) open-source AI pentest tools. It covers how autonomous agents are po...

Fri 30 January 2026

Security

AI Pentest Engine Discovers Critical WebSocket BFLA in GraphQL Subscriptions

Ostorlab's AI Pentest Engine systematically uncovered a critical Broken Function-Level Authorizat...

Fri 26 December 2025

Product

AI Pentest Upgrades, ServiceNow Integration, Redesigned Email Notifications, and Enhanced Platform Controls

This release delivers major advancements across the Ostorlab platform, including a significant up...

Wed 17 December 2025

Methodical analysis beats blind fuzzing as Ostorlab's AI engine discovers cross-version password reset weakness and achieves account takeover without email access.

Technical deep dive into the inner workings of Ostorlab's AI Pentest Engine, from threat intelligence, risk identification, and mobile support to vulnerability validation.

Latest posts

Going Beyond: Ostorlab AI Engine Discovers Unknown Vulnerability Classes

Ostorlab’s reasoning-driven AI engine breaks past rule-based limits to surface previously unknown and hard-to-detect vulnerabilities—including WebView Safe Browsing bypasses, SQLi via projections, WebCrypto key exfiltration, and JWT verification ordering flaws—delivering deeper, smarter, complementary security coverage.

Mon 13 October 2025

Automating Security Research: AI Engine Exploits Complex Blind Code Injection

Precision beats payload spray: Ostorlab's AI engine systematically lands RCE on Titiler and proves exfiltration without a single stack trace.

Thu 04 September 2025

AI-Powered Pentesting: A Deep Dive into Android Intent Redirection

This article showcases Ostorlab's AI Pentest Engine's process for analyzing an Android application for Intent Redirection vulnerabilities. Follow the engine's journey from static analysis and initial findings to rigorous dynamic validation, demonstrating its ability to not only identify potential threats but also to meticulously discard false positives.

Sun 31 August 2025

Automating Security Research: AI Engine Exploits GCP Service Account Secret

This article presents a thorough, hands-on analysis and real-world exploitation of a hardcoded GCP service account with overprivileged Pub/Sub access discovered in a HackerOne mobile app. It details how Ostorlab’s AI-powered pentesting engine automated the full cycle—from authentication and permission enumeration to end-to-end message injection/interception—enabling remediation within four days.

Thu 28 August 2025

Automating Security Research: AI Engine Exploits Report Portal XXE (CVE-2021-29620)

This article presents a thorough, hands-on analysis and proof of concept for exploiting an OOB XXE vulnerability CVE-2021-29620 in Report Portal. It details how Ostorlab's AI-powered pentesting engine was used to automate the full cycle.

Thu 07 August 2025

From Random to Intelligent: How AI-Powered Monkey Testing Achieves 10x Mobile App Coverage

Ostorlab’s AI Monkey Tester transforms mobile app security testing by using natural language prompts and generative AI to automatically generate intelligent, context-aware test scenarios, resulting in up to a 10x increase in application coverage compared to traditional, rule-based testing approaches.

Fri 01 August 2025

Automating Security Research: AI Engine Exploits Zulip Stored XSS (CVE-2025-52559)

This article presents a thorough, hands-on analysis and proof of concept for exploiting the stored XSS vulnerability CVE-2025-52559 in Zulip. It details how Ostorlab's AI-powered pentesting engine was used to automate the full cycle.

Mon 28 July 2025

Bypassing Obfuscation in Android Apps: A Dual Approach with DalvikFLIRT and LLM-Powered Rewrites

This research introduces a pioneering dual approach that combines signature-based matching (DalvikFLIRT) with LLM-powered code transformation to bypass sophisticated Android app obfuscation, enabling automated security analysis of previously impenetrable code.

Wed 16 April 2025

