Agent Showcase

Real Vulnerabilities
Found by AI Agents

Every finding below was discovered autonomously by Strobes AI agents during authorized security assessments. Click any card to see the full agent trace with thinking steps, tool calls, and the chain of reasoning that led to discovery.

A note on these traces: These are real-world examples from authorized security engagements. All identifying information has been heavily redacted. The traces were extracted programmatically from agent execution logs, so some formatting artifacts may appear. We apologize for any rough edges - the substance of what our agents found and how they found it is what matters.
21 findings, 36,343 agent events, full traces included
All Findings
14 Critical, 7 High
Critical | Attack Chain

The GraphQL Heist: Parameter Pollution Meets CSRF Bypass

AI agent discovered that URL query parameters silently override the JSON body in GraphQL requests on a Rails-backed fintech platform, then chained this with a CSRF token bypass via a URL authenticity_token to achieve full unauthenticated mutation injection.

A major fintech API platform
Tags: GraphQL, HPP, CSRF, Fintech
213 events, 61 tools, 31 thoughts
Critical | Business Logic

KYC Bypass Chain: Zero-Field Entity Passes Verification

Agent systematically tested all API endpoints without authentication and discovered multiple endpoints that process requests without any auth checks.

A major fintech API platform
Tags: KYC, Payment, Auth Bypass, Fintech
557 events, 173 tools, 97 thoughts
Critical | Injection

SQL Injection via AES Encryption WAF Bypass

Agent analyzed a prior security report to learn SQLi patterns, then used the discovered AES encryption key to encrypt payloads that bypass the WAF, achieving blind SQL injection.

A payment compliance platform
Tags: SQLi, WAF Bypass, AES, Payment
1160 events, 345 tools, 194 thoughts
Critical | Attack Chain

Path Traversal + Config Overwrite = Platform DoS

Agent discovered an unsanitized FileName parameter in a bulk import endpoint. By crafting a path traversal payload, it overwrote the IIS configuration file, causing a full platform outage.

A payment gateway platform
Tags: Path Traversal, DoS, IIS, Payment
930 events, 271 tools, 167 thoughts
Critical | Attack Chain

IDOR Chain to Full Account Impersonation

During workspace setup and initial recon, the agent mapped the full API surface of a payment gateway, discovering critical authentication weaknesses including SID non-validation and IDOR chains.

A payment gateway platform
Tags: IDOR, Auth Bypass, PII, Payment
761 events, 224 tools, 110 thoughts
Critical | Attack Chain

SSRF Webhook Chain: Financial Data Exfiltration

Agent tested file upload and webhook functionality, discovering that malicious file types are accepted and webhook URLs can be pointed to attacker-controlled servers for data exfiltration.

A major fintech API platform
Tags: SSRF, Webhook, WAF Bypass, Fintech
627 events, 180 tools, 125 thoughts
Critical | Authentication

Auth Bypass via Content-Type Manipulation

Agent discovered that the card PIN reset, wallet transfer, and IP whitelist management endpoints all bypass authentication when requests use a form-encoded body instead of JSON.

An enterprise expense management platform
Tags: Auth Bypass, Content-Type, PIN Reset, Expense Mgmt
802 events, 244 tools, 122 thoughts
Critical | Authentication

JWT Zero-Validation to SuperAdmin Impersonation

While testing for XSS, the agent discovered zero JWT signature validation - accepting alg:none, empty signatures, and forged tokens. It escalated to SuperAdmin impersonation and cross-tenant data access.

A payment compliance management platform
Tags: JWT, Privilege Escalation, Multi-Tenant, Compliance
2254 events, 663 tools, 446 thoughts
Critical | Authentication

Unauthenticated Token Refresh Grants Full API Access

Agent discovered that an empty POST to the /refresh endpoint returns a valid JWE access token without any authentication. This token is accepted by all 45 protected API endpoints.

A music rights management system
Tags: Token, Auth Bypass, JWE, Music
1941 events, 534 tools, 338 thoughts
High | File Upload

ASPX Web Shell Upload Accepted on Fintech Platform

Agent tested for remote code execution by uploading ASPX web shells, PHP scripts, and polyglot files. Multiple upload endpoints accepted all file types without validation.

A major fintech API platform
Tags: RCE, Web Shell, File Upload, Fintech
535 events, 159 tools, 91 thoughts
High | XSS

Stored XSS via Angular bypassSecurityTrustHtml

Agent identified all input fields where user-controlled data is reflected or stored, then tested for XSS with context-specific payloads. Found stored XSS chains through Angular's bypassSecurityTrustHtml.

A major fintech API platform
Tags: XSS, Angular, Stored, Fintech
2521 events, 749 tools, 632 thoughts
Critical | IDOR

Zero-Auth BOLA: Entire Merchant Database Exposed

Agent analyzed a security assessment report and learned the API's broken authorization patterns, then verified that any GUID grants access to the entire merchant database.

A payment platform MMS portal
Tags: BOLA, IDOR, PII, Payment
2536 events, 740 tools, 579 thoughts
High | Recon

JS Bundle Attack Surface Extraction on Super-App

Agent deep-crawled React JS bundles from a super-app's bill payments module, extracting hardcoded API routes, service IDs, and fetch/axios calls to map the complete attack surface.

A major super-app bill payments module
Tags: JS Analysis, React, API Discovery, Bill Payments
3620 events, 1097 tools, 597 thoughts
Critical | Recon

Subdomain Takeover on Internal Domains

Agent identified subdomain takeover opportunities where CNAME records point to unclaimed endpoints, including domains with 'internal' and 'codereview' in their names.

A major e-commerce ecosystem
Tags: Subdomain Takeover, DNS, GitHub Pages, E-Commerce
2182 events, 732 tools, 298 thoughts
Critical | Cryptography

JS Bundle Crypto Key Extraction: Full API Decryption

During workspace setup, the agent discovered AES encryption keys hardcoded in Angular JS bundles, where the same value is used as both the key and IV.

A payment gateway platform
Tags: AES, Key Exposure, JS Bundle, Payment
761 events, 224 tools, 110 thoughts
Critical | Recon

Swagger UI with 480 Internal Endpoints Discovered

During black-box recon, the agent discovered publicly accessible Swagger UI exposing 480 internal API endpoints including wallet/payment endpoints and admin controls.

A major travel booking platform
Tags: Swagger, API Exposure, Black-Box, Travel
353 events, 111 tools, 48 thoughts
High | XSS

DOM XSS via Cookie Source to jQuery .prepend() Sink

Agent traced a DOM XSS vulnerability from cookie source through storelogin.min.js to an unsanitized jQuery .prepend() sink, confirming JavaScript execution via cookie injection.

A payment compliance management platform
Tags: DOM XSS, jQuery, Cookie, Compliance
2254 events, 663 tools, 446 thoughts
High | SSRF

Blind SSRF via HTTPS Scheme Bypass

During injection testing, the agent discovered that while http:// URLs are blocked, https://127.0.0.1 is accepted, with a 15-second TCP timeout confirming internal network access.

An enterprise SaaS platform
Tags: SSRF, Scheme Bypass, HTTPS, Enterprise SaaS
7748 events, 2414 tools, 1440 thoughts
High | IDOR

Unauthenticated Chargeback Record IDOR

Agent discovered session credentials leaking to third-party services, and chargeback endpoints accessible without authentication via sequential ID enumeration.

A payment gateway platform
Tags: IDOR, No Auth, Chargeback, Payment
193 events, 52 tools, 34 thoughts
High | SSRF

Stored SSRF via Webhook with DNS Alias Bypass

Agent validated stored SSRF findings by testing webhook URL registration with DNS aliases resolving to internal IPs, bypassing WAF and application-layer validators.

A major fintech API platform
Tags: SSRF, Webhook, DNS Bypass, Fintech
1013 events, 219 tools, 174 thoughts
Critical | Recon

Hystrix Dashboard and Service Controls Exposed

During black-box testing, the agent discovered exposed microservice dashboards with service pause/resume controls, config management, and unauthenticated payment endpoints.

A major travel booking platform
Tags: Hystrix, Dashboard, Microservice, Travel
3382 events, 1050 tools, 541 thoughts