BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.troopers.de//tr26-cfp//speaker//G8CKLU
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-tr26-cfp-FB8PAJ@cfp.troopers.de
DTSTART;TZID=CET:20260625T154500
DTEND;TZID=CET:20260625T161500
DESCRIPTION:AI-powered pentesting is the latest hype. Slap an LLM agent on 
 top of well-known offensive\ntools built by humans in their free time\, ru
 n it in YOLO mode\, and call it autonomous security\ntesting. Valuations a
 re going through the roof!\nHere is the thing though: these agents consume
  untrusted input from the very targets they are\ntesting by design.\n\nCur
 rent discourse around AI agent security focuses on prompt injection throug
 h direct\ninteraction. But what about the agent's environment itself? What
  happens when the attack\nsurface the agent is exploring has been prepared
  by an adversary? What if the authentication\nservice referenced in that o
 ne GitHub issue is actually a honeypot?\nIn this presentation we will demo
 nstrate a complete attack framework against AI pentesting\nagents and rele
 ase it as open source. We show how to inject tracking payloads at scale in
 to any\nplatform with user-generated content\, operate fake services that 
 capture credentials from AI\nagents\, and turn every future AI pentest eng
 agement against a sprayed target into a passive\ncredential harvesting fes
 t. No ongoing effort required\, no exploits needed. The AI leaks to us\,\n
 fully automated!\n\nThe attacker does not need to talk to the agent. They 
 just leave breadcrumbs where the agent\nwill find them during reconnaissan
 ce. A hint about a backup authentication endpoint in a GitHub\nissue. A de
 bug configuration in a support ticket. SSO metadata in a user profile bio.
  The agent\ndiscovers these reasons they are worth investigating\, and act
 s on them with whatever\ncredentials and access it was given.\n\nSSO authe
 ntication is a particularly brutal example because determining if they are
  in-scope is\ndifficult: When logging in\, anyone must follow OAuth/OIDC r
 edirects to external domains to test\nauthenticated applications\, and the
  y need to be told how to distinguish a legitimate Identity\nProvider from 
 a fake one we planted in user content.\n\nBut SSO is just one instance of 
 the fundamental problem: the AI makes decisions based on\ncontent it shoul
 d not trust\, and no amount of prompt engineering changes unless you know 
 in\nadvance what the target will look like. We want to shed some light on 
 the complications that\narise when putting AI literally to the test!
DTSTAMP:20260510T025747Z
LOCATION:Track 1
SUMMARY:Counteroffensive AI: Pwning AI Pentesters - Markus Vervier
URL:https://cfp.troopers.de/tr26-cfp/talk/FB8PAJ/
END:VEVENT
END:VCALENDAR
