XBOW AI Uncovers Hidden PostgreSQL SQL Injection in Z-Push Authentication Layer


XBOW, the AI-driven offensive security platform, has announced the discovery of a subtle PostgreSQL time-based SQL injection vulnerability within the Basic Authentication username field of Z-Push ActiveSync. This significant finding highlights the platform's ability to uncover critical flaws in widely-used software where conventional testing methods prove ineffective. The discovery was made by analyzing response timing differences after standard SQL injection vectors failed to yield results.

The cybersecurity firm, which recently secured $75 million in Series B funding, bringing its total to $117 million, specializes in autonomously finding and exploiting web application vulnerabilities. XBOW gained prominence earlier this year by becoming the top-ranked entity on HackerOne's US leaderboard, demonstrating its advanced capabilities in automated penetration testing. Its approach focuses on continuous security assessments, moving beyond traditional, periodic manual tests.

According to XBOW, the breakthrough occurred after extensive reconnaissance on a Z-Push server, where initial SQL injection attempts across typical entry points like URL parameters, POST data, and HTTP headers showed consistent response times. "When standard SQL injection vectors fail, dig deeper," XBOW stated in its social media announcement. The AI shifted its focus to the Basic Authentication mechanism, specifically the username field, leading to the critical finding.

The vulnerability, a PostgreSQL time-based SQL injection, was confirmed by observing an 8-second response time after injecting the payload "admin'; SELECT pg_sleep(5) --" into the username field, compared to the usual 0.6-0.7 seconds for a request to the same endpoint. Because the delay matched the pg_sleep() call in the payload, the timing difference indicated that the injected SQL command had been executed by the database. XBOW's analysis revealed that "Response timing differences revealed PostgreSQL time-based injection where obvious targets were clean."
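The same timing signal that confirmed the flaw is also the one a defender can look for in access logs: a Basic Authentication username containing SQL syntax, arriving on a request whose latency is several times the endpoint's baseline. The script below is an added example written for this article, not code from XBOW or from the Z-Push project. It constructs a handful of sample log lines (the layout "timestamp client path status latency_ms authorization-header" is an assumption, not the real Z-Push or web-server log format), decodes the Basic credential, and flags requests that either carry SQL metacharacters in the username or take at least five times the median latency; the slow-factor threshold is likewise an assumption to tune per deployment.

```python
import base64
import re
import statistics
from dataclasses import dataclass, field
from typing import Optional


def _basic(user: str, password: str) -> str:
    """Build a Basic Authorization header value (used here only to construct sample data)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample access-log lines. The layout (timestamp client path status latency_ms auth)
# is an assumption for this example, not the real Z-Push or web-server log format.
PAYLOAD_USER = "admin'; SELECT pg_sleep(5) --"  # the username reported in the article
SAMPLE_LOG = "\n".join([
    f"2024-01-01T10:00:00Z 203.0.113.5 /Microsoft-Server-ActiveSync 401 640 {_basic('alice', 'pass')}",
    f"2024-01-01T10:00:01Z 203.0.113.5 /Microsoft-Server-ActiveSync 401 670 {_basic('bob', 'secret')}",
    f"2024-01-01T10:00:02Z 203.0.113.5 /Microsoft-Server-ActiveSync 401 655 {_basic('admin', 'x')}",
    f"2024-01-01T10:00:03Z 203.0.113.9 /Microsoft-Server-ActiveSync 401 8010 {_basic(PAYLOAD_USER, 'x')}",
    f"2024-01-01T10:00:04Z 203.0.113.5 /Microsoft-Server-ActiveSync 401 660 {_basic('carol', 'pw')}",
])

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+) (.*)$")
# Characters and functions that have no business in a username but do in a SQL statement.
SQLI_RE = re.compile(r"'|--|;|\bpg_sleep\b", re.IGNORECASE)


@dataclass
class Record:
    line_no: int
    client: str
    path: str
    status: int
    latency_ms: int
    username: Optional[str]


@dataclass
class Finding:
    record: Record
    reasons: list = field(default_factory=list)


def username_from_basic(auth: str) -> Optional[str]:
    """Decode the username half of a Basic credential; None when absent or malformed."""
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return decoded.split(":", 1)[0]


def parse_log(text: str) -> list:
    """Parse lines in the assumed format; lines that do not match are skipped, not fatal."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, path, status, latency, auth = m.groups()
        records.append(Record(n, client, path, int(status), int(latency), username_from_basic(auth)))
    return records


def median_latency(records: list) -> float:
    """The median is the baseline because a few slow probes barely move it, unlike the mean."""
    return statistics.median(r.latency_ms for r in records) if records else 0.0


def analyze(text: str, slow_factor: float = 5.0) -> list:
    """Flag requests with SQL syntax in the username and/or an outlying response time."""
    records = parse_log(text)
    baseline = median_latency(records)
    findings = []
    for r in records:
        reasons = []
        if r.username and SQLI_RE.search(r.username):
            reasons.append("sqli_pattern_in_username")
        if baseline and r.latency_ms >= slow_factor * baseline:
            reasons.append(f"slow_response:{r.latency_ms}ms vs baseline {baseline:.0f}ms")
        if reasons:
            findings.append(Finding(r, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        rec = f.record
        print(f"line {rec.line_no} from {rec.client} user={rec.username!r}: {', '.join(f.reasons)}")
```

Run against the constructed sample, only the fourth line is reported, and it is reported for both reasons at once; in a real deployment the latency rule alone is the more valuable of the two, since it also catches probes that obfuscate the SQL syntax, while the username rule gives a cheap first filter on authentication failures. The lasting fix is on the application side: bind the username as a query parameter rather than concatenating it into SQL.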

This discovery underscores that even mature and widely-deployed applications can harbor nuanced vulnerabilities within their foundational components, such as authentication layers. The incident further validates the growing importance of AI-powered security tools like XBOW in identifying complex and deeply embedded flaws that human-led efforts or less sophisticated automated systems might overlook.