Live Webinar

Tales from the Trace: Finding IDORs with Agentic Reasoning

Join XBOW’s Offensive Security Engineers for a deep, trace-level walkthrough of how real Insecure Direct Object References (IDORs) are discovered and exploited in practice, using two 0-day vulnerabilities found in the Spree eCommerce framework.

We’ll show how XBOW’s IDOR module reasons about authorization boundaries where traditional scanners stop at linear checks and error responses.

Date: Thursday, February 12, 2026

Time: 9am PT / 12pm ET / 6pm CET

Tune in live and see:

Two real Spree zero-day IDORs: unauthenticated and cross-cart billing/shipping address access, walked through trace by trace.

Why scanners fail at IDORs: linear ID probing and response diffing break as soon as authorization logic and state come into play.

How XBOW finds them instead: agentic reasoning over objects, roles, and auth states, with access to real data.


Meet our Speakers

Fernando Diaz

Offensive Security Engineer

Adrian Losada Pita

Offensive Security Engineer

Leo Golovyrin
Application Security Lead of Seznam.cz

"Even right now after 1 year, I don’t know any other company that is at least close to XBOW in terms of agentic pentesting."