Introduction
We express our gratitude to the Agent-X team for the collaborative engagement that enabled the execution of this Pentest.
| Document | |
|---|---|
| Name | Pentest and Security Analysis Report for Agent-X |
| Audited By | Abdelfattah Ibrahim |
| Approved By | Ece Orsel |
| Website | https://agentx-antidetect.com/ |
| Changelog | 05/02/2026 - Preliminary Report; 02/03/2026 - Final Report |
| Platform | Desktop |
| Tags | Pentest, Black-box |
| Methodology | https://docs.hacken.io/methodologies/pentesting |
| Review Scope | |
|---|---|
| Desktop App | Shared Privately |
| Version | 0.3.7 |
| Final Version | 0.3.15 |
Audit Summary
The system users should acknowledge all the risks summed up in the risks section of the report.
System Overview
The Agent X Antidetect desktop application is a multi-profile browser environment that enables users to create and operate isolated browser instances on a single system. Each browser profile maintains separate storage contexts, including cookies, cache, and local storage, and exposes configurable browser and device attributes such as user agent values, WebRTC behavior, and other fingerprint-related parameters. The application is commonly used to manage multiple accounts on social media and other web-based platforms by preventing session and identity overlap between profiles. It provides controls for generating, editing, and launching profiles, supports routing traffic for each profile through user-defined proxy configurations, and allows multiple profiles to run concurrently. Review of outbound communications identified no insecure transmission of user-generated or sensitive data. The software uses a Chromium-based browser engine to apply profile-specific configurations to browser APIs, client-side storage, and network requests.
Findings
| Code | Title | Status | Severity |
|---|---|---|---|
| F-2026-1490 | Authentication Bypass via Unverified Passcode Reset in Desktop Application | fixed | High |
| F-2026-1595 | [DualDefense] XSS in IMAP Email Rendering | fixed | High |
| F-2026-1492 | OTP Bypass via Brute-Force Attack | fixed | Medium |
| F-2026-1489 | Plaintext Credentials Exposed via Application Memory Dump | fixed | Medium |
| F-2026-1489 | Plaintext Credentials Exposed via Application Memory Dump | fixed | Medium |
| F-2026-1488 | Unauthorized Access to Admin UI Through Client-Side Authorization Manipulation | fixed | Medium |
| F-2026-1595 | [DualDefense] Chrome Web Store URL Fragment Path Traversal | unfixed | Medium |
| F-2026-1493 | Missing Secure Cookie Attributes Increase Risk of Client-Side Attacks | fixed | Observation |
| F-2026-1493 | Non-Exploitable CORS Misconfiguration with Potential Future Impact | fixed | Observation |
| F-2026-1493 | Insecure JWT Signing Algorithm | fixed | Observation |
Appendix 1. Severity Definitions
Findings are categorized based on their potential impact and assigned a severity level using the Common Vulnerability Scoring System (CVSS) version 4.0:
| Severity | Description |
|---|---|
| Critical | These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm. |
| High | These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach. |
| Medium | These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention. |
| Low | These issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation. |
Appendix 2. Scope
The scope of the project includes the following:
| Scope Details | |
|---|---|
| Desktop App | Shared Privately |
| Version | 0.3.7 |
| Final Version | 0.3.15 |
Assets in Scope
Appendix 3. Additional Valuables
Frameworks and Methodologies
This security assessment was conducted in alignment with recognised penetration testing standards, methodologies and guidelines, including the NIST SP 800-115 – Technical Guide to Information Security Testing and Assessment, the Penetration Testing Execution Standard (PTES), and the OWASP Testing Guide. These assets provide a structured foundation for planning, executing, and documenting technical evaluations such as vulnerability assessments, exploitation activities, and security code reviews. Hacken’s internal penetration testing methodology extends these principles to Web2 and Web3 environments to ensure consistency, repeatability, and verifiable outcomes.