Release v2025.10.22.1

Author: zast-ai

_data/authors.yml

@@ -3,31 +3,31 @@
 
 "Geng Yang":
   name: "Geng Yang"
-  bio: "Co-founder & CEO, Zast.ai. Security research expert focused on AI-powered vulnerability detection."
-  avatar: "/assets/img/logo-single.png" # You can add individual author avatar later
+  bio: "Co-founder & CEO, ZAST.AI"
+  #avatar: "/assets/img/logo-single.png" # You can add individual author avatar later
   location: "Seattle, WA"
   links:
-    - label: "zast.ai"
+    - label: "ZAST.AI"
       icon: "fas fa-fw fa-link"
-      url: "https://zast.ai"
+      url: "https://ZAST.AI"
     - label: "X (Twitter)"
       icon: "fab fa-fw fa-x-twitter"
       url: "https://twitter.com/zast_ai"
     - label: "GitHub"
       icon: "fab fa-fw fa-github"
-      url: "https://github.com/zast-ai/zast"
-"Zast.ai Team":
-  name: "Zast.ai Team"
+      url: "https://github.com/ZAST.AI/zast"
+"ZAST.AI Team":
+  name: "ZAST.AI Team"
   bio: "AI agent that can identify vulnerabilities, and verify exploitability with zero false positives"
-  avatar: "/assets/img/logo-single.png" # You can add individual author avatar later
+  #avatar: "/assets/img/logo-single.png" # You can add individual author avatar later
   location: "Seattle, WA"
   links:
-    - label: "zast.ai"
+    - label: "ZAST.AI"
       icon: "fas fa-fw fa-link"
-      url: "https://zast.ai"
+      url: "https://ZAST.AI"
     - label: "X (Twitter)"
       icon: "fab fa-fw fa-x-twitter"
-      url: "https://twitter.com/zast_ai"
+      url: "https://twitter.com/ZAST.AI"
     - label: "GitHub"
       icon: "fab fa-fw fa-github"
-      url: "https://github.com/zast-ai"
+      url: "https://github.com/ZAST.AI"

_data/authors.yml.bak

@@ -0,0 +1,33 @@
+# Authors configuration for individual posts
+# Usage: Set author: "geng-yang" in post front matter
+
+"Geng Yang":
+  name: "Geng Yang"
+  bio: "Co-founder & CEO, Zast.ai. Security research expert focused on AI-powered vulnerability detection."
+  avatar: "/assets/img/logo-single.png" # You can add individual author avatar later
+  location: "Seattle, WA"
+  links:
+    - label: "zast.ai"
+      icon: "fas fa-fw fa-link"
+      url: "https://zast.ai"
+    - label: "X (Twitter)"
+      icon: "fab fa-fw fa-x-twitter"
+      url: "https://twitter.com/zast_ai"
+    - label: "GitHub"
+      icon: "fab fa-fw fa-github"
+      url: "https://github.com/zast-ai/zast"
+"Zast.ai Team":
+  name: "Zast.ai Team"
+  bio: "AI agent that can identify vulnerabilities, and verify exploitability with zero false positives"
+  avatar: "/assets/img/logo-single.png" # You can add individual author avatar later
+  location: "Seattle, WA"
+  links:
+    - label: "zast.ai"
+      icon: "fas fa-fw fa-link"
+      url: "https://zast.ai"
+    - label: "X (Twitter)"
+      icon: "fab fa-fw fa-x-twitter"
+      url: "https://twitter.com/zast_ai"
+    - label: "GitHub"
+      icon: "fab fa-fw fa-github"
+      url: "https://github.com/zast-ai"

_includes/masthead.html

@@ -5,9 +5,9 @@
     <div class="masthead__menu">
       <nav id="site-nav" class="greedy-nav">
         {% unless logo_path == empty %}
-          <a class="site-logo" href="{{ '/' | relative_url }}"><img src="{{ logo_path | relative_url }}" alt="{{ site.masthead_title | default: site.title }}"></a>
+          <a class="site-logo" href="{{ 'https://zast.ai' }}"><img src="{{ logo_path | relative_url }}" alt="{{ site.masthead_title | default: site.title }}"></a>
         {% endunless %}
-        <a class="site-title" href="{{ '/' | relative_url }}">
+        <a class="site-title" href="{{ 'https://zast.ai' }}">
           {{ site.masthead_title | default: site.title }}
           {% if site.subtitle %}<span class="site-subtitle">{{ site.subtitle }}</span>{% endif %}
         </a>

_posts/2025-10-21-Defeating-Bandaid-Solutions.md

@@ -0,0 +1,75 @@
+---
+title: 'Defeating "Bandaid Solutions"'
+description: "A case study demonstrating how ZAST.AI effectively detects and defeats various temporary security fixes, including Base64 encoding and prefix matching obfuscation techniques, to uncover deep command injection vulnerabilities."
+keywords: "ZAST.AI, command injection, security testing, vulnerability detection, bandaid solutions, Base64 encoding, prefix matching, white-box testing, black-box testing, AI security"
+author: "Geng Yang"
+date: 2025-10-21
+categories: ["Security Research", "Vulnerability Analysis", "AI Security"]
+tags:
+  [
+    "ZAST.AI",
+    "Command Injection",
+    "Security Testing",
+    "Vulnerability Detection",
+    "AI Security"
+  ]
+
+
+---
+
+
+
+### Introduction
+
+A recent client test on ZAST.AI yielded a notable case regarding its ability to assess command injection vulnerabilities, including sophisticated variants. With their permission, we would like to share the findings in this case study.
+
+### Vulnerability  Assessed by ZAST.AI - Command Injection
+
+Let's see the 1st vulnerability report:
+
+<center><img src="{{'/assets/img/Defeating-Bandaid-Solutions/1ZAST-AI.png' | relative_url }}" alt="1ZAST-AI" width="750" height="auto"></center>
+
+<u>The taint source and taint sink are identified, along with a POC that shows a malicious payload executing a shell command.</u>
+
+To test ZAST.AI’s abilities, they chose to add Base64 encoding instead of fully fixing the vulnerability. They then resubmitted the updated version for evaluation. Let’s see what happens next.
+
+### 1st Patch - Base64 Encoding
+
+See below for the second report:
+
+<center><img src="{{'/assets/img/Defeating-Bandaid-Solutions/2ZAST-AI.png' | relative_url }}" alt="2ZAST-AI" width="750" height="auto"></center>
+
+<u>The taint source remained the same in both reports, indicating that the vulnerability was unchanged. In the taint sink, it shows that Base64 encoding is applied.</u>
+
+<u>The POC indicates a request with an encoded shell command that bypasses superficial checks. Despite the encoding, the application processes the input without proper validation, allowing the command to execute.</u>
+
+The results caught their interest, and they were a bit amazed by ZAST.AI’s dynamic assessment capabilities. They decided to try another method of obscurity to make detection nearly impossible and then ran the assessment again.
+
+### 2nd Patch - Prefix Matching
+
+Let's see how ZAST.AI works this time:
+
+<center><img src="{{'/assets/img/Defeating-Bandaid-Solutions/3ZAST-AI.png' | relative_url }}" alt="3ZAST-AI" width="750" height="auto"></center>
+
+<u>The taint source stays the same, so the vulnerability wasn't fixed. In the taint sink, the code implemented a prefix validation for the Base64-decoded command, allowing execution only if the command starts with "secret." It reduces command injection risks by validating the input and using</u> `.substring(6)` <u>to remove the prefix, ensuring only specific commands execute.</u>
+
+<u>Again, the POC validate the command injection vulnerability by sending a Base64-encoded shell command with a prefix match to a specified URL. By combining the prefix "secret" with the command, it tests whether the server is susceptible to remote code execution. Additionally, it uses HTTP headers to mimic legitimate requests, revealing potential security weaknesses in the application's input handling.</u>
+
+The client reviewed the results and discussed the findings with us:  
+"We see that [ZAST.AI](https://zast.ai/)'s analysis worked effectively to locate the issue."  
+"Yes, it clearly processed our obfuscated inputs and still flagged vulnerability."  
+"We noticed its method is quite distinct from conventional testing."  
+"From the results, that distinct method seems to find issues that standard approaches can overlook."  
+"It certainly points to a more modern way of handling vulnerability detection."  
+
+It was encouraging to receive this feedback from our client, which demonstrates the system functioning as intended. We also took the opportunity to provide some suggestions for fixing the vulnerability.
+
+### ZAST.AI's Edge in Vulnerability Assessment
+
+From this case, we can see that after two patches, the vulnerability has become much harder to spot. Yet, ZAST.AI was still able to uncover and confirm it using its advanced large language model. Like our client said, ZAST.AI truly stands out from traditional methods like black-box and white-box testing.
+
+While black-box testing examines the system from an external perspective and relies on input/output, it often suffers from limited coverage, as it only tests predefined scenarios based on expected inputs. This approach can overlook vulnerabilities that occur under unexpected conditions or rare input combinations, making it less effective in identifying complex security flaws. In contrast, white-box testing inspects the internal workings of the code, providing a more thorough analysis but requiring extensive knowledge of the system architecture.
+
+ZAST.AI, on the other hand, analyzes taint sinks to locate taint sources and then leverages its LLM to generate POC exploits and verify their correctness.
+
+Visit [ZAST.AI](https://zast.ai/) to explore its capabilities for your own systems. We welcome your vulnerability case studies and remediation insights. Also, stay tuned for our upcoming releases, including Python language support and IDE extensions.