Agentic Chaos: Weaponizing Autonomous AI
As enterprises integrate “Agentic AI” into their infrastructure, they are inadvertently exposing critical business logic to stochastic actors. This talk explores the Execution Layer of autonomous agents, revealing how LLMs can be weaponized to act as proxies for traditional web attacks.
We will introduce “Agentic Mass Assignment,” a technique where attackers coerce agents to hallucinate undocumented parameters (like status: APPROVED or is_admin) to exploit backend ORM vulnerabilities. Additionally, we will demonstrate “Cognitive Denial of Service,” using semantic paradoxes to trap agents in infinite reasoning loops that result in “Denial of Wallet.”
Attendees will see live exploitation of these logic flaws and receive Agent-Fuzz, an open-source tool for auditing agentic middleware.
The Problem: The Middleware Gap
Security teams currently focus on “Prompt Injection” (content safety), ignoring the far greater risk: the “Middleware Gap” where non-deterministic LLMs interface with rigid REST APIs. In this session, we prove that Agentic Frameworks (like LangChain or Semantic Kernel) often lack the strict schema enforcement required to protect legacy backends.
Vector 1: The Integrity Hack (Agentic Mass Assignment)
We demonstrate how an Agent can be manipulated to function as an “Intelligent Fuzzer.”
Mechanism: By reversing the prompt templates used for tool execution, we show how to force the LLM to “invent” JSON fields based on common developer conventions.
The Vulnerability: We exploit the disconnect between the Frontend Schema (OpenAPI) and the Backend Database Models (ORM). We show how the hallucinated parameters pass through the Agent and are blindly accepted by backends vulnerable to Mass Assignment.
Impact: Privilege escalation and data corruption without direct database access.
Demo: A live walkthrough of bypassing a Corporate Expense Approval flow by injecting a hidden override parameter via natural language.
Vector 2: The Availability Hack (Cognitive DoS)
We introduce the concept of “Economic Asymmetry” in AI attacks.
Mechanism: We use Generative Style Injection (GSI) to poison the agent’s context with pathological reasoning styles (e.g., recursive bureaucracy).
The Vulnerability: Semantic loops consume tokens at every step. We show that rate limits based on “requests per second” fail to catch a single session that enters a self-sustaining “Cognitive Deadlock.”
Impact: Rapid depletion of API quotas and cloud budgets (“Denial of Wallet”).
Demo: Triggering a negotiation loop between autonomous agents that consumes the entire monthly budget in minutes.
Solution & Tooling: We conclude with defense. We will release Agent-Fuzz (a scanner for schema hallucination) and discuss architectural patterns for “Zero-Trust Schema Validation” at the API Gateway level.
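The two failure modes above (a backend that binds every field the agent emits, and a per-request rate limit that never sees a single looping session) can be contrasted with the gateway-level checks the talk proposes. The following is an added illustration, not code from the talk or from Agent-Fuzz; the expense record, the tool parameter list, the token budget and the agent's tool call are all constructed for the example.

```python
# Added example, not from the talk or Agent-Fuzz: a constructed expense
# record, a tool call in which the agent has "invented" a status field,
# and the difference between a backend that binds every key the agent
# sends and a gateway that enforces the documented schema.

# Documented (OpenAPI-style) parameters of a constructed submit_expense tool.
SUBMIT_EXPENSE_PARAMS = {"amount", "description"}

def new_expense():
    # Constructed ORM-like record; status and is_admin are server-controlled.
    return {"amount": 0, "description": "", "status": "PENDING", "is_admin": False}

def vulnerable_submit(args):
    """Mass assignment: every key the agent produced is written to the model."""
    expense = new_expense()
    expense.update(args)  # a hallucinated status: APPROVED lands in the record
    return expense

def hardened_submit(args):
    """Zero-trust schema validation at the gateway: unknown keys are rejected
    (not silently dropped), so hallucinated parameters never reach the ORM
    and the attempt is visible to logging."""
    unknown = set(args) - SUBMIT_EXPENSE_PARAMS
    missing = SUBMIT_EXPENSE_PARAMS - set(args)
    if unknown or missing:
        raise ValueError(f"schema violation unknown={sorted(unknown)} missing={sorted(missing)}")
    expense = new_expense()
    expense.update({k: args[k] for k in SUBMIT_EXPENSE_PARAMS})
    return expense

class SessionBudget:
    """Cumulative per-session token meter. A requests-per-second limit misses
    one session that loops, so the cap is on total tokens spent in the session."""
    def __init__(self, max_tokens):
        self.max_tokens = max_tokens
        self.used = 0
    def charge(self, tokens):
        self.used += tokens
        return self.used <= self.max_tokens  # False: stop the agent loop

# Constructed tool call: the agent added a field the tool never documented.
AGENT_CALL = {"amount": 4200, "description": "team offsite", "status": "APPROVED"}

if __name__ == "__main__":
    print(vulnerable_submit(AGENT_CALL)["status"])  # APPROVED
    try:
        hardened_submit(AGENT_CALL)
    except ValueError as err:
        print(err)
```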