PentesterLab
@pentesterlab.com
We make learning web hacking and security easier. Online systems, code review, videos & courses that can be used to understand, test and exploit bugs!
Reposted by PentesterLab
November 7, 2025 at 11:39 PM
Research to read this week: Android, Django, MCP…
🤖 knifecoat.com/Posts/Runtim...
🐍 www.endorlabs.com/learn/critic...
🌽 googleprojectzero.blogspot.com/2025/11/defe...
🤖 medium.com/@kulkan-secu...
🧑🏻💻 words.filippo.io/claude-debug...
#PentesterLabWeekly
🤖 knifecoat.com/Posts/Runtim...
🐍 www.endorlabs.com/learn/critic...
🌽 googleprojectzero.blogspot.com/2025/11/defe...
🤖 medium.com/@kulkan-secu...
🧑🏻💻 words.filippo.io/claude-debug...
#PentesterLabWeekly
Runtime Android Object Instrumentation - KnifeCoat
Intro This year I have been doing quite a bit Android userland analysis. Android is a wonderful platform to work on, great decompiler support (JEB), easy access to rooted devices (unless you buy NA l…
knifecoat.com
November 9, 2025 at 11:37 PM
Research to read this week: Android, Django, MCP…
🤖 knifecoat.com/Posts/Runtim...
🐍 www.endorlabs.com/learn/critic...
🌽 googleprojectzero.blogspot.com/2025/11/defe...
🤖 medium.com/@kulkan-secu...
🧑🏻💻 words.filippo.io/claude-debug...
#PentesterLabWeekly
🤖 knifecoat.com/Posts/Runtim...
🐍 www.endorlabs.com/learn/critic...
🌽 googleprojectzero.blogspot.com/2025/11/defe...
🤖 medium.com/@kulkan-secu...
🧑🏻💻 words.filippo.io/claude-debug...
#PentesterLabWeekly
Reposted by PentesterLab
Don't just look at bad code
Know what good looks like!
@pentesterlab.com
#Kawaiicon @kawaiicon.bsky.social
Know what good looks like!
@pentesterlab.com
#Kawaiicon @kawaiicon.bsky.social
November 7, 2025 at 11:40 PM
Don't just look at bad code
Know what good looks like!
@pentesterlab.com
#Kawaiicon @kawaiicon.bsky.social
Know what good looks like!
@pentesterlab.com
#Kawaiicon @kawaiicon.bsky.social
Articles worth reading discovered last week: Passports, WIFI and AI-SAST!
🛂 blog.trailofbits.com/2025/10/31/t...
🛜 pulsesecurity.co.nz/articles/byp...
🧠 parsiya.net/blog/wtf-is-...
🛂 blog.trailofbits.com/2025/10/31/t...
🛜 pulsesecurity.co.nz/articles/byp...
🧠 parsiya.net/blog/wtf-is-...
The cryptography behind electronic passports
This blog post describes how electronic passports work, the threats within their threat model, and how they protect against those threats using cryptography. It also discusses the implications of usin...
blog.trailofbits.com
November 2, 2025 at 10:51 PM
Articles worth reading discovered last week: Passports, WIFI and AI-SAST!
🛂 blog.trailofbits.com/2025/10/31/t...
🛜 pulsesecurity.co.nz/articles/byp...
🧠 parsiya.net/blog/wtf-is-...
🛂 blog.trailofbits.com/2025/10/31/t...
🛜 pulsesecurity.co.nz/articles/byp...
🧠 parsiya.net/blog/wtf-is-...
Reposted by PentesterLab
Yeah @nastystereo.com I think you and @pentesterlab.com would get along just fine collabbing. 👀
October 30, 2025 at 12:42 AM
Yeah @nastystereo.com I think you and @pentesterlab.com would get along just fine collabbing. 👀
Reposted by PentesterLab
Upgrading the designer bag with a necessary accessory @pentesterlab.com
October 30, 2025 at 11:32 PM
Upgrading the designer bag with a necessary accessory @pentesterlab.com
🚨 New labs just dropped!
3 new Python Code Review labs are now live on PentesterLab 🐍
Learn to spot subtle bugs and insecure patterns by reading real Python code.
🎯 pentesterlab.com/badges/python-code-review
#Python #AppSec #CodeReview #PentesterLab
3 new Python Code Review labs are now live on PentesterLab 🐍
Learn to spot subtle bugs and insecure patterns by reading real Python code.
🎯 pentesterlab.com/badges/python-code-review
#Python #AppSec #CodeReview #PentesterLab
PentesterLab: Learn with our Python Code Review Badge
The Python Code Review Badge is our badge dedicated to code review in Python. It covers the discovery of weaknesses and vulnerabilities using source code review.
pentesterlab.com
October 28, 2025 at 3:37 AM
🚨 New labs just dropped!
3 new Python Code Review labs are now live on PentesterLab 🐍
Learn to spot subtle bugs and insecure patterns by reading real Python code.
🎯 pentesterlab.com/badges/python-code-review
#Python #AppSec #CodeReview #PentesterLab
3 new Python Code Review labs are now live on PentesterLab 🐍
Learn to spot subtle bugs and insecure patterns by reading real Python code.
🎯 pentesterlab.com/badges/python-code-review
#Python #AppSec #CodeReview #PentesterLab
Reposted by PentesterLab
Really awesome preso from @snyff.pentesterlab.com @pentesterlab.com over at BSides Perth. Jam packed with patterns, approaches, tips and tricks to level up finding bugs in code. #bsides #bsidesperth
October 19, 2025 at 2:33 AM
Really awesome preso from @snyff.pentesterlab.com @pentesterlab.com over at BSides Perth. Jam packed with patterns, approaches, tips and tricks to level up finding bugs in code. #bsides #bsidesperth
The past few weeks have been quiet, but we’re back!
🛠️ deepwiki.com
🛠️ github.com/AsyncFuncAI/...
🪲 blog.trailofbits.com/2025/04/23/h...
🛠️ github.com/quarkslab/pr...
🛡️ hdm.io/decks/Charti...
🛠️ deepwiki.com
🛠️ github.com/AsyncFuncAI/...
🪲 blog.trailofbits.com/2025/04/23/h...
🛠️ github.com/quarkslab/pr...
🛡️ hdm.io/decks/Charti...
DeepWiki | AI documentation you can talk to, for every repo
DeepWiki provides up-to-date documentation you can talk to, for every repo in the world. Think Deep Research for GitHub - powered by Devin.
deepwiki.com
May 4, 2025 at 10:37 PM
The past few weeks have been quiet, but we’re back!
🛠️ deepwiki.com
🛠️ github.com/AsyncFuncAI/...
🪲 blog.trailofbits.com/2025/04/23/h...
🛠️ github.com/quarkslab/pr...
🛡️ hdm.io/decks/Charti...
🛠️ deepwiki.com
🛠️ github.com/AsyncFuncAI/...
🪲 blog.trailofbits.com/2025/04/23/h...
🛠️ github.com/quarkslab/pr...
🛡️ hdm.io/decks/Charti...
Your face when you realize your next security code review is on a Clojure codebase...
April 20, 2025 at 11:10 PM
Your face when you realize your next security code review is on a Clojure codebase...
Articles worth reading discovered last week:
🪲 labs.watchtowr.com/xss-to-rce-b...
🧩 gist.github.com/Panya/990b45...
#PentesterLabWeekly
🪲 labs.watchtowr.com/xss-to-rce-b...
🧩 gist.github.com/Panya/990b45...
#PentesterLabWeekly
XSS To RCE By Abusing Custom File Handlers - Kentico Xperience CMS (CVE-2025-2748)
We know what you’re waiting for - this isn’t it. Today, we’re back with more tales of our adventures in Kentico’s Xperience CMS. Due to it’s wide usage, the type of solution, and the types of enterpri...
labs.watchtowr.com
April 6, 2025 at 9:54 PM
Articles worth reading discovered last week:
🪲 labs.watchtowr.com/xss-to-rce-b...
🧩 gist.github.com/Panya/990b45...
#PentesterLabWeekly
🪲 labs.watchtowr.com/xss-to-rce-b...
🧩 gist.github.com/Panya/990b45...
#PentesterLabWeekly
Two great pieces of content for this week:
🪲 www.wiz.io/blog/ingress...
🪲 zhero-web-sec.github.io/research-and...
#PentesterLabWeekly
🪲 www.wiz.io/blog/ingress...
🪲 zhero-web-sec.github.io/research-and...
#PentesterLabWeekly
Remote Code Execution Vulnerabilities in Ingress NGINX | Wiz Blog
Wiz Research uncovered RCE vulnerabilities (CVE-2025-1097, 1098, 24514, 1974) in Ingress NGINX for Kubernetes allowing cluster-wide secret access.
www.wiz.io
March 30, 2025 at 9:33 PM
Two great pieces of content for this week:
🪲 www.wiz.io/blog/ingress...
🪲 zhero-web-sec.github.io/research-and...
#PentesterLabWeekly
🪲 www.wiz.io/blog/ingress...
🪲 zhero-web-sec.github.io/research-and...
#PentesterLabWeekly
‼️ blog.doyensec.com/2025/03/18/e...
📨 workos.com/blog/samlstorm
🛤️ projectdiscovery.io/blog/discour...
☑️ labs.watchtowr.com/by-executive...
❤️ tmpout.sh/4/
🗼 labs.watchtowr.com/bypassing-au...
Get our weekly news direct to your mailbox: pentesterlab.substack.com
📨 workos.com/blog/samlstorm
🛤️ projectdiscovery.io/blog/discour...
☑️ labs.watchtowr.com/by-executive...
❤️ tmpout.sh/4/
🗼 labs.watchtowr.com/bypassing-au...
Get our weekly news direct to your mailbox: pentesterlab.substack.com
!exploitable Episode Three - Devfile Adventures · Doyensec's Blog
!exploitable Episode Three - Devfile Adventures
blog.doyensec.com
March 23, 2025 at 10:00 PM
‼️ blog.doyensec.com/2025/03/18/e...
📨 workos.com/blog/samlstorm
🛤️ projectdiscovery.io/blog/discour...
☑️ labs.watchtowr.com/by-executive...
❤️ tmpout.sh/4/
🗼 labs.watchtowr.com/bypassing-au...
Get our weekly news direct to your mailbox: pentesterlab.substack.com
📨 workos.com/blog/samlstorm
🛤️ projectdiscovery.io/blog/discour...
☑️ labs.watchtowr.com/by-executive...
❤️ tmpout.sh/4/
🗼 labs.watchtowr.com/bypassing-au...
Get our weekly news direct to your mailbox: pentesterlab.substack.com
If people spent as much time actually learning hacking as they do optimizing how to learn hacking, they’d be a lot better at it. Just start. Break things. Learn. Repeat.
March 20, 2025 at 9:18 AM
If people spent as much time actually learning hacking as they do optimizing how to learn hacking, they’d be a lot better at it. Just start. Break things. Learn. Repeat.
What a week! SAML&Ruby, PHP&XXE and so much more!
📨 github.blog/security/sig...
🧑🏻💻 seeinglogic.com/posts/visual...
🤯 swarm.ptsecurity.com/impossible-x...
😻 scrapco.de/blog/analysi...
More details in our blog: pentesterlab.com/blog/researc...
#PentesterLabWeekly
📨 github.blog/security/sig...
🧑🏻💻 seeinglogic.com/posts/visual...
🤯 swarm.ptsecurity.com/impossible-x...
😻 scrapco.de/blog/analysi...
More details in our blog: pentesterlab.com/blog/researc...
#PentesterLabWeekly
Sign in as anyone: Bypassing SAML SSO authentication with parser differentials
Critical authentication bypass vulnerabilities were discovered in ruby-saml up to version 1.17.0. See how they were uncovered.
github.blog
March 16, 2025 at 10:22 PM
What a week! SAML&Ruby, PHP&XXE and so much more!
📨 github.blog/security/sig...
🧑🏻💻 seeinglogic.com/posts/visual...
🤯 swarm.ptsecurity.com/impossible-x...
😻 scrapco.de/blog/analysi...
More details in our blog: pentesterlab.com/blog/researc...
#PentesterLabWeekly
📨 github.blog/security/sig...
🧑🏻💻 seeinglogic.com/posts/visual...
🤯 swarm.ptsecurity.com/impossible-x...
😻 scrapco.de/blog/analysi...
More details in our blog: pentesterlab.com/blog/researc...
#PentesterLabWeekly
Articles worth reading discovered last week:
💎 www.elttam.com/blog/rails-s...
﹟ afine.com/understandin...
🪲 slcyber.io/blog/sitecor...
For more details, check out our blog:
pentesterlab.com/blog/researc...
💎 www.elttam.com/blog/rails-s...
﹟ afine.com/understandin...
🪲 slcyber.io/blog/sitecor...
For more details, check out our blog:
pentesterlab.com/blog/researc...
New Method to Leverage Unsafe Reflection and Deserialisation to RCE on Rails - elttamNew Method to Leverage Unsafe Reflection and Deserialisation to RCE on Rails - elttam
elttam is a globally recognised, independent information security company, renowned for our advanced technical security assessments.
www.elttam.com
March 9, 2025 at 10:19 PM
Articles worth reading discovered last week:
💎 www.elttam.com/blog/rails-s...
﹟ afine.com/understandin...
🪲 slcyber.io/blog/sitecor...
For more details, check out our blog:
pentesterlab.com/blog/researc...
💎 www.elttam.com/blog/rails-s...
﹟ afine.com/understandin...
🪲 slcyber.io/blog/sitecor...
For more details, check out our blog:
pentesterlab.com/blog/researc...
Want to prove your API hacking skills?
Earn the PentesterLab API badge!
Hands-on labs designed to test and improve your ability to find and exploit API vulnerabilities.
https://pentesterlab.com/badges/api
Earn the PentesterLab API badge!
Hands-on labs designed to test and improve your ability to find and exploit API vulnerabilities.
https://pentesterlab.com/badges/api
PentesterLab: API Badge
The API badge is our set of exercises created to help you learn API testing. The first few challenges are based on challenges you already solved to get you more confident with API testing and review your knowledge and methodology. Then, harder challenges are provided to get you to the next level.
pentesterlab.com
March 2, 2025 at 4:47 AM
Want to prove your API hacking skills?
Earn the PentesterLab API badge!
Hands-on labs designed to test and improve your ability to find and exploit API vulnerabilities.
https://pentesterlab.com/badges/api
Earn the PentesterLab API badge!
Hands-on labs designed to test and improve your ability to find and exploit API vulnerabilities.
https://pentesterlab.com/badges/api
AI-generated code is reshaping secure code review—fewer trivial bugs, but more hidden threats.
Read more in our new blog post:
pentesterlab.com/blog/secure-...
What do you think?
Read more in our new blog post:
pentesterlab.com/blog/secure-...
What do you think?
How AI-Generated Code Is Changing Secure Code Review
Learn how AI-generated code impacts secure code review and application security. Discover why AI excels at catching common vulnerabilities but needs human expertise for complex bugs.
pentesterlab.com
February 24, 2025 at 10:49 PM
AI-generated code is reshaping secure code review—fewer trivial bugs, but more hidden threats.
Read more in our new blog post:
pentesterlab.com/blog/secure-...
What do you think?
Read more in our new blog post:
pentesterlab.com/blog/secure-...
What do you think?
Articles worth reading discovered last week:
📚 mizu.re/post/explori...
☁️ devanshbatham.hashnode.dev/fragility-of...
🫙 www.wiz.io/blog/nvidia-...
🐍 www.reversinglabs.com/blog/rl-iden...
🎥 brutecat.com/articles/lea...
📚 mizu.re/post/explori...
☁️ devanshbatham.hashnode.dev/fragility-of...
🫙 www.wiz.io/blog/nvidia-...
🐍 www.reversinglabs.com/blog/rl-iden...
🎥 brutecat.com/articles/lea...
Exploring the DOMPurify library: Hunting for Misconfigurations (2/2). Tags:Article - Article - Web - mXSS
Exploring the DOMPurify library: Hunting for Misconfigurations (2/2)
mizu.re
February 17, 2025 at 2:58 AM
Articles worth reading discovered last week:
📚 mizu.re/post/explori...
☁️ devanshbatham.hashnode.dev/fragility-of...
🫙 www.wiz.io/blog/nvidia-...
🐍 www.reversinglabs.com/blog/rl-iden...
🎥 brutecat.com/articles/lea...
📚 mizu.re/post/explori...
☁️ devanshbatham.hashnode.dev/fragility-of...
🫙 www.wiz.io/blog/nvidia-...
🐍 www.reversinglabs.com/blog/rl-iden...
🎥 brutecat.com/articles/lea...
Think teaching devs to hack is risky?
In reality, a bit of hacking knowledge helps them spot vulnerabilities early and build stronger apps.
Discover why having devs with a 'hacker mindset' is a win for security:
pentesterlab.com/blog/why-dev...
In reality, a bit of hacking knowledge helps them spot vulnerabilities early and build stronger apps.
Discover why having devs with a 'hacker mindset' is a win for security:
pentesterlab.com/blog/why-dev...
I Don’t Want My Devs to Become Hackers! - PentesterLab's Blog
Discover why encouraging developers to learn ethical hacking boosts security, reduces bugs, and fosters a proactive security culture in your organization.
pentesterlab.com
February 13, 2025 at 6:21 PM
Think teaching devs to hack is risky?
In reality, a bit of hacking knowledge helps them spot vulnerabilities early and build stronger apps.
Discover why having devs with a 'hacker mindset' is a win for security:
pentesterlab.com/blog/why-dev...
In reality, a bit of hacking knowledge helps them spot vulnerabilities early and build stronger apps.
Discover why having devs with a 'hacker mindset' is a win for security:
pentesterlab.com/blog/why-dev...
🚨 Just launched: Two brand-new API Mass Assignment labs!
Ready to level up your #API hacking skills? Dive into realistic scenarios & learn how to exploit hidden parameters:
1️⃣ API Mass Assignment 01
2️⃣ API Mass Assignment 02
pentesterlab.com/badges/api/
Ready to level up your #API hacking skills? Dive into realistic scenarios & learn how to exploit hidden parameters:
1️⃣ API Mass Assignment 01
2️⃣ API Mass Assignment 02
pentesterlab.com/badges/api/
PentesterLab: Learn with our API Badge
The API badge is our set of exercises created to help you learn API testing. The first few challenges are based on challenges you already solved to get you more confident with API testing and review y...
pentesterlab.com
February 3, 2025 at 10:57 PM
🚨 Just launched: Two brand-new API Mass Assignment labs!
Ready to level up your #API hacking skills? Dive into realistic scenarios & learn how to exploit hidden parameters:
1️⃣ API Mass Assignment 01
2️⃣ API Mass Assignment 02
pentesterlab.com/badges/api/
Ready to level up your #API hacking skills? Dive into realistic scenarios & learn how to exploit hidden parameters:
1️⃣ API Mass Assignment 01
2️⃣ API Mass Assignment 02
pentesterlab.com/badges/api/
Articles worth reading discovered last week:
🤝 blog.doyensec.com/2025/01/30/o...
☠️ www.feistyduck.com/newsletter/i...
📚 pathonproject.com/zb/?871f0933...
And as always, it’s in our blog: pentesterlab.com/blog/researc...
#PentesterLabWeekly
🤝 blog.doyensec.com/2025/01/30/o...
☠️ www.feistyduck.com/newsletter/i...
📚 pathonproject.com/zb/?871f0933...
And as always, it’s in our blog: pentesterlab.com/blog/researc...
#PentesterLabWeekly
Common OAuth Vulnerabilities · Doyensec's Blog
Common OAuth Vulnerabilities
blog.doyensec.com
February 2, 2025 at 9:50 PM
Articles worth reading discovered last week:
🤝 blog.doyensec.com/2025/01/30/o...
☠️ www.feistyduck.com/newsletter/i...
📚 pathonproject.com/zb/?871f0933...
And as always, it’s in our blog: pentesterlab.com/blog/researc...
#PentesterLabWeekly
🤝 blog.doyensec.com/2025/01/30/o...
☠️ www.feistyduck.com/newsletter/i...
📚 pathonproject.com/zb/?871f0933...
And as always, it’s in our blog: pentesterlab.com/blog/researc...
#PentesterLabWeekly
Reposted by PentesterLab
I’m excited to share that in a few weeks I’ll be heading to the US for a series of talks and workshops focused on security code review and JWT—and I’ll be bringing some
@pentesterlab.com swag along too!
@pentesterlab.com swag along too!
January 29, 2025 at 11:33 PM
I’m excited to share that in a few weeks I’ll be heading to the US for a series of talks and workshops focused on security code review and JWT—and I’ll be bringing some
@pentesterlab.com swag along too!
@pentesterlab.com swag along too!