PentesterLab
@pentesterlab.com
We make learning web hacking and security easier. Online systems, code review, videos & courses that can be used to understand, test and exploit bugs!
𝗥𝗲𝘀𝗲𝗮𝗿𝗰𝗵 𝗪𝗼𝗿𝘁𝗵 𝗥𝗲𝗮𝗱𝗶𝗻𝗴 - 𝗪𝗲𝗲𝗸 𝟲, 𝟮𝟬𝟮𝟲
Busy week! AI, AI, AI and the death of Flash!
🤖 𝗦𝗲𝗺𝗴𝗿𝗲𝗽'𝘀 𝗔𝗴𝗲𝗻𝘁 𝗦𝗸𝗶𝗹𝗹𝘀
Semgrep released a set of agent skills worth looking into: github.com/semgrep/skills.
Busy week! AI, AI, AI and the death of Flash!
🤖 𝗦𝗲𝗺𝗴𝗿𝗲𝗽'𝘀 𝗔𝗴𝗲𝗻𝘁 𝗦𝗸𝗶𝗹𝗹𝘀
Semgrep released a set of agent skills worth looking into: github.com/semgrep/skills.
GitHub - semgrep/skills: A collection of skills for AI coding agents from Semgrep
A collection of skills for AI coding agents from Semgrep - semgrep/skills
github.com
February 8, 2026 at 10:25 PM
𝗥𝗲𝘀𝗲𝗮𝗿𝗰𝗵 𝗪𝗼𝗿𝘁𝗵 𝗥𝗲𝗮𝗱𝗶𝗻𝗴 - 𝗪𝗲𝗲𝗸 𝟲, 𝟮𝟬𝟮𝟲
Busy week! AI, AI, AI and the death of Flash!
🤖 𝗦𝗲𝗺𝗴𝗿𝗲𝗽'𝘀 𝗔𝗴𝗲𝗻𝘁 𝗦𝗸𝗶𝗹𝗹𝘀
Semgrep released a set of agent skills worth looking into: github.com/semgrep/skills.
Busy week! AI, AI, AI and the death of Flash!
🤖 𝗦𝗲𝗺𝗴𝗿𝗲𝗽'𝘀 𝗔𝗴𝗲𝗻𝘁 𝗦𝗸𝗶𝗹𝗹𝘀
Semgrep released a set of agent skills worth looking into: github.com/semgrep/skills.
Reposted by PentesterLab
🧑🎓 Learning of the day for me thanks to @pentesterlab.com and Claude.
🔬 For the regular expression "[A-z]":
In a character class [X-Y], it matches all characters with ASCII codes from X to Y inclusive. So [A-z] means all ASCII characters from 65 (A) to 122 (z).
#appsec #appsecurity
🔬 For the regular expression "[A-z]":
In a character class [X-Y], it matches all characters with ASCII codes from X to Y inclusive. So [A-z] means all ASCII characters from 65 (A) to 122 (z).
#appsec #appsecurity
February 2, 2026 at 10:28 AM
🧑🎓 Learning of the day for me thanks to @pentesterlab.com and Claude.
🔬 For the regular expression "[A-z]":
In a character class [X-Y], it matches all characters with ASCII codes from X to Y inclusive. So [A-z] means all ASCII characters from 65 (A) to 122 (z).
#appsec #appsecurity
🔬 For the regular expression "[A-z]":
In a character class [X-Y], it matches all characters with ASCII codes from X to Y inclusive. So [A-z] means all ASCII characters from 65 (A) to 122 (z).
#appsec #appsecurity
February 6, 2026 at 12:53 AM
Research Worth Reading - Week 5, 2026
Bugs EVERYWHERE….
Bugs EVERYWHERE….
February 2, 2026 at 12:26 AM
Research Worth Reading - Week 5, 2026
Bugs EVERYWHERE….
Bugs EVERYWHERE….
🔥 CVE-2026-23993: HarbourJwt JWT auth bypass via unknown alg.
Not just alg=none: unsupported alg => empty signature, so forged token header.payload. passes.
Write-up + fix: pentesterlab.com/blog/cve-202...
Not just alg=none: unsupported alg => empty signature, so forged token header.payload. passes.
Write-up + fix: pentesterlab.com/blog/cve-202...
CVE-2026-23993: JWT authentication bypass in HarbourJwt via “unknown alg”
I didn't know Harbour even existed as a language when I found this bug. The fun part is that I also ...
pentesterlab.com
January 21, 2026 at 10:12 PM
🔥 CVE-2026-23993: HarbourJwt JWT auth bypass via unknown alg.
Not just alg=none: unsupported alg => empty signature, so forged token header.payload. passes.
Write-up + fix: pentesterlab.com/blog/cve-202...
Not just alg=none: unsupported alg => empty signature, so forged token header.payload. passes.
Write-up + fix: pentesterlab.com/blog/cve-202...
Research Worth Reading Week 03/2026
Claude RedTeam, Claude Hacking, Claude Skills...Is it Claude week?
🤖 AI models are showing a greater ability to find and exploit vulnerabilities
The latest Claude models are getting noticeably better at hacking: red.anthropic.com/2026/cyber-t...
Claude RedTeam, Claude Hacking, Claude Skills...Is it Claude week?
🤖 AI models are showing a greater ability to find and exploit vulnerabilities
The latest Claude models are getting noticeably better at hacking: red.anthropic.com/2026/cyber-t...
AI Models on Realistic Cyber Ranges \ red.anthropic.com
red.anthropic.com
January 18, 2026 at 11:52 PM
Research Worth Reading Week 03/2026
Claude RedTeam, Claude Hacking, Claude Skills...Is it Claude week?
🤖 AI models are showing a greater ability to find and exploit vulnerabilities
The latest Claude models are getting noticeably better at hacking: red.anthropic.com/2026/cyber-t...
Claude RedTeam, Claude Hacking, Claude Skills...Is it Claude week?
🤖 AI models are showing a greater ability to find and exploit vulnerabilities
The latest Claude models are getting noticeably better at hacking: red.anthropic.com/2026/cyber-t...
Happy New Year! Research Worth Reading Week 01/2026!
💧 Cross-Site ETag Length Leak
An amazing CTF write-up on XS Leaks. Make sure you also read the unintended solution linked at the bottom of the page: blog.arkark.dev/2025/12/26/e...
💧 Cross-Site ETag Length Leak
An amazing CTF write-up on XS Leaks. Make sure you also read the unintended solution linked at the bottom of the page: blog.arkark.dev/2025/12/26/e...
Cross-Site ETag Length Leak | XS-Spin Blog
A novel XS-Leak technique that turns ETag length differences into a cross-site oracle via 431 errors and History API.
blog.arkark.dev
January 6, 2026 at 10:24 PM
Happy New Year! Research Worth Reading Week 01/2026!
💧 Cross-Site ETag Length Leak
An amazing CTF write-up on XS Leaks. Make sure you also read the unintended solution linked at the bottom of the page: blog.arkark.dev/2025/12/26/e...
💧 Cross-Site ETag Length Leak
An amazing CTF write-up on XS Leaks. Make sure you also read the unintended solution linked at the bottom of the page: blog.arkark.dev/2025/12/26/e...
Reposted by PentesterLab
Research Worth Reading Week 51/2025
A quieter week that perfectly fits the two deep dives!
📚 ORM Leaking More Than You Joined For
The latest opus in Elttam's posts on ORM leaks, including some semgrep rules and a reference to my blog post on the subject: www.elttam.com/blog/leaking...
A quieter week that perfectly fits the two deep dives!
📚 ORM Leaking More Than You Joined For
The latest opus in Elttam's posts on ORM leaks, including some semgrep rules and a reference to my blog post on the subject: www.elttam.com/blog/leaking...
ORM Leaking More Than You Joined For - elttamORM Leaking More Than You Joined For - elttam
elttam is a globally recognised, independent information security company, renowned for our advanced technical security assessments.
www.elttam.com
December 21, 2025 at 10:07 PM
Research Worth Reading Week 51/2025
A quieter week that perfectly fits the two deep dives!
📚 ORM Leaking More Than You Joined For
The latest opus in Elttam's posts on ORM leaks, including some semgrep rules and a reference to my blog post on the subject: www.elttam.com/blog/leaking...
A quieter week that perfectly fits the two deep dives!
📚 ORM Leaking More Than You Joined For
The latest opus in Elttam's posts on ORM leaks, including some semgrep rules and a reference to my blog post on the subject: www.elttam.com/blog/leaking...
Research Worth Reading Week 50/2025: SAML bypasses & LLM-assisted crash triage.
🔒 The Fragile Lock: Novel Bypasses for SAML Authentication
Ruby SAML falls again. An extraordinary exploit by the PortSwigger team: portswigger.net/research/the...
🔒 The Fragile Lock: Novel Bypasses for SAML Authentication
Ruby SAML falls again. An extraordinary exploit by the PortSwigger team: portswigger.net/research/the...
The Fragile Lock: Novel Bypasses For SAML Authentication
TLDR This post shows how to achieve a full authentication bypass in the Ruby and PHP SAML ecosystem by exploiting several parser-level inconsistencies: including attribute pollution, namespace confusi
portswigger.net
December 14, 2025 at 10:50 PM
Research Worth Reading Week 50/2025: SAML bypasses & LLM-assisted crash triage.
🔒 The Fragile Lock: Novel Bypasses for SAML Authentication
Ruby SAML falls again. An extraordinary exploit by the PortSwigger team: portswigger.net/research/the...
🔒 The Fragile Lock: Novel Bypasses for SAML Authentication
Ruby SAML falls again. An extraordinary exploit by the PortSwigger team: portswigger.net/research/the...
Reposted by PentesterLab
🧑🎓 Learning of the day for me thanks to:
- @pentesterlab.com for the presentation of the behavior and the code review lab.
- ChatGPT for the detailed explanation.
#appsec #appsecurity #python
- @pentesterlab.com for the presentation of the behavior and the code review lab.
- ChatGPT for the detailed explanation.
#appsec #appsecurity #python
December 13, 2025 at 8:44 AM
🧑🎓 Learning of the day for me thanks to:
- @pentesterlab.com for the presentation of the behavior and the code review lab.
- ChatGPT for the detailed explanation.
#appsec #appsecurity #python
- @pentesterlab.com for the presentation of the behavior and the code review lab.
- ChatGPT for the detailed explanation.
#appsec #appsecurity #python
Reposted by PentesterLab
I just completed @pentesterlab.com 's Recon Badge!!!
December 14, 2025 at 4:21 PM
I just completed @pentesterlab.com 's Recon Badge!!!
Welcome back to Slytherin! 🐍
We just released 3 new labs in our python^w Slytherin code review badge: real CVEs, sneaky bugs, and plenty of chances to sharpen your dark code arts..
Grab your wand here:
pentesterlab.com/badges/pytho...
We just released 3 new labs in our python^w Slytherin code review badge: real CVEs, sneaky bugs, and plenty of chances to sharpen your dark code arts..
Grab your wand here:
pentesterlab.com/badges/pytho...
PentesterLab: Learn with our Python Code Review Badge
The Python Code Review Badge is our badge dedicated to code review in Python. It covers the discovery of weaknesses and vulnerabilities using source code review.
pentesterlab.com
December 9, 2025 at 10:53 PM
Welcome back to Slytherin! 🐍
We just released 3 new labs in our python^w Slytherin code review badge: real CVEs, sneaky bugs, and plenty of chances to sharpen your dark code arts..
Grab your wand here:
pentesterlab.com/badges/pytho...
We just released 3 new labs in our python^w Slytherin code review badge: real CVEs, sneaky bugs, and plenty of chances to sharpen your dark code arts..
Grab your wand here:
pentesterlab.com/badges/pytho...
Research Worth Reading Week 49/2025:
⏰ Introducing constant-time support for LLVM to protect cryptographic code
Trail of Bits explains their work on adding constant-time support to LLVM so that compiled cryptographic code remains constant-time: blog.trailofbits.com/2025/12/02/i...
⏰ Introducing constant-time support for LLVM to protect cryptographic code
Trail of Bits explains their work on adding constant-time support to LLVM so that compiled cryptographic code remains constant-time: blog.trailofbits.com/2025/12/02/i...
Introducing constant-time support for LLVM to protect cryptographic code
Trail of Bits developed constant-time coding support for LLVM that prevents compilers from breaking cryptographic implementations vulnerable to timing attacks, introducing the __builtin_ct_select fami...
blog.trailofbits.com
December 7, 2025 at 10:45 PM
Research Worth Reading Week 49/2025:
⏰ Introducing constant-time support for LLVM to protect cryptographic code
Trail of Bits explains their work on adding constant-time support to LLVM so that compiled cryptographic code remains constant-time: blog.trailofbits.com/2025/12/02/i...
⏰ Introducing constant-time support for LLVM to protect cryptographic code
Trail of Bits explains their work on adding constant-time support to LLVM so that compiled cryptographic code remains constant-time: blog.trailofbits.com/2025/12/02/i...
Black Friday at @pentesterlab.com 🧨
For a limited time:
🔒 1 year of PRO for $146.52
🎓 Student special: 3 months PRO for $25.99
Hands-on labs. Real CVEs. Security code review training used by real AppSec & pentest teams.
⏰ Offer ends 2 Dec 2025, 23:59:59 UTC
👉 pentesterlab.com/pro
For a limited time:
🔒 1 year of PRO for $146.52
🎓 Student special: 3 months PRO for $25.99
Hands-on labs. Real CVEs. Security code review training used by real AppSec & pentest teams.
⏰ Offer ends 2 Dec 2025, 23:59:59 UTC
👉 pentesterlab.com/pro
November 27, 2025 at 10:06 PM
Black Friday at @pentesterlab.com 🧨
For a limited time:
🔒 1 year of PRO for $146.52
🎓 Student special: 3 months PRO for $25.99
Hands-on labs. Real CVEs. Security code review training used by real AppSec & pentest teams.
⏰ Offer ends 2 Dec 2025, 23:59:59 UTC
👉 pentesterlab.com/pro
For a limited time:
🔒 1 year of PRO for $146.52
🎓 Student special: 3 months PRO for $25.99
Hands-on labs. Real CVEs. Security code review training used by real AppSec & pentest teams.
⏰ Offer ends 2 Dec 2025, 23:59:59 UTC
👉 pentesterlab.com/pro
Added 3 new Java CVEs to our Java Code Review Badge!
Now at 64 real-world labs to sharpen your Java code review skills.
Try them here: pentesterlab.com/badges/java-...
More CVEs coming soon 👀🔥
Now at 64 real-world labs to sharpen your Java code review skills.
Try them here: pentesterlab.com/badges/java-...
More CVEs coming soon 👀🔥
PentesterLab: Learn with our Java Code Review Badge
The Java Code Review Badge is our badge dedicated to code review in Java. It covers the discovery of weaknesses and vulnerabilities using source code review.
pentesterlab.com
November 21, 2025 at 6:25 AM
Added 3 new Java CVEs to our Java Code Review Badge!
Now at 64 real-world labs to sharpen your Java code review skills.
Try them here: pentesterlab.com/badges/java-...
More CVEs coming soon 👀🔥
Now at 64 real-world labs to sharpen your Java code review skills.
Try them here: pentesterlab.com/badges/java-...
More CVEs coming soon 👀🔥
Articles worth reading discovered last week:
📲 security.googleblog.com/2025/11/rust...
📸 www.pixnapping.com
🧩 www.praetorian.com/blog/how-i-f...
🤖 buganizer.cc/hacking-gemi...
📲 security.googleblog.com/2025/11/rust...
📸 www.pixnapping.com
🧩 www.praetorian.com/blog/how-i-f...
🤖 buganizer.cc/hacking-gemi...
Rust in Android: move fast and fix things
Posted by Jeff Vander Stoep, Android Last year, we wrote about why a memory safety strategy that focuses on vulnerability prevention in ...
security.googleblog.com
November 16, 2025 at 11:23 PM
Articles worth reading discovered last week:
📲 security.googleblog.com/2025/11/rust...
📸 www.pixnapping.com
🧩 www.praetorian.com/blog/how-i-f...
🤖 buganizer.cc/hacking-gemi...
📲 security.googleblog.com/2025/11/rust...
📸 www.pixnapping.com
🧩 www.praetorian.com/blog/how-i-f...
🤖 buganizer.cc/hacking-gemi...
Reposted by PentesterLab
November 7, 2025 at 11:39 PM
Research to read this week: Android, Django, MCP…
🤖 knifecoat.com/Posts/Runtim...
🐍 www.endorlabs.com/learn/critic...
🌽 googleprojectzero.blogspot.com/2025/11/defe...
🤖 medium.com/@kulkan-secu...
🧑🏻💻 words.filippo.io/claude-debug...
#PentesterLabWeekly
🤖 knifecoat.com/Posts/Runtim...
🐍 www.endorlabs.com/learn/critic...
🌽 googleprojectzero.blogspot.com/2025/11/defe...
🤖 medium.com/@kulkan-secu...
🧑🏻💻 words.filippo.io/claude-debug...
#PentesterLabWeekly
Runtime Android Object Instrumentation - KnifeCoat
Intro This year I have been doing quite a bit Android userland analysis. Android is a wonderful platform to work on, great decompiler support (JEB), easy access to rooted devices (unless you buy NA l…
knifecoat.com
November 9, 2025 at 11:37 PM
Research to read this week: Android, Django, MCP…
🤖 knifecoat.com/Posts/Runtim...
🐍 www.endorlabs.com/learn/critic...
🌽 googleprojectzero.blogspot.com/2025/11/defe...
🤖 medium.com/@kulkan-secu...
🧑🏻💻 words.filippo.io/claude-debug...
#PentesterLabWeekly
🤖 knifecoat.com/Posts/Runtim...
🐍 www.endorlabs.com/learn/critic...
🌽 googleprojectzero.blogspot.com/2025/11/defe...
🤖 medium.com/@kulkan-secu...
🧑🏻💻 words.filippo.io/claude-debug...
#PentesterLabWeekly
Reposted by PentesterLab
Don't just look at bad code
Know what good looks like!
@pentesterlab.com
#Kawaiicon @kawaiicon.bsky.social
Know what good looks like!
@pentesterlab.com
#Kawaiicon @kawaiicon.bsky.social
November 7, 2025 at 11:40 PM
Don't just look at bad code
Know what good looks like!
@pentesterlab.com
#Kawaiicon @kawaiicon.bsky.social
Know what good looks like!
@pentesterlab.com
#Kawaiicon @kawaiicon.bsky.social
Articles worth reading discovered last week: Passports, WIFI and AI-SAST!
🛂 blog.trailofbits.com/2025/10/31/t...
🛜 pulsesecurity.co.nz/articles/byp...
🧠 parsiya.net/blog/wtf-is-...
🛂 blog.trailofbits.com/2025/10/31/t...
🛜 pulsesecurity.co.nz/articles/byp...
🧠 parsiya.net/blog/wtf-is-...
The cryptography behind electronic passports
This blog post describes how electronic passports work, the threats within their threat model, and how they protect against those threats using cryptography. It also discusses the implications of usin...
blog.trailofbits.com
November 2, 2025 at 10:51 PM
Articles worth reading discovered last week: Passports, WIFI and AI-SAST!
🛂 blog.trailofbits.com/2025/10/31/t...
🛜 pulsesecurity.co.nz/articles/byp...
🧠 parsiya.net/blog/wtf-is-...
🛂 blog.trailofbits.com/2025/10/31/t...
🛜 pulsesecurity.co.nz/articles/byp...
🧠 parsiya.net/blog/wtf-is-...
Reposted by PentesterLab
Yeah @nastystereo.com I think you and @pentesterlab.com would get along just fine collabbing. 👀
October 30, 2025 at 12:42 AM
Yeah @nastystereo.com I think you and @pentesterlab.com would get along just fine collabbing. 👀
Reposted by PentesterLab
Upgrading the designer bag with a necessary accessory @pentesterlab.com
October 30, 2025 at 11:32 PM
Upgrading the designer bag with a necessary accessory @pentesterlab.com
🚨 New labs just dropped!
3 new Python Code Review labs are now live on PentesterLab 🐍
Learn to spot subtle bugs and insecure patterns by reading real Python code.
🎯 pentesterlab.com/badges/python-code-review
#Python #AppSec #CodeReview #PentesterLab
3 new Python Code Review labs are now live on PentesterLab 🐍
Learn to spot subtle bugs and insecure patterns by reading real Python code.
🎯 pentesterlab.com/badges/python-code-review
#Python #AppSec #CodeReview #PentesterLab
PentesterLab: Learn with our Python Code Review Badge
The Python Code Review Badge is our badge dedicated to code review in Python. It covers the discovery of weaknesses and vulnerabilities using source code review.
pentesterlab.com
October 28, 2025 at 3:37 AM
🚨 New labs just dropped!
3 new Python Code Review labs are now live on PentesterLab 🐍
Learn to spot subtle bugs and insecure patterns by reading real Python code.
🎯 pentesterlab.com/badges/python-code-review
#Python #AppSec #CodeReview #PentesterLab
3 new Python Code Review labs are now live on PentesterLab 🐍
Learn to spot subtle bugs and insecure patterns by reading real Python code.
🎯 pentesterlab.com/badges/python-code-review
#Python #AppSec #CodeReview #PentesterLab
Reposted by PentesterLab
Really awesome preso from @snyff.pentesterlab.com @pentesterlab.com over at BSides Perth. Jam packed with patterns, approaches, tips and tricks to level up finding bugs in code. #bsides #bsidesperth
October 19, 2025 at 2:33 AM
Really awesome preso from @snyff.pentesterlab.com @pentesterlab.com over at BSides Perth. Jam packed with patterns, approaches, tips and tricks to level up finding bugs in code. #bsides #bsidesperth