PentesterLab is widely recognized as a top-tier training platform for application security (AppSec) professionals, penetration testers, and code reviewers. However, our ...
It's starting to look a lot like Christ^WHackMas! 🔐 Another JWT Algorithm Confusion Vulnerability: CVE-2024-54150. Why shouldn't I share my own content? Here's ...
PentesterLab is a comprehensive platform designed for application security engineers focused on identifying weaknesses, vulnerabilities, and areas for improvement in real-world ...
Recently, I was in Brisbane to give a talk on JWT algorithm confusion vulnerabilities. During a conversation with my friend Luke ...
As we gear up for the new year, many of us reflect on how we can improve and grow. For those ...
Bug bounty hunting has become an exciting way to develop security skills, earn some extra income, and contribute to securing applications ...
Another great week! Enjoy! 💎 The Ruby on Rails _json Juggling Attack: Another fantastic article from Luke on The Ruby on Rails _json ...
My friend Luke recently published a great blog post titled: The Ruby on Rails _json Juggling Attack. Please make sure you ...
I've read the source code of many JWT libraries—some might say, too many. In doing so, I've seen patterns of both ...
Busy week! It seems like everyone is wrapping up their research for the year and sharing it with the world! 🌟🛠️ ...
After my recent article on CORS Vulnerabilities in Go: Vulnerable Patterns and Lessons, I started exploring similar issues in Rust. Interestingly, ...
If you read this blog regularly, you know that I like looking at CVEs. I do that to create labs and ...
When talking with aspiring hackers, bug bounty hunters, or application security engineers, it often feels that there’s some misunderstanding around encoding. ...
Only content from Australia and New Zealand this week! Is the rest of the world asleep? 💎 Ruby 3.4 Universal RCE Deserialization ...
Web hacking is a domain that rewards curiosity, persistence, and a hands-on approach to learning. To master the intricacies of web ...
If you want to take your web skills to the next level, one tool you really need to master is curl. ...
Busy week, some really interesting reads this week!! 🔍 Reverse Engineering iOS 18 Inactivity Reboot: A lot of people have been talking about ...
When I wrote the first lab on algorithm confusion, I remember spending a bit of time trying to find a vulnerable ...
Slow week, thankfully someone sent me a cool last-minute link! 🪲 Authenticated OS Command Injection in LibreNMS: An interesting chain of bugs to ...
When doing security code review, you sometimes come across infuriating code—code that appears to be vulnerable but isn't, due to unexpected ...
This week has been crazy with a lot of excellent content that should keep you busy for a while! Crypto, Sandboxes, ...
A notable threat in application security arises when applications execute commands within directories that may be under an attacker's influence. It's ...
This week, we’re excited to share a list of must-read research! It’s been a quiet but exciting week for Ruby hackers!❤️ ...
This week, we’re excited to share a list of must-read research! These are some of the most fascinating findings we’ve come ...
In the early days of software development, secure coding was indispensable in safeguarding applications against common security threats. Developers had to ...
In many sports and activities, deliberate practice is the key to improvement. Chess masters break down their training into openings, middle ...
In the world of application security and code review, there’s a misconception that the success of a review is measured solely ...
In a previous blog post titled "Hiring Your First AppSec Engineer", we discussed some key recommendations for hiring your first application ...
Recently, I was asked by a CISO for recommendations on hiring their first AppSec or product security professional. This sparked a ...
One of the things I enjoy doing is looking at CVEs. I find it a great way to learn about new ...
In today’s world, there is an overwhelming obsession with productivity. Efficiency is the gold standard, and procrastination is seen as the ...
This week, we are publishing a list of research worth reading! Make sure you check it out! ❤️ We Spent $20 ...
One of the classic examples of SQL Injection is using ' or 1=1 -- in a username to bypass the authentication ...
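As an added illustration of that classic bypass (example code written for this page, not code from the PentesterLab post itself), the snippet below builds a constructed in-memory SQLite `users` table and contrasts a login check that concatenates user input into the query with one that uses bound parameters. The table, the two accounts and the plaintext passwords are assumptions made purely for the demo; a real application would store password hashes.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo database: two users with (deliberately) plaintext passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def build_query_vulnerable(username: str, password: str) -> str:
    """String concatenation: user input is pasted straight into the SQL grammar."""
    return (
        "SELECT id FROM users WHERE username = '" + username + "' "
        "AND password = '" + password + "'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Authenticates if the concatenated query returns any row.

    With username = "' or 1=1 --" the WHERE clause becomes
    username = '' or 1=1 --' AND password = '...'
    so the password check is commented out and the first user matches.
    """
    row = conn.execute(build_query_vulnerable(username, password)).fetchone()
    return row is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: the input is always a string value, never SQL syntax."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


PAYLOAD = "' or 1=1 --"  # the classic bypass from the post, used as the username

if __name__ == "__main__":
    db = make_db()
    print(build_query_vulnerable(PAYLOAD, "anything"))
    print("vulnerable login with payload:", login_vulnerable(db, PAYLOAD, "anything"))
    print("parameterized login with payload:", login_safe(db, PAYLOAD, "anything"))
    print("parameterized login with real creds:", login_safe(db, "alice", "s3cret"))
```

Note that SQLite treats `--` as a comment to end of line without requiring a trailing space; MySQL needs `-- ` (with the space) or `#`, which is why the payload is often written with a space after the dashes.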
In the world of software development, the allure of writing clever code is strong. Developers, especially those who are highly skilled, ...
This week again, we are publishing a list of research worth reading! Make sure you check it out! ❤️ CVE Hunting ...
The discovery of a new bug or the analysis of a Common Vulnerabilities and Exposures (CVE) can often feel like a ...
This week again, we publish a list of research worth reading! Make sure you check it out! ❤️ BACK TO SCHOOL ...
I woke up this morning and saw that yet another certification is now available. You can now be "XYZ" certified! The ...
In the field of application security, two crucial types of training often come up: secure coding training and security code review ...
This week again, we publish a list of research worth reading! Make sure you check it out! ❤️ PHRACK IS BACK ...
One of the recurring questions I get during my Web Security Code Review Training is how to keep notes when multiple ...
This week again, we publish a list of research worth reading! Make sure you check it out! ❤️ We wrote the ...
Bad code reviewers use grep... well, good code reviewers use grep, but they are good code reviewers! You are probably not ...
When running our Web Security Code Review Training, I use an analogy on the difference between "They are French" and "They ...
This week again, we publish a list of research worth reading! Make sure you check it out! 🛠️ Gitxray: a security X-Ray ...
As a security engineer, and like many people in security, I prefer bulletproof solutions to patches that fix only half of ...
This week again, we publish a list of research worth reading! Not sure if it is the BlackHat/Defcon effect, but it ...
We are currently building our ORM Leak labs and found a quirk worth sharing. The goal of our labs is to ...
This week again, we publish a list of research worth reading! A lot of Java this week! 🔥 Let's Make & ...
When it comes to the security of programming languages, the conversation often revolves around memory safety and typing. These features, while ...
There’s been a lot of chatter about PHP being insecure, but as Luke Stephens points out in his article, "People who ...
This week again, we publish a list of research worth reading! 🔥 Unveiling TE.0 HTTP Request Smuggling This blog post provides ...
I think the hardest part for pentesters transitioning into security code review is going back to the low level of confidence ...
This week again, we publish a list of research worth reading! For the first time, we also make this content available ...
One effective way to accelerate your security code review or pentest is to understand what developers get for free! In this ...
In web hacking, scripting is a key skill that separates good hackers from great ones. If you follow top web hackers, ...
You wrote the perfect resume, the interview is going well! Now the classic “Do you have any questions for us?” is ...
When handling customer support for PentesterLab, we often get emails from people who can’t solve a challenge: “… I have been ...
In the world of hacking, the right tools can make all the difference. However, when you’re just starting out, it’s crucial ...
In every field, people eventually hit plateaux in their progression. Security code review is no different. In this article, we explore ...
Tell me a bit more about yourself? My name is Ryan Montgomery, also known in the cybersecurity world as 0day. I’ve been ...
JSON Web Tokens (JWT) are widely used for authentication in modern applications. As their use increases, so does the importance of ...
In this blog post, we are going to cover a strategy to help you get a job as a pentester or ...
Too often (me included), savvy code reviewers recommend getting started in code review by “Just reading code”, and that is ...
I recently found a small issue in some TLS clients. More precisely, it is more of a difference between what happens ...
After reading this blog post on a bug in Github and Unicode, I started playing more and more with Unicode (even ...
Every week, our twitter account @PentesterLab publishes a list of articles worth reading. This is the list of all the articles for ...
For a long time, I have been looking at solving a simple problem: be more efficient when scaling vulnerability research/bug hunting. ...
When building a Capture-The-Flag (for a conference), you need to have a good mix of very easy challenges and very hard ...
One of the common advice when trying to improve security at scale is to invest in QA. In this article, we ...
Since it’s something I’m really passionate about, I have decided to spend more time writing about application security at scale. Today ...
If you follow PentesterLab on Twitter, you probably saw the following tweet: Want to bypass WAF when exploiting CVE-2019-5418 ? curl ...
In this short article, I’m going to discuss the exploitability of CVE-2019-5420. Ruby-on-Rails offers three different environments ...
Tell me a bit more about yourself? Current occupation? Aspirations? Twitter? I run my own security business called Shea Information Security ...
One of the questions I often get asked is whether or not I recommend going to university/engineering school/… or to get ...
Tell me a bit more about yourself? Current occupation? Aspirations? I’ve been playing with computers for a while now, until I ...
Tell me a bit more about yourself? Current occupation? Aspirations? Twitter? I’m Robert Kugler (@robertchrk), a 22 year-old penetration tester & ...
Tell me a bit more about yourself? Current occupation? Aspirations? I started using PentesterLab at around 2014. At that point of ...
The HackIM 2018/NullCon CTF just wrapped up. PentesterLab wrote 3 challenges for this CTF: “JWT V” (web4) worth 200 points “JWT ...
At PentesterLab, we have been helping thousands of people become pentesters or better pentesters: with PentesterLab PRO offering for students/individuals/enterprises with ...
Since you now have the perfect resume, you are probably landing some interviews! We decided to put together some advice on how ...
One of the most common and potentially most painful tasks you will have to perform as a penetration tester is retesting. If ...
If you are familiar with PentesterLab, you may have looked into our Play XML Entities exercise. Recently, we decided to create ...
As a pentester, most clients will judge your work by the quality of your reports. Your resume is the best way ...
We put together some advice for new pentesters; we hope you will like them! Be precise: One of the key issues ...
Scoping is one of the most important parts of a penetration testing engagement as it will determine if you will be ...
Ensuring that your team stays up-to-date is a hard problem. The security field is always evolving and new vulnerabilities and attacks ...
Keeping notes is one of the key aspects of penetration testing. In this article I’m going to share some information on ...