Lightnews — Scholar-powered news

Reposted by PentesterLab

Christian @xntrik.wtf · 2d

Really awesome preso from @snyff.pentesterlab.com @pentesterlab.com over at BSides Perth. Jam packed with patterns, approaches, tips and tricks to level up finding bugs in code. #bsides #bsidesperth

1 2 2

PentesterLab @pentesterlab.com · May 4

The past few weeks have been quiet, but we’re back!

🛠️ deepwiki.com
🛠️ github.com/AsyncFuncAI/...
🪲 blog.trailofbits.com/2025/04/23/h...
🛠️ github.com/quarkslab/pr...
🛡️ hdm.io/decks/Charti...

DeepWiki | AI documentation you can talk to, for every repo

DeepWiki provides up-to-date documentation you can talk to, for every repo in the world. Think Deep Research for GitHub - powered by Devin.

deepwiki.com

3 5

PentesterLab @pentesterlab.com · Apr 20

Your face when you realize your next security code review is on a Clojure codebase...

1 1

PentesterLab @pentesterlab.com · Apr 6

Articles worth reading discovered last week:

🪲 labs.watchtowr.com/xss-to-rce-b...
🧩 gist.github.com/Panya/990b45...

#PentesterLabWeekly

XSS To RCE By Abusing Custom File Handlers - Kentico Xperience CMS (CVE-2025-2748)

We know what you’re waiting for - this isn’t it. Today, we’re back with more tales of our adventures in Kentico’s Xperience CMS. Due to it’s wide usage, the type of solution, and the types of enterpri...

labs.watchtowr.com

1 2

PentesterLab @pentesterlab.com · Mar 30

Two great pieces of content for this week:

🪲 www.wiz.io/blog/ingress...
🪲 zhero-web-sec.github.io/research-and...

#PentesterLabWeekly

Remote Code Execution Vulnerabilities in Ingress NGINX | Wiz Blog

Wiz Research uncovered RCE vulnerabilities (CVE-2025-1097, 1098, 24514, 1974) in Ingress NGINX for Kubernetes allowing cluster-wide secret access.

www.wiz.io

3 4

PentesterLab @pentesterlab.com · Mar 23

‼️ blog.doyensec.com/2025/03/18/e...
📨 workos.com/blog/samlstorm
🛤️ projectdiscovery.io/blog/discour...
☑️ labs.watchtowr.com/by-executive...
❤️ tmpout.sh/4/
🗼 labs.watchtowr.com/bypassing-au...  

Get our weekly news direct to your mailbox: pentesterlab.substack.com

!exploitable Episode Three - Devfile Adventures · Doyensec's Blog

!exploitable Episode Three - Devfile Adventures

blog.doyensec.com

2

PentesterLab @pentesterlab.com · Mar 20

If people spent as much time actually learning hacking as they do optimizing how to learn hacking, they’d be a lot better at it. Just start. Break things. Learn. Repeat.

4

PentesterLab @pentesterlab.com · Mar 16

We just released 3 new labs in our Golang Code Review Badge:

pentesterlab.com/badges/golan...

#golang

PentesterLab: Learn with our Golang Code Review Badge

The Golang Code Review Badge is our badge dedicated to code review in Golang. It covers the discovery of weaknesses and vulnerabilities using source code review.

pentesterlab.com

3 3

PentesterLab @pentesterlab.com · Mar 16

What a week! SAML&Ruby, PHP&XXE and so much more!

📨 github.blog/security/sig...
🧑🏻‍💻 seeinglogic.com/posts/visual...
🤯 swarm.ptsecurity.com/impossible-x...
😻 scrapco.de/blog/analysi...

More details in our blog: pentesterlab.com/blog/researc...

#PentesterLabWeekly

Sign in as anyone: Bypassing SAML SSO authentication with parser differentials

Critical authentication bypass vulnerabilities were discovered in ruby-saml up to version 1.17.0. See how they were uncovered.

github.blog

2 3

PentesterLab @pentesterlab.com · Mar 12

3 5

PentesterLab @pentesterlab.com · Mar 9

Articles worth reading discovered last week:

💎 www.elttam.com/blog/rails-s...
﹟ afine.com/understandin...
🪲 slcyber.io/blog/sitecor...

For more details, check out our blog:
pentesterlab.com/blog/researc...

New Method to Leverage Unsafe Reflection and Deserialisation to RCE on Rails - elttamNew Method to Leverage Unsafe Reflection and Deserialisation to RCE on Rails - elttam

elttam is a globally recognised, independent information security company, renowned for our advanced technical security assessments.

www.elttam.com

2

PentesterLab @pentesterlab.com · Mar 2

Want to prove your API hacking skills?

Earn the PentesterLab API badge!

Hands-on labs designed to test and improve your ability to find and exploit API vulnerabilities.

https://pentesterlab.com/badges/api

PentesterLab: API Badge

The API badge is our set of exercises created to help you learn API testing. The first few challenges are based on challenges you already solved to get you more confident with API testing and review your knowledge and methodology. Then, harder challenges are provided to get you to the next level.

pentesterlab.com

3

PentesterLab @pentesterlab.com · Feb 24

AI-generated code is reshaping secure code review—fewer trivial bugs, but more hidden threats.

Read more in our new blog post:

pentesterlab.com/blog/secure-...

What do you think?

How AI-Generated Code Is Changing Secure Code Review

Learn how AI-generated code impacts secure code review and application security. Discover why AI excels at catching common vulnerabilities but needs human expertise for complex bugs.

pentesterlab.com

1

PentesterLab @pentesterlab.com · Feb 17

Articles worth reading discovered last week:

📚 mizu.re/post/explori...
☁️ devanshbatham.hashnode.dev/fragility-of...
🫙 www.wiz.io/blog/nvidia-...
🐍 www.reversinglabs.com/blog/rl-iden...
🎥 brutecat.com/articles/lea...

Exploring the DOMPurify library: Hunting for Misconfigurations (2/2). Tags:Article - Article - Web - mXSS

Exploring the DOMPurify library: Hunting for Misconfigurations (2/2)

mizu.re

5 7

PentesterLab @pentesterlab.com · Feb 13

Think teaching devs to hack is risky?

In reality, a bit of hacking knowledge helps them spot vulnerabilities early and build stronger apps.

Discover why having devs with a 'hacker mindset' is a win for security:

pentesterlab.com/blog/why-dev...

I Don’t Want My Devs to Become Hackers! - PentesterLab's Blog

Discover why encouraging developers to learn ethical hacking boosts security, reduces bugs, and fosters a proactive security culture in your organization.

pentesterlab.com

1 2

PentesterLab @pentesterlab.com · Feb 3

🚨 Just launched: Two brand-new API Mass Assignment labs!

Ready to level up your #API hacking skills? Dive into realistic scenarios & learn how to exploit hidden parameters:

1️⃣ API Mass Assignment 01
2️⃣ API Mass Assignment 02

pentesterlab.com/badges/api/

PentesterLab: Learn with our API Badge

The API badge is our set of exercises created to help you learn API testing. The first few challenges are based on challenges you already solved to get you more confident with API testing and review y...

pentesterlab.com

1 2 5

PentesterLab @pentesterlab.com · Feb 2

Articles worth reading discovered last week:

🤝 blog.doyensec.com/2025/01/30/o...
☠️ www.feistyduck.com/newsletter/i...
📚 pathonproject.com/zb/?871f0933...

And as always, it’s in our blog: pentesterlab.com/blog/researc...

#PentesterLabWeekly

Common OAuth Vulnerabilities · Doyensec's Blog

Common OAuth Vulnerabilities

blog.doyensec.com

3 6

Reposted by PentesterLab

Louis Nyffenegger @snyff.pentesterlab.com · Jan 29

I’m excited to share that in a few weeks I’ll be heading to the US for a series of talks and workshops focused on security code review and JWT—and I’ll be bringing some
@pentesterlab.com swag along too!

1 2 5

PentesterLab @pentesterlab.com · Jan 28

Invariants + Short Feedback Loops = your secret weapon 🛡️ in web hacking & exploit dev!   

Validate assumptions locally, iterate fast ⚡, and say goodbye to endless 10-minute test cycles ⏱️. 

Master these two techniques and watch your productivity skyrocket 🚀 :

pentesterlab.com/blog/invaria...

Learn Web Pentesting: Invariants and Feedback Loops

Learn Web Pentesting techniques by leveraging invariants and short feedback loops to efficiently crack MongoDB IDOR and enhance your security skills.

pentesterlab.com

3 4

PentesterLab @pentesterlab.com · Jan 27

Jumping straight into “full exploitation” can lead to confusion and missed bugs.

Instead, focus on minimal, incremental changes to isolate vulnerabilities. It’s a simple shift that reduces false negatives and clarifies which step triggers the bug.

pentesterlab.com/blog/minimal...

Minimal Changes Vulnerability Testing: Why Less is More in Security

Discover how a systematic, minimal-change approach to vulnerability testing can expose weaknesses that full-exploitation attempts often overlook. By making only small, essential adjustments, you reduc...

pentesterlab.com

PentesterLab @pentesterlab.com · Jan 27

Articles worth reading discovered last week:

🎮 ssno.cc/posts/revers...
👾 github.blog/security/vul...
🎹 psi3.ru/blog/swl01u/
🚗 samcurry.net/hacking-subaru
📚 pathonproject.com/zb/?f4f3382a...

#PentesterLabWeekly

Reverse Engineering Call Of Duty Anti-Cheat

I’ve been reversing Black Ops Cold War for a while now, and I’ve finally decided to share my research regarding the user-mode anti-cheat inside the game. It’s not my intention to shame or promote chea...

ssno.cc

1 2

PentesterLab @pentesterlab.com · Jan 25

🚀 Level up your #CyberSecurity skills FOR FREE! 🛡️

Earn the Recon Badge with Pentesterlab and master: 🔍 Virtual Hosts 🌐 DNS Recon 🔒 TLS Recon ...and so much more!

Start your journey today
👉 pentesterlab.com/badges/recon

PentesterLab: Learn with our Recon Badge

The Recon badge is our set of exercises created to help you learn Reconnaissance. From findings usual files down to DNS and TLS exploration, this badge will help you get better at finding new targets

pentesterlab.com

2 2

PentesterLab @pentesterlab.com · Jan 23

🚨 3 new MongoDB IDOR labs are live! 🚨

Learn how to understand and predict MongoDB's ObjectId. Perfect for pentesters, appsec engineers, and devs looking to level up their security skills!

Start learning now: pentesterlab.com/badges/api/

PentesterLab: Learn with our API Badge

The API badge is our set of exercises created to help you learn API testing. The first few challenges are based on challenges you already solved to get you more confident with API testing and review y...

pentesterlab.com

1 3

PentesterLab @pentesterlab.com · Jan 11

Networking in InfoSec isn’t just about IP addresses and ports—it’s also about people!

Discover how meetups, conferences, and volunteering can open big career doors in InfoSec.

Read more: pentesterlab.com/blog/infosec...

Networking but not TCP/IP - PentesterLab's Blog

Discover how building real-world connections in the InfoSec community can accelerate your journey into pentesting and cybersecurity. From local meetups and conferences to online communities, this guid...

pentesterlab.com

3 11

PentesterLab @pentesterlab.com · Jan 7

Scoping a security code review? Don’t fall into these traps:
🚫 Too little time = missed issues
🚫 Too much time = wasted resources

Learn how to balance depth, coverage & cost while delivering tailored artefacts like SAST rules for long-term security.
🔗 pentesterlab.com/blog/scoping...

Scoping a Security Code Review - PentesterLab's Blog

Learn how to scope a security code review effectively to balance depth, coverage, and cost. Discover key strategies to identify vulnerabilities and deliver value-driven results.

pentesterlab.com

1 2