PentesterLab
@pentesterlab.com
We make learning web hacking and security easier. Online systems, code review, videos & courses that can be used to understand, test and exploit bugs!
Research Worth Reading Week 49/2025:
⏰ Introducing constant-time support for LLVM to protect cryptographic code
Trail of Bits explains their work on adding constant-time support to LLVM so that compiled cryptographic code remains constant-time: blog.trailofbits.com/2025/12/02/i...
⏰ Introducing constant-time support for LLVM to protect cryptographic code
Trail of Bits explains their work on adding constant-time support to LLVM so that compiled cryptographic code remains constant-time: blog.trailofbits.com/2025/12/02/i...
Introducing constant-time support for LLVM to protect cryptographic code
Trail of Bits developed constant-time coding support for LLVM that prevents compilers from breaking cryptographic implementations vulnerable to timing attacks, introducing the __builtin_ct_select fami...
blog.trailofbits.com
December 7, 2025 at 10:45 PM
Research Worth Reading Week 49/2025:
⏰ Introducing constant-time support for LLVM to protect cryptographic code
Trail of Bits explains their work on adding constant-time support to LLVM so that compiled cryptographic code remains constant-time: blog.trailofbits.com/2025/12/02/i...
⏰ Introducing constant-time support for LLVM to protect cryptographic code
Trail of Bits explains their work on adding constant-time support to LLVM so that compiled cryptographic code remains constant-time: blog.trailofbits.com/2025/12/02/i...
Black Friday at @pentesterlab.com 🧨
For a limited time:
🔒 1 year of PRO for $146.52
🎓 Student special: 3 months PRO for $25.99
Hands-on labs. Real CVEs. Security code review training used by real AppSec & pentest teams.
⏰ Offer ends 2 Dec 2025, 23:59:59 UTC
👉 pentesterlab.com/pro
For a limited time:
🔒 1 year of PRO for $146.52
🎓 Student special: 3 months PRO for $25.99
Hands-on labs. Real CVEs. Security code review training used by real AppSec & pentest teams.
⏰ Offer ends 2 Dec 2025, 23:59:59 UTC
👉 pentesterlab.com/pro
November 27, 2025 at 10:06 PM
Black Friday at @pentesterlab.com 🧨
For a limited time:
🔒 1 year of PRO for $146.52
🎓 Student special: 3 months PRO for $25.99
Hands-on labs. Real CVEs. Security code review training used by real AppSec & pentest teams.
⏰ Offer ends 2 Dec 2025, 23:59:59 UTC
👉 pentesterlab.com/pro
For a limited time:
🔒 1 year of PRO for $146.52
🎓 Student special: 3 months PRO for $25.99
Hands-on labs. Real CVEs. Security code review training used by real AppSec & pentest teams.
⏰ Offer ends 2 Dec 2025, 23:59:59 UTC
👉 pentesterlab.com/pro
Added 3 new Java CVEs to our Java Code Review Badge!
Now at 64 real-world labs to sharpen your Java code review skills.
Try them here: pentesterlab.com/badges/java-...
More CVEs coming soon 👀🔥
Now at 64 real-world labs to sharpen your Java code review skills.
Try them here: pentesterlab.com/badges/java-...
More CVEs coming soon 👀🔥
PentesterLab: Learn with our Java Code Review Badge
The Java Code Review Badge is our badge dedicated to code review in Java. It covers the discovery of weaknesses and vulnerabilities using source code review.
pentesterlab.com
November 21, 2025 at 6:25 AM
Added 3 new Java CVEs to our Java Code Review Badge!
Now at 64 real-world labs to sharpen your Java code review skills.
Try them here: pentesterlab.com/badges/java-...
More CVEs coming soon 👀🔥
Now at 64 real-world labs to sharpen your Java code review skills.
Try them here: pentesterlab.com/badges/java-...
More CVEs coming soon 👀🔥
Articles worth reading discovered last week:
📲 security.googleblog.com/2025/11/rust...
📸 www.pixnapping.com
🧩 www.praetorian.com/blog/how-i-f...
🤖 buganizer.cc/hacking-gemi...
📲 security.googleblog.com/2025/11/rust...
📸 www.pixnapping.com
🧩 www.praetorian.com/blog/how-i-f...
🤖 buganizer.cc/hacking-gemi...
Rust in Android: move fast and fix things
Posted by Jeff Vander Stoep, Android Last year, we wrote about why a memory safety strategy that focuses on vulnerability prevention in ...
security.googleblog.com
November 16, 2025 at 11:23 PM
Articles worth reading discovered last week:
📲 security.googleblog.com/2025/11/rust...
📸 www.pixnapping.com
🧩 www.praetorian.com/blog/how-i-f...
🤖 buganizer.cc/hacking-gemi...
📲 security.googleblog.com/2025/11/rust...
📸 www.pixnapping.com
🧩 www.praetorian.com/blog/how-i-f...
🤖 buganizer.cc/hacking-gemi...
Reposted by PentesterLab
November 7, 2025 at 11:39 PM
Research to read this week: Android, Django, MCP…
🤖 knifecoat.com/Posts/Runtim...
🐍 www.endorlabs.com/learn/critic...
🌽 googleprojectzero.blogspot.com/2025/11/defe...
🤖 medium.com/@kulkan-secu...
🧑🏻💻 words.filippo.io/claude-debug...
#PentesterLabWeekly
🤖 knifecoat.com/Posts/Runtim...
🐍 www.endorlabs.com/learn/critic...
🌽 googleprojectzero.blogspot.com/2025/11/defe...
🤖 medium.com/@kulkan-secu...
🧑🏻💻 words.filippo.io/claude-debug...
#PentesterLabWeekly
Runtime Android Object Instrumentation - KnifeCoat
Intro This year I have been doing quite a bit Android userland analysis. Android is a wonderful platform to work on, great decompiler support (JEB), easy access to rooted devices (unless you buy NA l…
knifecoat.com
November 9, 2025 at 11:37 PM
Research to read this week: Android, Django, MCP…
🤖 knifecoat.com/Posts/Runtim...
🐍 www.endorlabs.com/learn/critic...
🌽 googleprojectzero.blogspot.com/2025/11/defe...
🤖 medium.com/@kulkan-secu...
🧑🏻💻 words.filippo.io/claude-debug...
#PentesterLabWeekly
🤖 knifecoat.com/Posts/Runtim...
🐍 www.endorlabs.com/learn/critic...
🌽 googleprojectzero.blogspot.com/2025/11/defe...
🤖 medium.com/@kulkan-secu...
🧑🏻💻 words.filippo.io/claude-debug...
#PentesterLabWeekly
Reposted by PentesterLab
Don't just look at bad code
Know what good looks like!
@pentesterlab.com
#Kawaiicon @kawaiicon.bsky.social
Know what good looks like!
@pentesterlab.com
#Kawaiicon @kawaiicon.bsky.social
November 7, 2025 at 11:40 PM
Don't just look at bad code
Know what good looks like!
@pentesterlab.com
#Kawaiicon @kawaiicon.bsky.social
Know what good looks like!
@pentesterlab.com
#Kawaiicon @kawaiicon.bsky.social
Articles worth reading discovered last week: Passports, WIFI and AI-SAST!
🛂 blog.trailofbits.com/2025/10/31/t...
🛜 pulsesecurity.co.nz/articles/byp...
🧠 parsiya.net/blog/wtf-is-...
🛂 blog.trailofbits.com/2025/10/31/t...
🛜 pulsesecurity.co.nz/articles/byp...
🧠 parsiya.net/blog/wtf-is-...
The cryptography behind electronic passports
This blog post describes how electronic passports work, the threats within their threat model, and how they protect against those threats using cryptography. It also discusses the implications of usin...
blog.trailofbits.com
November 2, 2025 at 10:51 PM
Articles worth reading discovered last week: Passports, WIFI and AI-SAST!
🛂 blog.trailofbits.com/2025/10/31/t...
🛜 pulsesecurity.co.nz/articles/byp...
🧠 parsiya.net/blog/wtf-is-...
🛂 blog.trailofbits.com/2025/10/31/t...
🛜 pulsesecurity.co.nz/articles/byp...
🧠 parsiya.net/blog/wtf-is-...
Reposted by PentesterLab
Yeah @nastystereo.com I think you and @pentesterlab.com would get along just fine collabbing. 👀
October 30, 2025 at 12:42 AM
Yeah @nastystereo.com I think you and @pentesterlab.com would get along just fine collabbing. 👀
Reposted by PentesterLab
Upgrading the designer bag with a necessary accessory @pentesterlab.com
October 30, 2025 at 11:32 PM
Upgrading the designer bag with a necessary accessory @pentesterlab.com
🚨 New labs just dropped!
3 new Python Code Review labs are now live on PentesterLab 🐍
Learn to spot subtle bugs and insecure patterns by reading real Python code.
🎯 pentesterlab.com/badges/python-code-review
#Python #AppSec #CodeReview #PentesterLab
3 new Python Code Review labs are now live on PentesterLab 🐍
Learn to spot subtle bugs and insecure patterns by reading real Python code.
🎯 pentesterlab.com/badges/python-code-review
#Python #AppSec #CodeReview #PentesterLab
PentesterLab: Learn with our Python Code Review Badge
The Python Code Review Badge is our badge dedicated to code review in Python. It covers the discovery of weaknesses and vulnerabilities using source code review.
pentesterlab.com
October 28, 2025 at 3:37 AM
🚨 New labs just dropped!
3 new Python Code Review labs are now live on PentesterLab 🐍
Learn to spot subtle bugs and insecure patterns by reading real Python code.
🎯 pentesterlab.com/badges/python-code-review
#Python #AppSec #CodeReview #PentesterLab
3 new Python Code Review labs are now live on PentesterLab 🐍
Learn to spot subtle bugs and insecure patterns by reading real Python code.
🎯 pentesterlab.com/badges/python-code-review
#Python #AppSec #CodeReview #PentesterLab
Reposted by PentesterLab
Really awesome preso from @snyff.pentesterlab.com @pentesterlab.com over at BSides Perth. Jam packed with patterns, approaches, tips and tricks to level up finding bugs in code. #bsides #bsidesperth
October 19, 2025 at 2:33 AM
Really awesome preso from @snyff.pentesterlab.com @pentesterlab.com over at BSides Perth. Jam packed with patterns, approaches, tips and tricks to level up finding bugs in code. #bsides #bsidesperth
The past few weeks have been quiet, but we’re back!
🛠️ deepwiki.com
🛠️ github.com/AsyncFuncAI/...
🪲 blog.trailofbits.com/2025/04/23/h...
🛠️ github.com/quarkslab/pr...
🛡️ hdm.io/decks/Charti...
🛠️ deepwiki.com
🛠️ github.com/AsyncFuncAI/...
🪲 blog.trailofbits.com/2025/04/23/h...
🛠️ github.com/quarkslab/pr...
🛡️ hdm.io/decks/Charti...
DeepWiki | AI documentation you can talk to, for every repo
DeepWiki provides up-to-date documentation you can talk to, for every repo in the world. Think Deep Research for GitHub - powered by Devin.
deepwiki.com
May 4, 2025 at 10:37 PM
The past few weeks have been quiet, but we’re back!
🛠️ deepwiki.com
🛠️ github.com/AsyncFuncAI/...
🪲 blog.trailofbits.com/2025/04/23/h...
🛠️ github.com/quarkslab/pr...
🛡️ hdm.io/decks/Charti...
🛠️ deepwiki.com
🛠️ github.com/AsyncFuncAI/...
🪲 blog.trailofbits.com/2025/04/23/h...
🛠️ github.com/quarkslab/pr...
🛡️ hdm.io/decks/Charti...
Your face when you realize your next security code review is on a Clojure codebase...
April 20, 2025 at 11:10 PM
Your face when you realize your next security code review is on a Clojure codebase...
Articles worth reading discovered last week:
🪲 labs.watchtowr.com/xss-to-rce-b...
🧩 gist.github.com/Panya/990b45...
#PentesterLabWeekly
🪲 labs.watchtowr.com/xss-to-rce-b...
🧩 gist.github.com/Panya/990b45...
#PentesterLabWeekly
XSS To RCE By Abusing Custom File Handlers - Kentico Xperience CMS (CVE-2025-2748)
We know what you’re waiting for - this isn’t it. Today, we’re back with more tales of our adventures in Kentico’s Xperience CMS. Due to it’s wide usage, the type of solution, and the types of enterpri...
labs.watchtowr.com
April 6, 2025 at 9:54 PM
Articles worth reading discovered last week:
🪲 labs.watchtowr.com/xss-to-rce-b...
🧩 gist.github.com/Panya/990b45...
#PentesterLabWeekly
🪲 labs.watchtowr.com/xss-to-rce-b...
🧩 gist.github.com/Panya/990b45...
#PentesterLabWeekly
Two great pieces of content for this week:
🪲 www.wiz.io/blog/ingress...
🪲 zhero-web-sec.github.io/research-and...
#PentesterLabWeekly
🪲 www.wiz.io/blog/ingress...
🪲 zhero-web-sec.github.io/research-and...
#PentesterLabWeekly
Remote Code Execution Vulnerabilities in Ingress NGINX | Wiz Blog
Wiz Research uncovered RCE vulnerabilities (CVE-2025-1097, 1098, 24514, 1974) in Ingress NGINX for Kubernetes allowing cluster-wide secret access.
www.wiz.io
March 30, 2025 at 9:33 PM
Two great pieces of content for this week:
🪲 www.wiz.io/blog/ingress...
🪲 zhero-web-sec.github.io/research-and...
#PentesterLabWeekly
🪲 www.wiz.io/blog/ingress...
🪲 zhero-web-sec.github.io/research-and...
#PentesterLabWeekly
‼️ blog.doyensec.com/2025/03/18/e...
📨 workos.com/blog/samlstorm
🛤️ projectdiscovery.io/blog/discour...
☑️ labs.watchtowr.com/by-executive...
❤️ tmpout.sh/4/
🗼 labs.watchtowr.com/bypassing-au...
Get our weekly news direct to your mailbox: pentesterlab.substack.com
📨 workos.com/blog/samlstorm
🛤️ projectdiscovery.io/blog/discour...
☑️ labs.watchtowr.com/by-executive...
❤️ tmpout.sh/4/
🗼 labs.watchtowr.com/bypassing-au...
Get our weekly news direct to your mailbox: pentesterlab.substack.com
!exploitable Episode Three - Devfile Adventures · Doyensec's Blog
!exploitable Episode Three - Devfile Adventures
blog.doyensec.com
March 23, 2025 at 10:00 PM
‼️ blog.doyensec.com/2025/03/18/e...
📨 workos.com/blog/samlstorm
🛤️ projectdiscovery.io/blog/discour...
☑️ labs.watchtowr.com/by-executive...
❤️ tmpout.sh/4/
🗼 labs.watchtowr.com/bypassing-au...
Get our weekly news direct to your mailbox: pentesterlab.substack.com
📨 workos.com/blog/samlstorm
🛤️ projectdiscovery.io/blog/discour...
☑️ labs.watchtowr.com/by-executive...
❤️ tmpout.sh/4/
🗼 labs.watchtowr.com/bypassing-au...
Get our weekly news direct to your mailbox: pentesterlab.substack.com
If people spent as much time actually learning hacking as they do optimizing how to learn hacking, they’d be a lot better at it. Just start. Break things. Learn. Repeat.
March 20, 2025 at 9:18 AM
If people spent as much time actually learning hacking as they do optimizing how to learn hacking, they’d be a lot better at it. Just start. Break things. Learn. Repeat.
What a week! SAML&Ruby, PHP&XXE and so much more!
📨 github.blog/security/sig...
🧑🏻💻 seeinglogic.com/posts/visual...
🤯 swarm.ptsecurity.com/impossible-x...
😻 scrapco.de/blog/analysi...
More details in our blog: pentesterlab.com/blog/researc...
#PentesterLabWeekly
📨 github.blog/security/sig...
🧑🏻💻 seeinglogic.com/posts/visual...
🤯 swarm.ptsecurity.com/impossible-x...
😻 scrapco.de/blog/analysi...
More details in our blog: pentesterlab.com/blog/researc...
#PentesterLabWeekly
Sign in as anyone: Bypassing SAML SSO authentication with parser differentials
Critical authentication bypass vulnerabilities were discovered in ruby-saml up to version 1.17.0. See how they were uncovered.
github.blog
March 16, 2025 at 10:22 PM
What a week! SAML&Ruby, PHP&XXE and so much more!
📨 github.blog/security/sig...
🧑🏻💻 seeinglogic.com/posts/visual...
🤯 swarm.ptsecurity.com/impossible-x...
😻 scrapco.de/blog/analysi...
More details in our blog: pentesterlab.com/blog/researc...
#PentesterLabWeekly
📨 github.blog/security/sig...
🧑🏻💻 seeinglogic.com/posts/visual...
🤯 swarm.ptsecurity.com/impossible-x...
😻 scrapco.de/blog/analysi...
More details in our blog: pentesterlab.com/blog/researc...
#PentesterLabWeekly
Articles worth reading discovered last week:
💎 www.elttam.com/blog/rails-s...
﹟ afine.com/understandin...
🪲 slcyber.io/blog/sitecor...
For more details, check out our blog:
pentesterlab.com/blog/researc...
💎 www.elttam.com/blog/rails-s...
﹟ afine.com/understandin...
🪲 slcyber.io/blog/sitecor...
For more details, check out our blog:
pentesterlab.com/blog/researc...
New Method to Leverage Unsafe Reflection and Deserialisation to RCE on Rails - elttamNew Method to Leverage Unsafe Reflection and Deserialisation to RCE on Rails - elttam
elttam is a globally recognised, independent information security company, renowned for our advanced technical security assessments.
www.elttam.com
March 9, 2025 at 10:19 PM
Articles worth reading discovered last week:
💎 www.elttam.com/blog/rails-s...
﹟ afine.com/understandin...
🪲 slcyber.io/blog/sitecor...
For more details, check out our blog:
pentesterlab.com/blog/researc...
💎 www.elttam.com/blog/rails-s...
﹟ afine.com/understandin...
🪲 slcyber.io/blog/sitecor...
For more details, check out our blog:
pentesterlab.com/blog/researc...
Want to prove your API hacking skills?
Earn the PentesterLab API badge!
Hands-on labs designed to test and improve your ability to find and exploit API vulnerabilities.
https://pentesterlab.com/badges/api
Earn the PentesterLab API badge!
Hands-on labs designed to test and improve your ability to find and exploit API vulnerabilities.
https://pentesterlab.com/badges/api
PentesterLab: API Badge
The API badge is our set of exercises created to help you learn API testing. The first few challenges are based on challenges you already solved to get you more confident with API testing and review your knowledge and methodology. Then, harder challenges are provided to get you to the next level.
pentesterlab.com
March 2, 2025 at 4:47 AM
Want to prove your API hacking skills?
Earn the PentesterLab API badge!
Hands-on labs designed to test and improve your ability to find and exploit API vulnerabilities.
https://pentesterlab.com/badges/api
Earn the PentesterLab API badge!
Hands-on labs designed to test and improve your ability to find and exploit API vulnerabilities.
https://pentesterlab.com/badges/api
AI-generated code is reshaping secure code review—fewer trivial bugs, but more hidden threats.
Read more in our new blog post:
pentesterlab.com/blog/secure-...
What do you think?
Read more in our new blog post:
pentesterlab.com/blog/secure-...
What do you think?
How AI-Generated Code Is Changing Secure Code Review
Learn how AI-generated code impacts secure code review and application security. Discover why AI excels at catching common vulnerabilities but needs human expertise for complex bugs.
pentesterlab.com
February 24, 2025 at 10:49 PM
AI-generated code is reshaping secure code review—fewer trivial bugs, but more hidden threats.
Read more in our new blog post:
pentesterlab.com/blog/secure-...
What do you think?
Read more in our new blog post:
pentesterlab.com/blog/secure-...
What do you think?
Articles worth reading discovered last week:
📚 mizu.re/post/explori...
☁️ devanshbatham.hashnode.dev/fragility-of...
🫙 www.wiz.io/blog/nvidia-...
🐍 www.reversinglabs.com/blog/rl-iden...
🎥 brutecat.com/articles/lea...
📚 mizu.re/post/explori...
☁️ devanshbatham.hashnode.dev/fragility-of...
🫙 www.wiz.io/blog/nvidia-...
🐍 www.reversinglabs.com/blog/rl-iden...
🎥 brutecat.com/articles/lea...
Exploring the DOMPurify library: Hunting for Misconfigurations (2/2). Tags:Article - Article - Web - mXSS
Exploring the DOMPurify library: Hunting for Misconfigurations (2/2)
mizu.re
February 17, 2025 at 2:58 AM
Articles worth reading discovered last week:
📚 mizu.re/post/explori...
☁️ devanshbatham.hashnode.dev/fragility-of...
🫙 www.wiz.io/blog/nvidia-...
🐍 www.reversinglabs.com/blog/rl-iden...
🎥 brutecat.com/articles/lea...
📚 mizu.re/post/explori...
☁️ devanshbatham.hashnode.dev/fragility-of...
🫙 www.wiz.io/blog/nvidia-...
🐍 www.reversinglabs.com/blog/rl-iden...
🎥 brutecat.com/articles/lea...