Lightnews — Scholar-powered news

Louis Nyffenegger @snyff.pentesterlab.com · Apr 20

I’ve spent 2 solid hours doing bug bounty and I still haven’t made $200k.

Can someone tell me what I’m doing wrong?

#bugbountytips

1 4

Reposted by Louis Nyffenegger

PentesterLab @pentesterlab.com · Feb 24

AI-generated code is reshaping secure code review—fewer trivial bugs, but more hidden threats.

Read more in our new blog post:

pentesterlab.com/blog/secure-...

What do you think?

How AI-Generated Code Is Changing Secure Code Review

Learn how AI-generated code impacts secure code review and application security. Discover why AI excels at catching common vulnerabilities but needs human expertise for complex bugs.

pentesterlab.com

1

Reposted by Louis Nyffenegger

PentesterLab @pentesterlab.com · Feb 13

Think teaching devs to hack is risky?

In reality, a bit of hacking knowledge helps them spot vulnerabilities early and build stronger apps.

Discover why having devs with a 'hacker mindset' is a win for security:

pentesterlab.com/blog/why-dev...

I Don’t Want My Devs to Become Hackers! - PentesterLab's Blog

Discover why encouraging developers to learn ethical hacking boosts security, reduces bugs, and fosters a proactive security culture in your organization.

pentesterlab.com

1 2

Louis Nyffenegger @snyff.pentesterlab.com · Feb 7

From now on, I'll call any snippet of vulnerable code shared on Social Media as

"Security Code Review Porn"

It gives the wrong expectations about what real code review actually involves.

4

Reposted by Louis Nyffenegger

PentesterLab @pentesterlab.com · Feb 2

Articles worth reading discovered last week:

🤝 blog.doyensec.com/2025/01/30/o...
☠️ www.feistyduck.com/newsletter/i...
📚 pathonproject.com/zb/?871f0933...

And as always, it’s in our blog: pentesterlab.com/blog/researc...

#PentesterLabWeekly

Common OAuth Vulnerabilities · Doyensec's Blog

Common OAuth Vulnerabilities

blog.doyensec.com

3 6

Louis Nyffenegger @snyff.pentesterlab.com · Jan 29

If you’re in the area, here’s my schedule:
* OWASP Bay Area (Feb 11)
* CactusCon in Mesa/Phoenix (Feb 14 & 15)
* OWASP Los Angeles (Feb 18)
* OWASP Orange County (Feb 20)

I’d love to connect—if you’re nearby, please stop by and say hello (and maybe grab some swag)!

Louis Nyffenegger @snyff.pentesterlab.com · Jan 29

I’m excited to share that in a few weeks I’ll be heading to the US for a series of talks and workshops focused on security code review and JWT—and I’ll be bringing some
@pentesterlab.com swag along too!

1 2 5

Louis Nyffenegger @snyff.pentesterlab.com · Jan 28

1 9

Reposted by Louis Nyffenegger

PentesterLab @pentesterlab.com · Jan 25

🚀 Level up your #CyberSecurity skills FOR FREE! 🛡️

Earn the Recon Badge with Pentesterlab and master: 🔍 Virtual Hosts 🌐 DNS Recon 🔒 TLS Recon ...and so much more!

Start your journey today
👉 pentesterlab.com/badges/recon

PentesterLab: Learn with our Recon Badge

The Recon badge is our set of exercises created to help you learn Reconnaissance. From findings usual files down to DNS and TLS exploration, this badge will help you get better at finding new targets

pentesterlab.com

2 2

Louis Nyffenegger @snyff.pentesterlab.com · Jan 22

...

1 2

Reposted by Louis Nyffenegger

PentesterLab @pentesterlab.com · Jan 11

Networking in InfoSec isn’t just about IP addresses and ports—it’s also about people!

Discover how meetups, conferences, and volunteering can open big career doors in InfoSec.

Read more: pentesterlab.com/blog/infosec...

Networking but not TCP/IP - PentesterLab's Blog

Discover how building real-world connections in the InfoSec community can accelerate your journey into pentesting and cybersecurity. From local meetups and conferences to online communities, this guid...

pentesterlab.com

3 11

Louis Nyffenegger @snyff.pentesterlab.com · Jan 5

Someone shared this write-up in the @pentesterlab.com 's discord:

www.wiz.io/blog/nuclei-...

I love this article so much! The content and the analysis are A+

I really like the 🚩 (very similar to pentesterlab.com/blog/another...)

A Signature Verification Bypass in Nuclei (CVE-2024-43405) | Wiz Blog

Wiz's engineering team discovered a high-severity signature verification bypass in Nuclei which could potentially lead to arbitrary code execution.

www.wiz.io

8

Reposted by Louis Nyffenegger

joern @jrn.bsky.social · Jan 4

Have a great weekend and enjoy some tunes:

youtu.be/j_Md8_7mhOU

joernchen - Friday 13th @ 1°C

YouTube video by Tiny Club Berlin

youtu.be

2 3 6

Reposted by Louis Nyffenegger

PentesterLab @pentesterlab.com · Dec 31

If your New Year’s resolution is to get better at web security code review, don’t miss our upcoming live training. Learn how to find vulnerabilities and strengthen your skills:

pentesterlab.gumroad.com

Subscribe to PentesterLab on Gumroad

PentesterLab is an easy and great way to learn security code review and penetration testing. We provide vulnerable systems that can be used to test and understand vulnerabilities.

pentesterlab.gumroad.com

2 3

Louis Nyffenegger @snyff.pentesterlab.com · Dec 31

Happy New Year!

pentesterlab.com/gift/xDzcB35... (3-month)
pentesterlab.com/gift/UBMtCsi... (3-month)
pentesterlab.com/gift/BWEYEme... (3-month)

Learn Web Penetration Testing: The Right Way

pentesterlab.com

1 2

Louis Nyffenegger @snyff.pentesterlab.com · Dec 30

Golang: because hackers haven’t given up on SQL injection in 2024...

1 1 11

Louis Nyffenegger @snyff.pentesterlab.com · Dec 24

🎅

pentesterlab.com/gift/v5kegJq... (3-month)
pentesterlab.com/gift/4VG6RYU... (3-month)
pentesterlab.com/gift/lsgfEwJ... (3-month)

Learn Web Penetration Testing: The Right Way

pentesterlab.com

2 3 9

Louis Nyffenegger @snyff.pentesterlab.com · Dec 23

Thank you! ☺️☺️☺️

1

Louis Nyffenegger @snyff.pentesterlab.com · Dec 18

Someone replied that I had the wrong handle for James, I fixed it but I cannot find the original message.

Thanks to whoever raised it.

1 1

Louis Nyffenegger @snyff.pentesterlab.com · Dec 18

I put together a VERY limited (for now) list of web hackers in a Starter pack:

go.bsky.app/9uay4Ad

A lot of people are missing (I will try to add more as I find them) but make sure you follow people already in the list!

3 14 31

Reposted by Louis Nyffenegger

Bug Bounty Reports Explained @gregxsunday.bsky.social · Dec 16

Cross-Site POST Requests Without a Content-Type Header by @lukejahnke
https://nastystereo.com/security/cross-site-post-without-content-type.html
#BBRENewsletter85

1 2

Reposted by Louis Nyffenegger

Dominique Righetto @righettod.eu · Dec 14

❤It is why I am a huge fan and student of @pentesterlab.com and @snyff.pentesterlab.com
😱This lab show me that I was wrong, since several years, recommending to dev teams using a hash of the token as identifier in a revocation list.
🥰Now, I know the correct recommendation to provide.
#appsec #jwt

PentesterLab @pentesterlab.com · Dec 12

🚨 New Lab Alert!

💡 How NOT to revoke JWTs: Learn how Base64 malleability can be used to bypass weak revocation mechanisms.

Ready to test your skills? 💥

👉 pentesterlab.com/exercises/ap...

#APISecurity #Pentesting

PentesterLab: API JWT REVOCATION

This exercise covers how to bypass a weak JWT Revocation Mechanism.

pentesterlab.com

2 7

Reposted by Louis Nyffenegger

PentesterLab @pentesterlab.com · Dec 12

Want to level up your learning in security? 🚀 Stop scrolling and start reflecting.

'Reading Between the Lines' challenges you to dig deeper:
1️⃣ What can I learn from this?
2️⃣ What patterns apply elsewhere?
3️⃣ Why didn’t I spot this?

The real breakthroughs come when you ask the right questions. 💡

👇

PentesterLab Blog: Reading Between the Lines: A Guide to Thoughtful Learning in Security

Discover how to extract deeper insights from security content by going beyond surface-level understanding. This post explores a reflective approach to learning, helping you uncover patterns, improve y...

pentesterlab.com

1 4 5

Louis Nyffenegger @snyff.pentesterlab.com · Dec 8

2 6 18

Louis Nyffenegger @snyff.pentesterlab.com · Dec 7

Yes, just a one off :/

1 1