PentesterLab's Blog: Insights, weekly research highlights, and deep dives into web security, code review, and pentesting.

How "Strengthening Crypto" Broke Authentication: FreshRSS and bcrypt's 72-Byte Limit

As part of our CVE monitoring, we came across GHSA-pcq9-mq6m-mvmp (CVE-2025-68402), an authentication bypass in FreshRSS, a self-hosted RSS aggregator. It ...

By Louis Nyffenegger March 10, 2026 · 10 min read

Filter: All Research APPSEC AuthZ CAREER Code Review Insight JWT PENTESTING

Code Review

The Value of Code Reviews Without Bugs

In the world of application security and code review, there’s a misconception that the success of a review is measured solely ...

Louis Nyffenegger Oct 10, 2024 · 7 min read

Research Worth Reading Week 40/2024

h5::after { display:none !important; } .tag-color { background-color: #448AB1; } h7 { font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", ...

PentesterLab Oct 7, 2024 · 1 min read

Hiring Your First AppSec Engineer: The Technical Interview

In a previous blog post titled "Hiring Your First AppSec Engineer", we discussed some key recommendations for hiring your first application ...

Louis Nyffenegger Oct 2, 2024 · 8 min read

Research Worth Reading Week 39/2024

h5::after { display:none !important; } .tag-color { background-color: #448AB1; } h7 { font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", ...

PentesterLab Sep 30, 2024 · 1 min read

Hiring Your First AppSec Engineer

Recently, I was asked by a CISO for recommendations on hiring their first AppSec or product security professional. This sparked a ...

Louis Nyffenegger Sep 25, 2024 · 9 min read

Research Worth Reading Week 38/2024

h5::after { display:none !important; } .tag-color { background-color: #448AB1; } h7 { font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", ...

PentesterLab Sep 24, 2024 · 2 min read

Code Review

From CVE to Swarm: A Case Study on CVE-2024-32963

One of the things I enjoy doing is looking at CVEs. I find it a great way to learn about new ...

Louis Nyffenegger Sep 20, 2024 · 8 min read

The Power of Wasting Time

In today’s world, there is an overwhelming obsession with productivity. Efficiency is the gold standard, and procrastination is seen as the ...

Louis Nyffenegger Sep 18, 2024 · 5 min read

Research Worth Reading Week 37/2024

h5::after { display:none !important; } .tag-color { background-color: #448AB1; } h7 { font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", ...

PentesterLab Sep 15, 2024 · 2 min read

OR 1=1 -- is Dying

One of the classic examples of SQL Injection is using ' or 1=1 -- in a username to bypass the authentication ...

Louis Nyffenegger Sep 13, 2024 · 6 min read

Code Review

Clever Developers, Costly Mistakes

In the world of software development, the allure of writing clever code is strong. Developers, especially those who are highly skilled, ...

Louis Nyffenegger Sep 10, 2024 · 8 min read

Research Worth Reading Week 36/2024

h5::after { display:none !important; } .tag-color { background-color: #448AB1; } h7 { font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", ...

PentesterLab Sep 9, 2024 · 1 min read