PentesterLab's Blog: Insights, weekly research highlights, and deep dives into web security, code review, and pentesting.

How "Strengthening Crypto" Broke Authentication: FreshRSS and bcrypt's 72-Byte Limit

As part of our CVE monitoring, we came across GHSA-pcq9-mq6m-mvmp (CVE-2025-68402), an authentication bypass in FreshRSS, a self-hosted RSS aggregator. It ...

By Louis Nyffenegger March 10, 2026 · 10 min read

Filter: All Research APPSEC AuthZ CAREER Code Review Insight JWT PENTESTING

Code Review

Why Settle for a Bug When You Can Catch a Swarm?

The discovery of a new bug or the analysis of a Common Vulnerabilities and Exposures (CVE) can often feel like a ...

Louis Nyffenegger Sep 2, 2024 · 10 min read

Research Worth Reading Week 35/2024

h5::after { display:none !important; } .tag-color { background-color: #448AB1; } h7 { font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", ...

PentesterLab Sep 1, 2024 · 1 min read

The Certification Trap

I woke up this morning and saw that yet another certification is now available. You can now be "XYZ" certified! The ...

Louis Nyffenegger Aug 30, 2024 · 6 min read

Code Review

Secure Coding Training Versus Security Code Review Training

In the field of application security, two crucial types of training often come up: secure coding training and security code review ...

Louis Nyffenegger Aug 29, 2024 · 7 min read

Research Worth Reading Week 34/2024

h5::after { display:none !important; } .tag-color { background-color: #448AB1; } h7 { font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", ...

PentesterLab Aug 25, 2024 · 1 min read

Code Review

Effective Note-Keeping for Web Security Code Reviews

One of the recurring questions I get during my Web Security Code Review Training is how to keep notes when multiple ...

Louis Nyffenegger Aug 20, 2024 · 11 min read

Research Worth Reading Week 33/2024

h5::after { display:none !important; } .tag-color { background-color: #448AB1; } h7 { font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", ...

PentesterLab Aug 18, 2024 · 2 min read

Code Review

The Difference between Good and Bad Code Reviewers

Bad code reviewers use grep... well, good code reviewers use grep, but they are good code reviewers! You are probably not ...

Louis Nyffenegger Aug 15, 2024 · 4 min read

Code Review

Spotting Discrepancies in Security Code Reviews

When running our Web Security Code Review Training, I use an analogy on the difference between "They are French" and "They ...

Louis Nyffenegger Aug 12, 2024 · 4 min read

Research Worth Reading Week 32/2024

h5::after { display:none !important; } .tag-color { background-color: #448AB1; } h7 { font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", ...

PentesterLab Aug 11, 2024 · 1 min read

Good Enough - A look at Golang http.ServeFile

As a security engineer, and like many people in security, I prefer bulletproof solutions to patches that fix only half of ...

Louis Nyffenegger Aug 6, 2024 · 3 min read

Research Worth Reading Week 31/2024

h5::after { display:none !important; } .tag-color { background-color: #448AB1; } h7 { font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", ...

PentesterLab Aug 4, 2024 · 1 min read