PentesterLab's Blog: Insights, weekly research highlights, and deep dives into web security, code review, and pentesting.

How "Strengthening Crypto" Broke Authentication: FreshRSS and bcrypt's 72-Byte Limit

As part of our CVE monitoring, we came across GHSA-pcq9-mq6m-mvmp (CVE-2025-68402), an authentication bypass in FreshRSS, a self-hosted RSS aggregator. It ...

By Louis Nyffenegger March 10, 2026 · 10 min read

Filter: All Research APPSEC AuthZ CAREER Code Review Insight JWT PENTESTING

ORM Leak Exploitation Against SQLite

We are currently building our ORM Leak labs and found a quirk worth sharing. The goal of our labs is to ...

Louis Nyffenegger Jul 30, 2024 · 5 min read

Research Worth Reading Week 30/2024

h5::after { display:none !important; } .tag-color { background-color: #448AB1; } h7 { font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", ...

PentesterLab Jul 29, 2024 · 1 min read

What makes a Language More Secure

When it comes to the security of programming languages, the conversation often revolves around memory safety and typing. These features, while ...

Louis Nyffenegger Jul 26, 2024 · 5 min read

Is PHP REALLY Getting Better?

There’s been a lot of chatter about PHP being insecure, but as Luke Stephens points out in his article, "People who ...

Louis Nyffenegger Jul 23, 2024 · 8 min read

Research Worth Reading Week 29/2024

h5::after { display:none !important; } .tag-color { background-color: #448AB1; } h7 { font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", ...

PentesterLab Jul 22, 2024 · 2 min read

Code Review PENTESTING

The Journey from Pentesting to Security Code Review

I think the hardest part for pentesters transitioning into security code review is going back to the low level of confidence ...

Louis Nyffenegger Jul 18, 2024 · 4 min read

Research Worth Reading Week 28/2024

h5::after { display:none !important; } .tag-color { background-color: #448AB1; } h7 { font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", ...

PentesterLab Jul 15, 2024 · 1 min read

What Developers Get for Free

One effective way to accelerate your security code review or pentest is to understand what developers get for free! In this ...

Louis Nyffenegger Jul 10, 2024 · 8 min read

PENTESTING

The Power of Scripting in Web Hacking

In web hacking, scripting is a key skill that separates good hackers from great ones. If you follow top web hackers, ...

Louis Nyffenegger Jul 3, 2024 · 5 min read

6 Questions to Ask When Interviewing for an AppSec Role

You wrote the perfect resume, the interview is going well! Now the classic “Do you have any questions for us?” is ...

Louis Nyffenegger Jun 14, 2024 · 5 min read

Embrace the suck!

When handling customer support for PentesterLab, we often get emails from people who can’t solve a challenge: “… I have been ...

Louis Nyffenegger Jun 3, 2024 · 2 min read

PENTESTING CAREER

Don't Let Tools Spoil Your Hacking Education

In the world of hacking, the right tools can make all the difference. However, when you’re just starting out, it’s crucial ...

Louis Nyffenegger May 29, 2024 · 6 min read