PentesterLab's Blog: Insights, weekly research highlights, and deep dives into web security, code review, and pentesting.

RSS
Filter: All Research APPSEC AuthZ CAREER Code Review Insight JWT PENTESTING
Weekly Research

Research Worth Reading - Week 8, 2026

🦫 CTFtime.org / justCTF [*] 2020 / Go-fs / Writeup β€’ β˜•οΈ Almost Impossible: Java Deserialization Through Broken Crypto in OpenText Directory Services β€’ 😱 Vulnerability Disclosure: JWT Authentication Bypass in OpenID Connect Authenticator for Tomcat

PentesterLab Feb 22, 2026
Weekly Research

Research Worth Reading - Week 7, 2026

⨐ Breaking Down CVE-2026-25049: How TypeScript Types Failed n8n's Security β€’ βš’οΈ Introducing Augustus: Open Source LLM Prompt Injection Tool β€’ 🀺 When Two Parsers Disagree: Exploiting Query String Differentials for XSS

PentesterLab Feb 16, 2026
APPSEC PENTESTING

Playing Tag with GCM

It all started with a CVE. It feels like it always does πŸ˜‰. CVE-2025-54887 (CVSS 9.1) disclosed a missing GCM authentication ...

Louis Nyffenegger Feb 13, 2026 · 10 min read
Insight

What Dependency Management Can Learn from Certificate Management?

There was a time when certificate management was a constant source of outages. Not because TLS is complicated, and not because ...

Louis Nyffenegger Feb 10, 2026 · 15 min read
Insight

When Code Is Cheap, What Happens to AppSec?

With Anthropic's Opus 4.5, Ralph Wiggum Loop and GastOwn, a few people on the bleeding edge of AI-based software development are ...

Louis Nyffenegger Feb 10, 2026 · 6 min read
Weekly Research

Research Worth Reading - Week 6, 2026

πŸ€– Semgrep's Agent Skills β€’ 🀿 Shaking the MCP Tree: A Security Deep Dive β€’ πŸ€– Evaluating and mitigating the growing risk of LLM-discovered 0-days

PentesterLab Feb 8, 2026
AuthZ APPSEC APPSEC

Killing IDORs in Rails Applications: Make the Database Say "No" By Default

Rails is great at making the happy path simple. You need a record, you write Model.find(params[:id]). You need an authorization check, ...

Louis Nyffenegger Feb 5, 2026 · 16 min read
Insight

Need for Speed: AI, Security, and Productivity

Security and privacy have always been about doing the right thing while balancing it with staying productive. People do not work ...

Louis Nyffenegger Feb 3, 2026 · 5 min read
Weekly Research

Research Worth Reading Week 05/2026

πŸͺŸ Corrupting the Hive Mind: Persistence Through Forgotten Windows Internals β€’ ␛ On the clock: Escaping VMware Workstation at Pwn2Own Berlin 2025 β€’ πŸͺ² Insecure Defaults Detection

PentesterLab Feb 2, 2026
Weekly Research

Research Worth Reading Week 04/2026

🀯 On the Coming Industrialisation of Exploit Generation with LLMs β€’ 🚨 Cloudflare Zero-day: Accessing Any Host Globally β€’ πŸ€– Claude Magic String Denial of Service

PentesterLab Jan 26, 2026
JWT

CVE-2026-23993: JWT authentication bypass in HarbourJwt via β€œunknown alg”

I didn't know Harbour even existed as a language when I found this bug. The fun part is that I also ...

Louis Nyffenegger Jan 21, 2026 · 8 min read
Weekly Research

Research Worth Reading Week 03/2026

πŸ€– AI models are showing a greater ability to find and exploit vulnerabilities on realistic cyber ranges β€’ πŸ΄β€β˜ οΈ Pwning Claude Code in 8 Different Ways β€’ πŸ” The State of OpenSSL for pyca/cryptography

PentesterLab Jan 18, 2026