PentesterLab's Blog: Insights, weekly research highlights, and deep dives into web security, code review, and pentesting.

How "Strengthening Crypto" Broke Authentication: FreshRSS and bcrypt's 72-Byte Limit

As part of our CVE monitoring, we came across GHSA-pcq9-mq6m-mvmp (CVE-2025-68402), an authentication bypass in FreshRSS, a self-hosted RSS aggregator. It ...

By Louis Nyffenegger March 10, 2026 · 10 min read

Filter: All Research APPSEC AuthZ CAREER Code Review Insight JWT PENTESTING

Research Worth Reading Week 47/2024

h5::after { display:none !important; } .tag-color { background-color: #448AB1; } h7 { font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", ...

PentesterLab Nov 24, 2024 · 1 min read

JWT Code Review

How JWT Libraries Block Algorithm Confusion: Key Lessons for Code Review

When I wrote the first lab on algorithm confusion, I remember spending a bit of time trying to find a vulnerable ...

Louis Nyffenegger Nov 20, 2024 · 25 min read

Research Worth Reading Week 46/2024

h5::after { display:none !important; } .tag-color { background-color: #448AB1; } h7 { font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", ...

PentesterLab Nov 17, 2024 · 0 min read

JWT

How split() Can Prevent None Exploitation in JWT Validation

When doing security code review, you sometimes come across infuriating code—code that appears to be vulnerable but isn't, due to unexpected ...

Louis Nyffenegger Nov 13, 2024 · 7 min read

Research Worth Reading Week 45/2024

h5::after { display:none !important; } .tag-color { background-color: #448AB1; } h7 { font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", ...

PentesterLab Nov 10, 2024 · 3 min read

Mitigating Risks of Command Execution in Compromised Directories

A notable threat in application security arises when applications execute commands within directories that may be under an attacker's influence. It's ...

Louis Nyffenegger Nov 7, 2024 · 4 min read

Research Worth Reading Week 44/2024

h5::after { display:none !important; } .tag-color { background-color: #448AB1; } h7 { font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", ...

PentesterLab Nov 3, 2024 · 0 min read

Research Worth Reading Week 43/2024

h5::after { display:none !important; } .tag-color { background-color: #448AB1; } h7 { font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", ...

PentesterLab Oct 27, 2024 · 2 min read

The Diminishing Value of Secure Coding Training

In the early days of software development, secure coding was indispensable in safeguarding applications against common security threats. Developers had to ...

Louis Nyffenegger Oct 24, 2024 · 5 min read

Research Worth Reading Week 42/2024

h5::after { display:none !important; } .tag-color { background-color: #448AB1; } h7 { font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", ...

PentesterLab Oct 21, 2024 · 1 min read

PENTESTING

Mastering Hacking Through Deliberate Practice

In many sports and activities, deliberate practice is the key to improvement. Chess masters break down their training into openings, middle ...

Louis Nyffenegger Oct 18, 2024 · 5 min read

Research Worth Reading Week 41/2024

h5::after { display:none !important; } .tag-color { background-color: #448AB1; } h7 { font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", ...

PentesterLab Oct 15, 2024 · 1 min read