PentesterLab's Blog: Insights, weekly research highlights, and deep dives into web security, code review, and pentesting.

How "Strengthening Crypto" Broke Authentication: FreshRSS and bcrypt's 72-Byte Limit

As part of our CVE monitoring, we came across GHSA-pcq9-mq6m-mvmp (CVE-2025-68402), an authentication bypass in FreshRSS, a self-hosted RSS aggregator. It ...

By Louis Nyffenegger March 10, 2026 · 10 min read

Filter: All Research APPSEC AuthZ CAREER Code Review Insight JWT PENTESTING

APPSEC PENTESTING

Playing Tag with GCM

It all started with a CVE. It feels like it always does 😉. CVE-2025-54887 (CVSS 9.1) disclosed a missing GCM authentication ...

Louis Nyffenegger Feb 13, 2026 · 10 min read

AuthZ APPSEC APPSEC

Killing IDORs in Rails Applications: Make the Database Say "No" By Default

Rails is great at making the happy path simple. You need a record, you write Model.find(params[:id]). You need an authorization check, ...

Louis Nyffenegger Feb 5, 2026 · 16 min read

APPSEC

How Devise Solves Session Invalidation in Rails

Rails relies on signed sessions to keep track of logged-in users. Since Rails 5.2, those sessions use AES GCM for authenticated ...

Louis Nyffenegger Sep 3, 2025 · 5 min read

APPSEC

Security Twins: Learning From Your Software’s Closest Relatives

When you are doing code review, penetration testing, bug bounty or threat modeling, it is easy to get tunnel vision and ...

Louis Nyffenegger Aug 31, 2025 · 5 min read

APPSEC

Do You Care About Exploitability?

When reviewing code, you often uncover problematic patterns or weaknesses. Unfortunately, discovering something concerning doesn't automatically mean you have found an ...

Louis Nyffenegger Apr 19, 2025 · 4 min read