PentesterLab

10.9K posts

@PentesterLab

We make learning web hacking and security easier. Online systems, code review, videos & courses that can be used to understand, test and exploit bugs!

Melbourne, Victoria · Joined December 2011
0 Following · 203.1K Followers
Pinned Tweet
PentesterLab (@PentesterLab)
💥🐹 4 new Go Code Review Labs just dropped! 🐹💥 Read the code, peek at the diff, find the bug. Sharpen your skills: pentesterlab.com/badges/golang-…
PentesterLab (@PentesterLab)
Research Worth Reading - Week 18, 2026
The consensus seems to be: models don't matter...
🤖 AI threats in the wild: The current state of prompt injections on the web. A quick list of indirect prompt injection examples Google came across: security.googleblog.com/2026/04/ai-thr….
🪟 Persistence Atlas: 19 Techniques Nobody Talks About. A great list of persistence methods for AD and Windows: 0xsr.com/blog/windows-p….
😳 Securing GitHub: Wiz Research uncovers RCE in GitHub.com. RCE on github.com using a single git push: wiz.io/blog/github-rc….
🤖 Finding Zero-Days with Any Model. Niels Provos leveraging IronCurtain (and its vuln-discovery workflow) to find vulnerabilities: provos.org/p/finding-zero….
🤖 Why Mythos doesn't matter (for us). A great write-up from liveoverflow on why small models may be a better solution: hacktron.ai/blog/why-mytho….
HAProxy HTTP/3 -> HTTP/1 Desync: Cross-Protocol Smuggling via a Standalone QUIC FIN (CVE-2026-33555). It's rare to see this level of detail in a blog post. Too Long, Must Read: r3verii.github.io/cve/2026/04/14….
PentesterLab (@PentesterLab)
New badge: JavaScript Sandbox Escape! The first 4 labs are live. If you ship anything that evaluates untrusted or model-generated JavaScript, this badge is for you: pentesterlab.com/badges/javascr…
PentesterLab (@PentesterLab)
Research Worth Reading - Week 16, 2026
Better late than never...
🤖 Lessons Learned From RITSEC CTF. CTF in the age of AI. A great read for people running CTF competitions: sylvie.fyi/posts/ritsec-2….
😼 Fail Open, Game Over: Turning a One-Line Tomcat Fix into Unauthenticated RCE. A cool entry point for deserialization in Apache Tomcat's cluster: striga.ai/research/tomca….
🤖 I Let Claude Opus Write a Chrome Exploit. A week, $2,283 in API costs and 20 hours of human work... hacktron.ai/blog/i-let-cla….
🤖 Our evaluation of Claude Mythos Preview's cyber capabilities. AISI reviewing the capabilities of Mythos... aisi.gov.uk/blog/our-evalu….
🤖 System Over Model: Zero-Day Discovery at the Jagged Frontier. Small models can find 0-days too! Great write-up with an open-source tool to prove it: aisle.com/blog/system-ov….
PentesterLab retweeted
Raslan (@raslanco_)
I just completed @Pentesterlab's Recon Badge!!!
PentesterLab retweeted
Rehan S (@Cyber_Wolfe01)
I just completed @Pentesterlab's Recon Badge!!! Thanks to @Yassh_twts for motivating me to do this!
PentesterLab retweeted
Raslan (@raslanco_)
I just completed @Pentesterlab's API Badge!!!