PentesterLab
@PentesterLab

10.9K posts

We make learning web hacking and security easier. Online systems, code review, videos & courses that can be used to understand, test and exploit bugs!

Melbourne, Victoria. Joined December 2011
0 Following · 201.2K Followers

Pinned Tweet
PentesterLab (@PentesterLab)
💥🐹 4 new Go Code Review Labs just dropped! 🐹💥 Read the code, peek at the diff, find the bug. Sharpen your skills: pentesterlab.com/badges/golang-…
PentesterLab (@PentesterLab)
Research Worth Reading - Week 13, 2026
Only one entry but definitely worth reading!
☁️ Remote Command Execution in Google Cloud with Single Directory Deletion
This one is a real tour de force: flatt.tech/research/posts….
PentesterLab retweeted
P4R4D0X (@P4R4D0X14)
I just completed @Pentesterlab's Essential Badge!!!
PentesterLab retweeted
Louis Nyffenegger
A few years ago, someone learned JWT hacking on @PentesterLab and created one of the tools many people now use when testing JWTs. They did the hard work. I love what this says about @PentesterLab: teaching that helps people move beyond copying payloads and build their own tools.
PentesterLab (@PentesterLab)
AVideo's sort handler used real_escape_string on user-controlled ORDER BY column names. But real_escape_string only escapes string literals... SQL identifiers like column names aren't protected at all. The fix: restrict allowed characters for column names and restrict sort direction to ASC/DESC. A textbook reminder that escaping is context-dependent.
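The point in the tweet above (escaping protects string literals, not identifiers) shown side by side with the allow-list fix, as an added example that is not AVideo's code or PentesterLab's. AVideo is a PHP project; this is a self-contained Python illustration against an in-memory SQLite table with a constructed schema (`videos(title, views)`), and `escape_string_literal` approximates what real_escape_string does by escaping only quote characters (SQLite's quote doubling rather than MySQL's backslashes, which does not change the argument).

```python
import re
import sqlite3

# Constructed rows standing in for a video listing; not AVideo's real schema.
SAMPLE_ROWS = [("Intro", 120), ("Go labs", 900), ("JWT", 400), ("O'Reilly talk", 50)]

# The fix described in the tweet: identifiers from an allow-list, direction from ASC/DESC.
ALLOWED_SORT_COLUMNS = {"title", "views"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def escape_string_literal(value: str) -> str:
    """Approximation of real_escape_string: it neutralises characters that matter
    *inside a quoted string literal* (here, the single quote) and nothing else."""
    return value.replace("'", "''")


def order_by_escaped_only(column: str, direction: str) -> str:
    """The pattern the tweet criticises: escape, then splice into an identifier
    position. Spaces, commas and parentheses are not string-literal
    metacharacters, so the escaper passes them straight through."""
    return (f"SELECT title, views FROM videos "
            f"ORDER BY {escape_string_literal(column)} {escape_string_literal(direction)}")


def order_by_allowlisted(column: str, direction: str) -> str:
    """The fix: the column must be a bare identifier on the allow-list and the
    direction must be exactly ASC or DESC; anything else is rejected."""
    if not IDENTIFIER_RE.fullmatch(column) or column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    return f"SELECT title, views FROM videos ORDER BY {column} {direction}"


def run(sql: str) -> list:
    """Execute one query against a fresh in-memory table of SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE videos (title TEXT, views INTEGER)")
    conn.executemany("INSERT INTO videos VALUES (?, ?)", SAMPLE_ROWS)
    try:
        return conn.execute(sql).fetchall()
    finally:
        conn.close()


def demo() -> dict:
    # A value no real sort UI would send: a second column smuggled in after a comma.
    user_column = "views, title"
    user_direction = "DESC"
    results = {}
    # Escaping leaves it untouched: there is no quote in it to escape.
    results["escaped_unchanged"] = escape_string_literal(user_column) == user_column
    # What the application intended: sort by views, highest first.
    results["intended_rows"] = run(order_by_escaped_only("views", user_direction))
    # What it actually runs: ORDER BY views, title DESC, i.e. views ascending.
    results["escaped_only_rows"] = run(order_by_escaped_only(user_column, user_direction))
    # The allow-list rejects the same value outright.
    try:
        order_by_allowlisted(user_column, user_direction)
        results["allowlist_rejected"] = False
    except ValueError:
        results["allowlist_rejected"] = True
    results["allowlisted_rows"] = run(order_by_allowlisted("views", "asc"))
    # In the context it was designed for, a string literal, escaping does its job.
    literal = escape_string_literal("O'Reilly talk")
    results["literal_ok"] = run(f"SELECT title FROM videos WHERE title = '{literal}'")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same input is harmless in a WHERE literal and silently rewrites the query in an ORDER BY position, which is exactly why the check has to match the context the value lands in rather than the characters the value contains.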
PentesterLab (@PentesterLab)
A typo that gives you root 😳 == instead of = in Froxlor's email validation. Comparison, not assignment. Validation never runs. Admin email field accepts pipe characters. Those pipes reach a root shell via the Let's Encrypt cron job. CVE-2026-26279
PentesterLab (@PentesterLab)
Research Worth Reading - Week 12, 2026
AI doing research, AI killing CTF
🤖 Testing AI for Vulnerability Research: 4 Approaches & Where I Failed
If you can only read one thing this week, make it this article: xclow3n.github.io/post/7.
🛠️ Hyoketsu – Solving the Vendor Dependency Problem in RE
Reversing Java and C# applications just became a lot easier thanks to the SearchLight Cyber team (ex: Assetnote): slcyber.io/research-cente….
🐧 Sashiko
Sashiko is an agentic Linux kernel code review system that monitors public mailing lists to thoroughly evaluate proposed Linux kernel changes. sashiko.dev.
💀 CTF is dead*
A good rant on the impact of AI on CTF... k3ng.xyz/blog/ctf-is-de….
PentesterLab retweeted
Gaurav Vilaniya (@GVilaniya)
I just completed @Pentesterlab's Authentication / Authorization Badge!!!
PentesterLab retweeted
Yakup Erdem Ünal (@callmeyakubi)
Back in the day I used to do code reviews to actually learn stuff… now I’m just doing them like quick little brain teasers 😄 Big shoutout to @PentesterLab for keeping my puzzle game strong.
PentesterLab retweeted
coffeefiend52 (@coffeefiend52)
I just completed @Pentesterlab's Golang Code Review Badge!!!