PentesterLab

10.9K posts


@PentesterLab

We make learning web hacking and security easier. Online systems, code review, videos & courses that can be used to understand, test and exploit bugs!

Melbourne, Victoria · Joined December 2011
0 Following · 204.7K Followers

Pinned Tweet
PentesterLab @PentesterLab
💥🐹 4 new Go Code Review Labs just dropped! 🐹💥 Read the code, peek at the diff, find the bug. Sharpen your skills: pentesterlab.com/badges/golang-…
PentesterLab @PentesterLab
Research Worth Reading - Week 25, 2026

It looks like this week’s theme is complexity...

🐴 DietrichGebert / ponytail
This is not directly security-related, but I think there is a strong security lesson here. One of the problems with AI-generated code is not just that it may introduce bugs. It also tends to introduce surface area: extra dependencies, extra abstractions, extra wrappers, and extra “future-proofing” for a future that will probably never happen. Ponytail is interesting because it attacks this problem from the opposite direction. It is a small Rust tool focused on reducing code bloat. I think this is worth stealing for security code review workflows. Before asking an agent to find vulnerabilities, run something like ponytail first and reduce the amount of code that needs to be trusted. Less code is not automatically secure code, but unnecessary code is almost always unnecessary attack surface. github.com/DietrichGebert…

🤯 curl summer of bliss
curl is doing something I suspect more critical open-source projects will have to think about: for July 2026, they will not accept or process vulnerability reports. It is easy to react with “but attackers will not take a holiday.” True. But maintainers are not machines either. The uncomfortable part is that AI makes it cheaper to produce vulnerability reports, but it does not make it equally cheap for a maintainer to verify them, understand the impact, write the fix, write the advisory, coordinate the release, and carry the responsibility if they get it wrong. This feels like another version of XKCD 2347: the internet depends on small groups of people doing high-pressure work for everyone else. AI may increase the pressure before it reduces it. daniel.haxx.se/blog/2026/06/1…

⛓️ Chaining Security Bugs in Discuz! X5.0: from Race Condition to Pre-Auth RCE
This is the kind of research I really like because the interesting part is not one magical bug. It is the chain. The exploit path combines several things that, in isolation, may look manageable: key reuse across contexts, a database backup/import feature, a race condition, CAPTCHA automation, and finally an admin-only LFI that becomes RCE. The important lesson is that the application did not fail in one place. It failed in the assumptions between places. This is also why good code review is hard to automate with a checklist. The dangerous question is not only “is this function vulnerable?” It is “where else is this token accepted?”, “what happens while this table is being recreated?”, “can a value that was meant to be a username later become part of a session structure?”, and “which admin-only bug stops being admin-only once another part of the system breaks?” That is where a lot of high-impact security research lives: between components. karmainsecurity.com/chaining-bugs-…

🤖 Building a Hackbot for Bug Bounties — Auth Testing Subagent Setup
This blog post is a great starting point for anyone wondering how to start building a hackbot for bug bounty or general AppSec testing. The useful part is that it does not start with a vague “use AI to hack things” idea. It walks through a concrete setup: giving the agent browser access, creating a dedicated auth testing sub-agent, and scoping that sub-agent around a specific class of testing. That is probably the right way to begin. Not one giant agent that tries to test everything, but smaller agents with narrower responsibilities. Where it gets interesting is what happens after this first version works. Once you have an agent that can interact with an application, you quickly run into a lot of real engineering problems: making sure it only tests the right target, preventing it from following links to another domain, handling shared state between accounts, avoiding rate limits, dealing with 2FA, test inboxes, password reset flows, account lockouts, and making sure two agents do not break each other’s sessions. That is why I think this is a good starting point rather than a complete solution. The first step is getting an agent to do useful work. The next step is building all the boring but critical infrastructure around it: scope enforcement, account isolation, logging, reproducibility, and safety checks. This is where AppSec automation is going to get interesting. The model is only one part of the system. The real work is in the harness around it. medium.com/@Appsec_pt/building-a-hackbot-for-bug-bounties-auth-testing-subagent-setup-02cc9cb89196

Code Review badge
If this week’s links make you want to get better at reading code and finding vulnerabilities by understanding how applications actually work, check out our Code Review badge. It is built around real-world patterns, CVEs, and the kind of issues that do not show up by just grepping for dangerous functions. pentesterlab.com/badges/coderev…
PentesterLab @PentesterLab
Research Worth Reading - Week 24, 2026

This is why we can't have nice things...

🪲 Jupyter Enterprise Gateway
Another great write-up from the elttam team. As always, it’s well explained, with enough details to understand both the issue and the process they followed to get there. I also like this one because it shows how something that looks “only” like user-controlled configuration can become a much bigger issue once it reaches Kubernetes and privileged execution paths. elttam.com/blog/jupyter-e…

🤖 Measuring LLMs’ impact on N-day exploits
How much time do models need to create exploits for N-day vulnerabilities? A really interesting comparison of Anthropic models’ efficiency at building exploits for known vulnerabilities. Another signal, if you needed one, that your time-to-patch needs to shrink dramatically. red.anthropic.com/2026/n-days/

🎆 Bypassing a 3 layer SVG sanitizer: Stored XSS in Mozilla
Some great content that reads like a course in application security: what was happening, why it was wrong, how to fix it, and the impact of the fix. I especially like the part where the sanitizer is called, but the sanitized output is not actually used. It’s such a good example of why code review is not about spotting the function name you want to see. You need to follow the data and check that the thing being validated or sanitized is the thing that gets stored or rendered. profile-chi-jade.vercel.app/writing/spring…

⚒️ Hacking Google with A.I. for $500,000
How much time and effort should you invest in a bug bounty target? This post gives a pretty good answer. It’s not just “use AI and bugs fall out”. It’s more about building a process around a hard target, mapping a huge attack surface, collecting the right inputs, and using AI to help scale parts of the work. A great write-up if you’re interested in how people find vulnerabilities in targets where the easy bugs disappeared a long time ago. brutecat.com/articles/hacki…

🤖 Statement on the US government directive to suspend access to Fable 5 and Mythos 5
Well, well, well, if it isn’t the consequences of your actions... After marketing Mythos as powerful enough to need special access and safeguards, Anthropic has now been asked to suspend access to Fable and Mythos for foreign nationals, including foreign-national Anthropic employees. They complied by blocking access to all customers. Any geopolitical AI expert probably had a busy weekend. anthropic.com/news/fable-myt…

🗞️ Last week @PentesterLab
I spent the week working on new content and updating our Security Code Review in Golang for Developers Training (pentesterlab.com/live-training) for an upcoming private session.
PentesterLab retweeted
tess3ract_x @tess3ract_x
Thanks to @PentesterLab for sending the stickers so quickly — shipped after just one day. Also, huge thanks to @Hacker0x01 for the PentesterLab Pro license. Really appreciated! #stickers #AppSec
PentesterLab retweeted
ju4dy @jundybaba
I just completed @Pentesterlab's Essential Badge!!! One step at a time.
PentesterLab @PentesterLab
A surprising number of people learn web security before they learn how the web works. We've added 4 new labs to our Web Fundamentals badge:
💻 Client-side code
🖥️ Server-side code
🗄️ Databases
🔑 Sessions
No hacking required. Just the foundations.
PentesterLab @PentesterLab
Research Worth Reading - Week 23, 2026

Golang and Weak Skill Scanners

🔐 Let’s talk about encrypted reasoning
A cryptographic look at the encrypted reasoning blobs that get passed back and forth when using the OpenAI and Anthropic APIs. I like this because it does what good security research should do: explain why the mechanism exists, build realistic threat models around it, and then actually test them instead of stopping at speculation: blog.cryptographyengineering.com/2026/05/29/foo…

👏 Golang code review notes II
Once again, elttam delivers! I’m a huge fan of little programming-language gotchas because they give you an edge as a code reviewer. These are exactly the kinds of details that turn "looks fine" into "wait, what actually happens here?". If you’re writing or reviewing Go, make sure you read this one: elttam.com/blog/golang-co…

🤖 The sorry state of skill distribution
Trail of Bits bypassed multiple scanners with the kind of tricks every supply-chain security person should already be worried about: hidden files, bytecode, prompt injection, and "trust me bro" explanations. The good news is that they published the skills on GitHub, so get ready for vendors to claim they can now detect them all: blog.trailofbits.com/2026/06/03/the…

🗞️ Last week @PentesterLab
Last week, we released 5 new labs in our JavaScript Sandbox Escape badge (pentesterlab.com/badges/javascr…). Make sure you check them out!
PentesterLab retweeted
Swissky @pentest_swissky
Thank you @PentesterLab I love the stickers, kisses from France 😚
PentesterLab retweeted
Daniel W. @ghostinthecable
📢 Competition alert! Find our awesome @MalwareVillage team at @BSidesVancouver and play our new CTF (PANIC) 👾 The winner of each difficulty level will win a free 1-Month subscription to @PentesterLab! 🥳 A huge thank you to @PentesterLab for the collab 🤝
PentesterLab retweeted
7mei9 Mei9 @ERICFLOW20
Thank you @PentesterLab for the stickers, greetings from France
PentesterLab retweeted
Awazez @awazez
Received and put on my Mac! Thanks @PentesterLab