PentesterLab
@PentesterLab
Followers
196K
Following
12K
Media
296
Statuses
11K
We make learning web hacking and security easier. Online systems, code review, videos & courses that can be used to understand, test and exploit bugs!
Melbourne, Victoria
Joined December 2011
π₯πΉ 4 new Go Code Review Labs just dropped! πΉπ₯ Read the code, peek at the diff, find the bug. Sharpen your skills:
pentesterlab.com
The Golang Code Review Badge is our badge dedicated to code review in Golang. It covers the discovery of weaknesses and vulnerabilities using source code review.
3
10
70
π€ Ask your LLM for receipts: What I learned teaching Claude C++ crash triage A short braindump from Halvar Flake on the lessons learned from triaging crashes using Claude:
0
0
1
Research Worth Reading Week 50/2025: SAML bypasses & LLM-assisted crash triage. π The Fragile Lock: Novel Bypasses for SAML Authentication Ruby SAML falls again. An extraordinary exploit by the PortSwigger team:
portswigger.net
TLDR This post shows how to achieve a full authentication bypass in the Ruby and PHP SAML ecosystem by exploiting several parser-level inconsistencies: including attribute pollution, namespace confusi
1
2
19
Welcome back to Slytherin! π We just released 3 new labs in our python^w Slytherin code review badge: real CVEs, sneaky bugs, and plenty of chances to sharpen your dark code arts.. Grab your wand here:
pentesterlab.com
The Python Code Review Badge is our badge dedicated to code review in Python. It covers the discovery of weaknesses and vulnerabilities using source code review.
0
1
7
I just completed @Pentesterlab's PCAP badge!!!
1
1
7
I just completed @Pentesterlab's Unix Badge!!!
0
1
5
π§ How to Research & Reverse Web Vulnerabilities 101 One of my favourite hobbies (CVE analysis) is covered in this blog post from the ProjectDiscovery team:
projectdiscovery.io
Introduction This blog serves as a detailed methodology guide for analyzing, reversing, and researching web vulnerabilities, particularly those with CVEs assigned. The content outlines repeatable...
0
2
4
βοΈ Bypassing WAFs for Fun and JS Injection with Parameter Pollution A great summary of the current state of HTTP parameter pollution as a way to bypass WAFs:
blog.ethiack.com
Technical deep dive into bypassing a strict Web Application Firewall using HTTP Parameter Pollution, leveraging multi-parameter payload splitting to achieve JavaScript injection and evade detection.
1
1
2
Research Worth Reading Week 49/2025: WAF bypasses, CVE research & constant-time crypto. β° Introducing constant-time support for LLVM to protect cryptographic code Trail of Bits explains their work on adding constant-time support to LLVM so that compiled cryptographic code
blog.trailofbits.com
Trail of Bits developed constant-time coding support for LLVM that prevents compilers from breaking cryptographic implementations vulnerable to timing attacks, introducing the __builtin_ct_select...
2
2
5
