Louis Nyffenegger
@snyff.pentesterlab.com
Founder/CEO/Trainer/Researcher/CVE archeologist
@PentesterLab. Security engineer. Bugs are my own, not of my employer...
@PentesterLab. Security engineer. Bugs are my own, not of my employer...
Reposted by Louis Nyffenegger
Really awesome preso from @snyff.pentesterlab.com @pentesterlab.com over at BSides Perth. Jam packed with patterns, approaches, tips and tricks to level up finding bugs in code. #bsides #bsidesperth
October 19, 2025 at 2:33 AM
Really awesome preso from @snyff.pentesterlab.com @pentesterlab.com over at BSides Perth. Jam packed with patterns, approaches, tips and tricks to level up finding bugs in code. #bsides #bsidesperth
I’ve spent 2 solid hours doing bug bounty and I still haven’t made $200k.
Can someone tell me what I’m doing wrong?
#bugbountytips
Can someone tell me what I’m doing wrong?
#bugbountytips
April 20, 2025 at 11:09 PM
I’ve spent 2 solid hours doing bug bounty and I still haven’t made $200k.
Can someone tell me what I’m doing wrong?
#bugbountytips
Can someone tell me what I’m doing wrong?
#bugbountytips
Reposted by Louis Nyffenegger
AI-generated code is reshaping secure code review—fewer trivial bugs, but more hidden threats.
Read more in our new blog post:
pentesterlab.com/blog/secure-...
What do you think?
Read more in our new blog post:
pentesterlab.com/blog/secure-...
What do you think?
How AI-Generated Code Is Changing Secure Code Review
Learn how AI-generated code impacts secure code review and application security. Discover why AI excels at catching common vulnerabilities but needs human expertise for complex bugs.
pentesterlab.com
February 24, 2025 at 10:49 PM
AI-generated code is reshaping secure code review—fewer trivial bugs, but more hidden threats.
Read more in our new blog post:
pentesterlab.com/blog/secure-...
What do you think?
Read more in our new blog post:
pentesterlab.com/blog/secure-...
What do you think?
Reposted by Louis Nyffenegger
Think teaching devs to hack is risky?
In reality, a bit of hacking knowledge helps them spot vulnerabilities early and build stronger apps.
Discover why having devs with a 'hacker mindset' is a win for security:
pentesterlab.com/blog/why-dev...
In reality, a bit of hacking knowledge helps them spot vulnerabilities early and build stronger apps.
Discover why having devs with a 'hacker mindset' is a win for security:
pentesterlab.com/blog/why-dev...
I Don’t Want My Devs to Become Hackers! - PentesterLab's Blog
Discover why encouraging developers to learn ethical hacking boosts security, reduces bugs, and fosters a proactive security culture in your organization.
pentesterlab.com
February 13, 2025 at 6:21 PM
Think teaching devs to hack is risky?
In reality, a bit of hacking knowledge helps them spot vulnerabilities early and build stronger apps.
Discover why having devs with a 'hacker mindset' is a win for security:
pentesterlab.com/blog/why-dev...
In reality, a bit of hacking knowledge helps them spot vulnerabilities early and build stronger apps.
Discover why having devs with a 'hacker mindset' is a win for security:
pentesterlab.com/blog/why-dev...
From now on, I'll call any snippet of vulnerable code shared on Social Media as
"Security Code Review Porn"
It gives the wrong expectations about what real code review actually involves.
"Security Code Review Porn"
It gives the wrong expectations about what real code review actually involves.
February 7, 2025 at 2:44 AM
From now on, I'll call any snippet of vulnerable code shared on Social Media as
"Security Code Review Porn"
It gives the wrong expectations about what real code review actually involves.
"Security Code Review Porn"
It gives the wrong expectations about what real code review actually involves.
Reposted by Louis Nyffenegger
Articles worth reading discovered last week:
🤝 blog.doyensec.com/2025/01/30/o...
☠️ www.feistyduck.com/newsletter/i...
📚 pathonproject.com/zb/?871f0933...
And as always, it’s in our blog: pentesterlab.com/blog/researc...
#PentesterLabWeekly
🤝 blog.doyensec.com/2025/01/30/o...
☠️ www.feistyduck.com/newsletter/i...
📚 pathonproject.com/zb/?871f0933...
And as always, it’s in our blog: pentesterlab.com/blog/researc...
#PentesterLabWeekly
Common OAuth Vulnerabilities · Doyensec's Blog
Common OAuth Vulnerabilities
blog.doyensec.com
February 2, 2025 at 9:50 PM
Articles worth reading discovered last week:
🤝 blog.doyensec.com/2025/01/30/o...
☠️ www.feistyduck.com/newsletter/i...
📚 pathonproject.com/zb/?871f0933...
And as always, it’s in our blog: pentesterlab.com/blog/researc...
#PentesterLabWeekly
🤝 blog.doyensec.com/2025/01/30/o...
☠️ www.feistyduck.com/newsletter/i...
📚 pathonproject.com/zb/?871f0933...
And as always, it’s in our blog: pentesterlab.com/blog/researc...
#PentesterLabWeekly
I’m excited to share that in a few weeks I’ll be heading to the US for a series of talks and workshops focused on security code review and JWT—and I’ll be bringing some
@pentesterlab.com swag along too!
@pentesterlab.com swag along too!
January 29, 2025 at 11:33 PM
I’m excited to share that in a few weeks I’ll be heading to the US for a series of talks and workshops focused on security code review and JWT—and I’ll be bringing some
@pentesterlab.com swag along too!
@pentesterlab.com swag along too!
Reposted by Louis Nyffenegger
🚀 Level up your #CyberSecurity skills FOR FREE! 🛡️
Earn the Recon Badge with Pentesterlab and master: 🔍 Virtual Hosts 🌐 DNS Recon 🔒 TLS Recon ...and so much more!
Start your journey today
👉 pentesterlab.com/badges/recon
Earn the Recon Badge with Pentesterlab and master: 🔍 Virtual Hosts 🌐 DNS Recon 🔒 TLS Recon ...and so much more!
Start your journey today
👉 pentesterlab.com/badges/recon
PentesterLab: Learn with our Recon Badge
The Recon badge is our set of exercises created to help you learn Reconnaissance. From findings usual files down to DNS and TLS exploration, this badge will help you get better at finding new targets
pentesterlab.com
January 25, 2025 at 12:09 AM
🚀 Level up your #CyberSecurity skills FOR FREE! 🛡️
Earn the Recon Badge with Pentesterlab and master: 🔍 Virtual Hosts 🌐 DNS Recon 🔒 TLS Recon ...and so much more!
Start your journey today
👉 pentesterlab.com/badges/recon
Earn the Recon Badge with Pentesterlab and master: 🔍 Virtual Hosts 🌐 DNS Recon 🔒 TLS Recon ...and so much more!
Start your journey today
👉 pentesterlab.com/badges/recon
Reposted by Louis Nyffenegger
Networking in InfoSec isn’t just about IP addresses and ports—it’s also about people!
Discover how meetups, conferences, and volunteering can open big career doors in InfoSec.
Read more: pentesterlab.com/blog/infosec...
Discover how meetups, conferences, and volunteering can open big career doors in InfoSec.
Read more: pentesterlab.com/blog/infosec...
Networking but not TCP/IP - PentesterLab's Blog
Discover how building real-world connections in the InfoSec community can accelerate your journey into pentesting and cybersecurity. From local meetups and conferences to online communities, this guid...
pentesterlab.com
January 11, 2025 at 11:59 PM
Networking in InfoSec isn’t just about IP addresses and ports—it’s also about people!
Discover how meetups, conferences, and volunteering can open big career doors in InfoSec.
Read more: pentesterlab.com/blog/infosec...
Discover how meetups, conferences, and volunteering can open big career doors in InfoSec.
Read more: pentesterlab.com/blog/infosec...
Someone shared this write-up in the @pentesterlab.com 's discord:
www.wiz.io/blog/nuclei-...
I love this article so much! The content and the analysis are A+
I really like the 🚩 (very similar to pentesterlab.com/blog/another...)
www.wiz.io/blog/nuclei-...
I love this article so much! The content and the analysis are A+
I really like the 🚩 (very similar to pentesterlab.com/blog/another...)
A Signature Verification Bypass in Nuclei (CVE-2024-43405) | Wiz Blog
Wiz's engineering team discovered a high-severity signature verification bypass in Nuclei which could potentially lead to arbitrary code execution.
www.wiz.io
January 5, 2025 at 3:02 AM
Someone shared this write-up in the @pentesterlab.com 's discord:
www.wiz.io/blog/nuclei-...
I love this article so much! The content and the analysis are A+
I really like the 🚩 (very similar to pentesterlab.com/blog/another...)
www.wiz.io/blog/nuclei-...
I love this article so much! The content and the analysis are A+
I really like the 🚩 (very similar to pentesterlab.com/blog/another...)
Reposted by Louis Nyffenegger
Reposted by Louis Nyffenegger
If your New Year’s resolution is to get better at web security code review, don’t miss our upcoming live training. Learn how to find vulnerabilities and strengthen your skills:
pentesterlab.gumroad.com
pentesterlab.gumroad.com
Subscribe to PentesterLab on Gumroad
PentesterLab is an easy and great way to learn security code review and penetration testing. We provide vulnerable systems that can be used to test and understand vulnerabilities.
pentesterlab.gumroad.com
December 31, 2024 at 10:49 PM
If your New Year’s resolution is to get better at web security code review, don’t miss our upcoming live training. Learn how to find vulnerabilities and strengthen your skills:
pentesterlab.gumroad.com
pentesterlab.gumroad.com
Happy New Year!
pentesterlab.com/gift/xDzcB35... (3-month)
pentesterlab.com/gift/UBMtCsi... (3-month)
pentesterlab.com/gift/BWEYEme... (3-month)
pentesterlab.com/gift/xDzcB35... (3-month)
pentesterlab.com/gift/UBMtCsi... (3-month)
pentesterlab.com/gift/BWEYEme... (3-month)
Learn Web Penetration Testing: The Right Way
Learn Web Penetration Testing: The Right Way
pentesterlab.com
December 31, 2024 at 10:48 PM
Happy New Year!
pentesterlab.com/gift/xDzcB35... (3-month)
pentesterlab.com/gift/UBMtCsi... (3-month)
pentesterlab.com/gift/BWEYEme... (3-month)
pentesterlab.com/gift/xDzcB35... (3-month)
pentesterlab.com/gift/UBMtCsi... (3-month)
pentesterlab.com/gift/BWEYEme... (3-month)
Golang: because hackers haven’t given up on SQL injection in 2024...
December 30, 2024 at 12:48 AM
Golang: because hackers haven’t given up on SQL injection in 2024...
🎅
pentesterlab.com/gift/v5kegJq... (3-month)
pentesterlab.com/gift/4VG6RYU... (3-month)
pentesterlab.com/gift/lsgfEwJ... (3-month)
pentesterlab.com/gift/v5kegJq... (3-month)
pentesterlab.com/gift/4VG6RYU... (3-month)
pentesterlab.com/gift/lsgfEwJ... (3-month)
Learn Web Penetration Testing: The Right Way
Learn Web Penetration Testing: The Right Way
pentesterlab.com
December 24, 2024 at 10:41 PM
🎅
pentesterlab.com/gift/v5kegJq... (3-month)
pentesterlab.com/gift/4VG6RYU... (3-month)
pentesterlab.com/gift/lsgfEwJ... (3-month)
pentesterlab.com/gift/v5kegJq... (3-month)
pentesterlab.com/gift/4VG6RYU... (3-month)
pentesterlab.com/gift/lsgfEwJ... (3-month)
I put together a VERY limited (for now) list of web hackers in a Starter pack:
go.bsky.app/9uay4Ad
A lot of people are missing (I will try to add more as I find them) but make sure you follow people already in the list!
go.bsky.app/9uay4Ad
A lot of people are missing (I will try to add more as I find them) but make sure you follow people already in the list!
December 18, 2024 at 12:54 AM
I put together a VERY limited (for now) list of web hackers in a Starter pack:
go.bsky.app/9uay4Ad
A lot of people are missing (I will try to add more as I find them) but make sure you follow people already in the list!
go.bsky.app/9uay4Ad
A lot of people are missing (I will try to add more as I find them) but make sure you follow people already in the list!
Reposted by Louis Nyffenegger
Cross-Site POST Requests Without a Content-Type Header by @lukejahnke
https://nastystereo.com/security/cross-site-post-without-content-type.html
#BBRENewsletter85
https://nastystereo.com/security/cross-site-post-without-content-type.html
#BBRENewsletter85
December 16, 2024 at 3:05 PM
Cross-Site POST Requests Without a Content-Type Header by @lukejahnke
https://nastystereo.com/security/cross-site-post-without-content-type.html
#BBRENewsletter85
https://nastystereo.com/security/cross-site-post-without-content-type.html
#BBRENewsletter85
Reposted by Louis Nyffenegger
❤It is why I am a huge fan and student of @pentesterlab.com and @snyff.pentesterlab.com
😱This lab show me that I was wrong, since several years, recommending to dev teams using a hash of the token as identifier in a revocation list.
🥰Now, I know the correct recommendation to provide.
#appsec #jwt
😱This lab show me that I was wrong, since several years, recommending to dev teams using a hash of the token as identifier in a revocation list.
🥰Now, I know the correct recommendation to provide.
#appsec #jwt
🚨 New Lab Alert!
💡 How NOT to revoke JWTs: Learn how Base64 malleability can be used to bypass weak revocation mechanisms.
Ready to test your skills? 💥
👉 pentesterlab.com/exercises/ap...
#APISecurity #Pentesting
💡 How NOT to revoke JWTs: Learn how Base64 malleability can be used to bypass weak revocation mechanisms.
Ready to test your skills? 💥
👉 pentesterlab.com/exercises/ap...
#APISecurity #Pentesting
PentesterLab: API JWT REVOCATION
This exercise covers how to bypass a weak JWT Revocation Mechanism.
pentesterlab.com
December 14, 2024 at 4:31 PM
❤It is why I am a huge fan and student of @pentesterlab.com and @snyff.pentesterlab.com
😱This lab show me that I was wrong, since several years, recommending to dev teams using a hash of the token as identifier in a revocation list.
🥰Now, I know the correct recommendation to provide.
#appsec #jwt
😱This lab show me that I was wrong, since several years, recommending to dev teams using a hash of the token as identifier in a revocation list.
🥰Now, I know the correct recommendation to provide.
#appsec #jwt
Reposted by Louis Nyffenegger
Want to level up your learning in security? 🚀 Stop scrolling and start reflecting.
'Reading Between the Lines' challenges you to dig deeper:
1️⃣ What can I learn from this?
2️⃣ What patterns apply elsewhere?
3️⃣ Why didn’t I spot this?
The real breakthroughs come when you ask the right questions. 💡
👇
'Reading Between the Lines' challenges you to dig deeper:
1️⃣ What can I learn from this?
2️⃣ What patterns apply elsewhere?
3️⃣ Why didn’t I spot this?
The real breakthroughs come when you ask the right questions. 💡
👇
PentesterLab Blog: Reading Between the Lines: A Guide to Thoughtful Learning in Security
Discover how to extract deeper insights from security content by going beyond surface-level understanding. This post explores a reflective approach to learning, helping you uncover patterns, improve y...
pentesterlab.com
December 12, 2024 at 3:16 AM
Want to level up your learning in security? 🚀 Stop scrolling and start reflecting.
'Reading Between the Lines' challenges you to dig deeper:
1️⃣ What can I learn from this?
2️⃣ What patterns apply elsewhere?
3️⃣ Why didn’t I spot this?
The real breakthroughs come when you ask the right questions. 💡
👇
'Reading Between the Lines' challenges you to dig deeper:
1️⃣ What can I learn from this?
2️⃣ What patterns apply elsewhere?
3️⃣ Why didn’t I spot this?
The real breakthroughs come when you ask the right questions. 💡
👇
These are simple issues, but they illustrate how, by thinking of vulnerabilities as patterns rather than code, you can move from one language to another.
CORS vulnerabilities in Rust 🦀?
Same common mistakes, new language. 🐛
Look out for starts_with(), contains(), and even some interesting ends_with() cases.
Check out our new dive into Rust CORS issues:
pentesterlab.com/blog/rust-co...
#AppSec #RustLang #CodeReview
Same common mistakes, new language. 🐛
Look out for starts_with(), contains(), and even some interesting ends_with() cases.
Check out our new dive into Rust CORS issues:
pentesterlab.com/blog/rust-co...
#AppSec #RustLang #CodeReview
PentesterLab Blog: Exploring CORS Vulnerabilities in Rust: Patterns and Bypasses
In this post, I dive into common CORS vulnerabilities found in Rust, comparing them to similar issues in Go. I also explore a unique strategy I encountered that can be easily bypassed, shedding light ...
pentesterlab.com
December 5, 2024 at 9:57 PM
These are simple issues, but they illustrate how, by thinking of vulnerabilities as patterns rather than code, you can move from one language to another.
Guess who has two thumbs, just found another algorithm confusion vulnerability, and got accepted to speak at @cactuscon.bsky.social on algorithm confusion vulnerabilities?
👍 THIS GUY 👍
👍 THIS GUY 👍
December 5, 2024 at 4:14 AM
Guess who has two thumbs, just found another algorithm confusion vulnerability, and got accepted to speak at @cactuscon.bsky.social on algorithm confusion vulnerabilities?
👍 THIS GUY 👍
👍 THIS GUY 👍