Louis Nyffenegger

@snyff.pentesterlab.com

Founder/CEO/Trainer/Researcher/CVE archeologist @PentesterLab. Security engineer. Bugs are my own, not of my employer...

902 Followers  |  40 Following  |  37 Posts  |  Joined: 11.11.2024

Latest posts by snyff.pentesterlab.com on Bluesky

I’ve spent 2 solid hours doing bug bounty and I still haven’t made $200k.

Can someone tell me what I’m doing wrong?

#bugbountytips

20.04.2025 23:09 — 👍 4    🔁 0    💬 1    📌 0

How AI-Generated Code Is Changing Secure Code Review: Learn how AI-generated code impacts secure code review and application security. Discover why AI excels at catching common vulnerabilities but needs human expertise for complex bugs.

AI-generated code is reshaping secure code review—fewer trivial bugs, but more hidden threats.

Read more in our new blog post:

pentesterlab.com/blog/secure-...

What do you think?

24.02.2025 22:49 — 👍 0    🔁 1    💬 0    📌 0

I Don’t Want My Devs to Become Hackers! - PentesterLab's Blog: Discover why encouraging developers to learn ethical hacking boosts security, reduces bugs, and fosters a proactive security culture in your organization.

Think teaching devs to hack is risky?

In reality, a bit of hacking knowledge helps them spot vulnerabilities early and build stronger apps.

Discover why having devs with a 'hacker mindset' is a win for security:

pentesterlab.com/blog/why-dev...

13.02.2025 18:21 — 👍 2    🔁 1    💬 0    📌 0

From now on, I'll call any snippet of vulnerable code shared on Social Media

"Security Code Review Porn"

It gives the wrong expectations about what real code review actually involves.

07.02.2025 02:44 — 👍 4    🔁 0    💬 0    📌 0

Common OAuth Vulnerabilities · Doyensec's Blog: Common OAuth Vulnerabilities

Articles worth reading discovered last week:

🤝 blog.doyensec.com/2025/01/30/o...
☠️ www.feistyduck.com/newsletter/i...
📚 pathonproject.com/zb/?871f0933...

And as always, it’s in our blog: pentesterlab.com/blog/researc...

#PentesterLabWeekly

02.02.2025 21:50 — 👍 6    🔁 3    💬 0    📌 0

If you’re in the area, here’s my schedule:
* OWASP Bay Area (Feb 11)
* CactusCon in Mesa/Phoenix (Feb 14 & 15)
* OWASP Los Angeles (Feb 18)
* OWASP Orange County (Feb 20)

I’d love to connect—if you’re nearby, please stop by and say hello (and maybe grab some swag)!

29.01.2025 23:33 — 👍 0    🔁 0    💬 0    📌 0

I’m excited to share that in a few weeks I’ll be heading to the US for a series of talks and workshops focused on security code review and JWT—and I’ll be bringing some @pentesterlab.com swag along too!

29.01.2025 23:33 — 👍 5    🔁 2    💬 1    📌 0

28.01.2025 03:12 — 👍 9    🔁 1    💬 0    📌 0

PentesterLab: Learn with our Recon Badge: The Recon badge is our set of exercises created to help you learn Reconnaissance. From finding usual files down to DNS and TLS exploration, this badge will help you get better at finding new targets

🚀 Level up your #CyberSecurity skills FOR FREE! 🛑️

Earn the Recon Badge with Pentesterlab and master: 🔍 Virtual Hosts 🌐 DNS Recon 🔒 TLS Recon ...and so much more!

Start your journey today
👉 pentesterlab.com/badges/recon

25.01.2025 00:09 — 👍 2    🔁 2    💬 0    📌 0

...

22.01.2025 09:35 — 👍 2    🔁 0    💬 1    📌 0

Networking but not TCP/IP - PentesterLab's Blog: Discover how building real-world connections in the InfoSec community can accelerate your journey into pentesting and cybersecurity. From local meetups and conferences to online communities, this guid...

Networking in InfoSec isn’t just about IP addresses and ports—it’s also about people!

Discover how meetups, conferences, and volunteering can open big career doors in InfoSec.

Read more: pentesterlab.com/blog/infosec...

11.01.2025 23:59 — 👍 11    🔁 3    💬 0    📌 0

A Signature Verification Bypass in Nuclei (CVE-2024-43405) | Wiz Blog: Wiz's engineering team discovered a high-severity signature verification bypass in Nuclei which could potentially lead to arbitrary code execution.

Someone shared this write-up in the @pentesterlab.com Discord:

www.wiz.io/blog/nuclei-...

I love this article so much! The content and the analysis are A+

I really like the 🚩 (very similar to pentesterlab.com/blog/another...)

05.01.2025 03:02 — 👍 8    🔁 0    💬 0    📌 0

joernchen - Friday 13th @ 1°C
YouTube video by Tiny Club Berlin: joernchen - Friday 13th @ 1°C

Have a great weekend and enjoy some tunes:

youtu.be/j_Md8_7mhOU

04.01.2025 13:46 — 👍 6    🔁 3    💬 1    📌 0

Subscribe to PentesterLab on Gumroad: PentesterLab is an easy and great way to learn security code review and penetration testing. We provide vulnerable systems that can be used to test and understand vulnerabilities.

If your New Year’s resolution is to get better at web security code review, don’t miss our upcoming live training. Learn how to find vulnerabilities and strengthen your skills:

pentesterlab.gumroad.com

31.12.2024 22:49 — 👍 3    🔁 2    💬 0    📌 0

Learn Web Penetration Testing: The Right Way

Happy New Year!

pentesterlab.com/gift/xDzcB35... (3-month)
pentesterlab.com/gift/UBMtCsi... (3-month)
pentesterlab.com/gift/BWEYEme... (3-month)

31.12.2024 22:48 — 👍 2    🔁 1    💬 0    📌 0

Golang: because hackers haven’t given up on SQL injection in 2024...

30.12.2024 00:48 — 👍 11    🔁 1    💬 1    📌 0

Learn Web Penetration Testing: The Right Way

🎅

pentesterlab.com/gift/v5kegJq... (3-month)
pentesterlab.com/gift/4VG6RYU... (3-month)
pentesterlab.com/gift/lsgfEwJ... (3-month)

24.12.2024 22:41 — 👍 9    🔁 3    💬 2    📌 0

Thank you! ☺️☺️☺️

23.12.2024 06:09 — 👍 1    🔁 0    💬 0    📌 0

Someone replied that I had the wrong handle for James, I fixed it but I cannot find the original message.

Thanks to whoever raised it.

18.12.2024 21:56 — 👍 1    🔁 0    💬 1    📌 0

I put together a VERY limited (for now) list of web hackers in a Starter pack:

go.bsky.app/9uay4Ad

A lot of people are missing (I will try to add more as I find them) but make sure you follow people already in the list!

18.12.2024 00:54 — 👍 31    🔁 14    💬 3    📌 0

Cross-Site POST Requests Without a Content-Type Header by @lukejahnke
https://nastystereo.com/security/cross-site-post-without-content-type.html
#BBRENewsletter85

16.12.2024 15:05 — 👍 2    🔁 1    💬 0    📌 0

❤️ It is why I am a huge fan and student of @pentesterlab.com and @snyff.pentesterlab.com
😱 This lab showed me that I have been wrong for several years, recommending that dev teams use a hash of the token as the identifier in a revocation list.
🥰 Now, I know the correct recommendation to provide.
#appsec #jwt

14.12.2024 16:31 — 👍 7    🔁 2    💬 0    📌 0

PentesterLab Blog: Reading Between the Lines: A Guide to Thoughtful Learning in Security: Discover how to extract deeper insights from security content by going beyond surface-level understanding. This post explores a reflective approach to learning, helping you uncover patterns, improve y...

Want to level up your learning in security? 🚀 Stop scrolling and start reflecting.

'Reading Between the Lines' challenges you to dig deeper:
1️⃣ What can I learn from this?
2️⃣ What patterns apply elsewhere?
3️⃣ Why didn’t I spot this?

The real breakthroughs come when you ask the right questions. 💡

👇

12.12.2024 03:16 — 👍 5    🔁 4    💬 1    📌 0

08.12.2024 21:28 — 👍 18    🔁 6    💬 2    📌 1

Yes, just a one off :/

07.12.2024 08:20 — 👍 1    🔁 0    💬 1    📌 0

Learn Web Penetration Testing: The Right Way

pentesterlab.com/gift/oNrufnj...

06.12.2024 22:31 — 👍 3    🔁 1    💬 1    📌 0

I didn't want to spoil the solution

05.12.2024 22:21 — 👍 0    🔁 0    💬 0    📌 0

The real question now is what kind of automation do you have in place to discover this code change/commit 😉

05.12.2024 21:59 — 👍 0    🔁 0    💬 0    📌 0

These are simple issues, but they illustrate how, by thinking of vulnerabilities as patterns rather than code, you can move from one language to another.

05.12.2024 21:57 — 👍 4    🔁 1    💬 1    📌 0

printf 'first**|uname' | ruby hack.rb

05.12.2024 21:53 — 👍 0    🔁 0    💬 2    📌 0