snyff.pentesterlab.com
Founder/CEO/Trainer/Researcher/CVE archeologist @PentesterLab. Security engineer. Bugs are my own, not of my employer...
36 posts 874 followers 40 following

AI-generated code is reshaping secure code review: fewer trivial bugs, but more hidden threats. Read more in our new blog post: pentesterlab.com/blog/secure-... What do you think?

Think teaching devs to hack is risky? In reality, a bit of hacking knowledge helps them spot vulnerabilities early and build stronger apps. Discover why having devs with a 'hacker mindset' is a win for security: pentesterlab.com/blog/why-dev...

From now on, I'll call any snippet of vulnerable code shared on Social Media "Security Code Review Porn". It gives the wrong expectations about what real code review actually involves.

Articles worth reading discovered last week: blog.doyensec.com/2025/01/30/o... ☠️ www.feistyduck.com/newsletter/i... 📚 pathonproject.com/zb/?871f0933... And as always, it's in our blog: pentesterlab.com/blog/researc... #PentesterLabWeekly

I'm excited to share that in a few weeks I'll be heading to the US for a series of talks and workshops focused on security code review and JWT, and I'll be bringing some @pentesterlab.com swag along too!

🚀 Level up your #CyberSecurity skills FOR FREE! 🛡️ Earn the Recon Badge with Pentesterlab and master: Virtual Hosts, DNS Recon, 🔒 TLS Recon ...and so much more! Start your journey today 👉 pentesterlab.com/badges/recon


Networking in InfoSec isn't just about IP addresses and ports, it's also about people! Discover how meetups, conferences, and volunteering can open big career doors in InfoSec. Read more: pentesterlab.com/blog/infosec...

Someone shared this write-up in the @pentesterlab.com Discord: www.wiz.io/blog/nuclei-... I love this article so much! The content and the analysis are A+. I really like the 🚩 (very similar to pentesterlab.com/blog/another...)

Have a great weekend and enjoy some tunes: youtu.be/j_Md8_7mhOU

If your New Year's resolution is to get better at web security code review, don't miss our upcoming live training. Learn how to find vulnerabilities and strengthen your skills: pentesterlab.gumroad.com

Happy New Year! pentesterlab.com/gift/xDzcB35... (3-month) pentesterlab.com/gift/UBMtCsi... (3-month) pentesterlab.com/gift/BWEYEme... (3-month)

Golang: because hackers havenโ€™t given up on SQL injection in 2024...

🎅 pentesterlab.com/gift/v5kegJq... (3-month) pentesterlab.com/gift/4VG6RYU... (3-month) pentesterlab.com/gift/lsgfEwJ... (3-month)

I put together a VERY limited (for now) list of web hackers in a Starter pack: go.bsky.app/9uay4Ad A lot of people are missing (I will try to add more as I find them) but make sure you follow people already in the list!

Cross-Site POST Requests Without a Content-Type Header by @lukejahnke https://nastystereo.com/security/cross-site-post-without-content-type.html #BBRENewsletter85

โคIt is why I am a huge fan and student of @pentesterlab.com and @snyff.pentesterlab.com ๐Ÿ˜ฑThis lab show me that I was wrong, since several years, recommending to dev teams using a hash of the token as identifier in a revocation list. ๐ŸฅฐNow, I know the correct recommendation to provide. #appsec #jwt

Want to level up your learning in security? 🚀 Stop scrolling and start reflecting. 'Reading Between the Lines' challenges you to dig deeper: 1️⃣ What can I learn from this? 2️⃣ What patterns apply elsewhere? 3️⃣ Why didn't I spot this? The real breakthroughs come when you ask the right questions. 💡 👇

pentesterlab.com/gift/oNrufnj...

These are simple issues, but they illustrate how, by thinking of vulnerabilities as patterns rather than code, you can move from one language to another.

Guess who has two thumbs, just found another algorithm confusion vulnerability, and got accepted to speak at @cactuscon.bsky.social on algorithm confusion vulnerabilities? 👍 THIS GUY 👍

Cyber has more certs than /etc/ssl/certs/ca-certificates.crt

If you are a new PRO subscriber, make sure you order your set of free stickers!

Only content from Australia and New Zealand this week! Is the rest of the world asleep? 💎 nastystereo.com/security/rub... 🪄 srcincite.io/blog/2024/11... nastystereo.com/security/cro... 👺 pulsesecurity.co.nz/articles/mss... tierzerosecurity.co.nz/2024/11/26/d...

Encoding isn't magic ✨: It doesn't bypass filters or hack systems unless something decodes it. Learn how to avoid this common security misconception: pentesterlab.com/blog/encodin... #AppSec #CyberSecurity #BugBounty

Given that simps0n isn't on Bluesky yet, allow me to repost a link to his excellent weekly ezine 💎 Here's today's edition, "AppSec Ezine - 563rd" 📚

Programming languages should have functions/methods to validate if a hostname or origin is part of a domain... That would kill a *LOT* of vulnerabilities...
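The post above points at a recurring bug class: deciding whether a URL belongs to your domain with a substring or suffix test on the raw string instead of parsing it and comparing the hostname on a label boundary. The following is an added example written for this page, not code from snyff or PentesterLab. It assumes a hypothetical first-party domain of example.com and uses constructed URLs, and it puts two common naive checks next to a hardened one so the failure cases are visible.

```javascript
// Added example (not from the original post): why "is this hostname/origin part of
// my domain?" needs a real URL parser plus a label-aligned hostname comparison.
// TRUSTED_DOMAIN is a hypothetical first-party domain; all sample URLs are constructed.

const TRUSTED_DOMAIN = "example.com";

// Naive check 1: substring match on the raw string.
// Anything that merely mentions the trusted name passes.
function naiveIncludes(url) {
  return url.includes(TRUSTED_DOMAIN);
}

// Naive check 2: suffix match on the parsed hostname, but without the dot boundary,
// so "notexample.com" is accepted. It also ignores the scheme.
function naiveEndsWith(url) {
  try {
    return new URL(url).hostname.endsWith(TRUSTED_DOMAIN);
  } catch {
    return false;
  }
}

// Hardened check: parse the URL, pin the scheme, normalise the hostname, then accept
// only an exact match or a subdomain separated by a dot ("." + domain).
function isTrustedOrigin(url, domain = TRUSTED_DOMAIN) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input is never trusted
  }
  if (parsed.protocol !== "https:") return false;
  // WHATWG URL already lowercases the host; strip a trailing dot (FQDN form).
  const host = parsed.hostname.toLowerCase().replace(/\.$/, "");
  const wanted = domain.toLowerCase();
  return host === wanted || host.endsWith("." + wanted);
}

// Constructed cases: [url, shouldBeTrusted]
const CASES = [
  ["https://example.com/login", true],
  ["https://api.example.com/v1", true],
  ["https://example.com.evil.test/", false],       // trusted name as a prefix of attacker host
  ["https://evil.test/example.com", false],        // trusted name in the path
  ["https://evil.test/?next=example.com", false],  // trusted name in the query string
  ["https://example.com@evil.test/", false],       // trusted name in the userinfo part
  ["https://notexample.com/", false],              // suffix match without a label boundary
  ["http://example.com/", false],                  // right host, wrong scheme
  ["javascript:alert(1)//example.com", false],     // not an http(s) URL at all
];

// Returns how many of the constructed cases a given check gets wrong.
function countMistakes(check) {
  return CASES.filter(([url, expected]) => check(url) !== expected).length;
}

console.log("includes  mistakes:", countMistakes(naiveIncludes));   // 7
console.log("endsWith  mistakes:", countMistakes(naiveEndsWith));   // 2
console.log("hardened  mistakes:", countMistakes(isTrustedOrigin)); // 0
```

The userinfo and path cases are the ones that usually survive code review: `new URL("https://example.com@evil.test/")` parses with `example.com` as the username and `evil.test` as the host, so any check that does not go through the parsed `hostname` is comparing the wrong field.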

When you're just minding your own business building code review labs for @pentesterlab.com, and a new vulnerability jumps out at you...

@nastystereo.com seems alright at computers...

My latest blog post is live! nastystereo.com/security/cro... Read how to send a cross-site POST without including a Content-Type header (without CORS). It even works with navigator.sendBeacon

(H|Bl)ack Friday is Back! 🔥🔥🔥 Black Friday Special 🔥🔥🔥 Get full access to PentesterLab PRO for a year and pay $146.52 instead of $199.99 🎓📚✏️ Student Special ✏️📚🎓 Get full access to PentesterLab PRO for three months and pay $25.99 instead of $34.99

I've been meaning to look into this for a while... the year of the latest commit for all the libraries on jwt.io.

I loved putting these challenges together. A good mix of simple code review and exploitation. 😈 The Devil is in the Details 😈

I just updated PentesterLab Handle to @pentesterlab.com ...

๐Ÿ’ป ๐‡๐š๐œ๐ค ๐ญ๐ก๐ž ๐ฐ๐ž๐› ๐ฐ๐ข๐ญ๐ก ๐œ๐ฎ๐ซ๐ฅ! In this article, we share tricks and handy ways to test web applications using curl. Boost your debugging, automate tasks, and uncover vulnerabilities with ease. ๐Ÿš€ ๐Ÿ“– Read the full guide: pentesterlab.com/blog/tricks-... Happy hacking! #WebHacking #CyberSecurity #Curl

I just published a new blog post sharing an improved Deserialization Gadget Chain for Ruby! It builds on the work of others, including Leonardo Giovanni, @ulldma.bsky.social and @vakzz.bsky.social nastystereo.com/security/rub...