PentesterLab (@pentesterlab)'s Twitter Profile
PentesterLab

@pentesterlab

We make learning web hacking and security easier. Online systems, code review, videos & courses that can be used to understand, test and exploit bugs!

ID: 438070214

Link: https://www.pentesterlab.com/

Joined: 16-12-2011 04:32:30

10,10K Tweets

180,180K Followers

0 Following

PentesterLab (@pentesterlab):

PentesterLab has the largest collection of hands-on JWT labs. We cover algorithm confusion, jku, kid, x5u and so much more.

We also research new attack techniques and review JWT-related CVEs.

Here is a great one we came across today...
Bug Bounty Village (@bugbountydefcon):

We're excited to welcome @Pentesterlab as an In-Kind Sponsor of the Bug Bounty Village at DEF CON 33. Their support helps us create a space for hackers to connect, learn, and push boundaries. #BugBounty #DEFCON #BBV #BugBountyVillage

PentesterLab (@pentesterlab):

Reviewing CVEs can feel dull, but reading patches is a great way to sharpen your code-review training.

Today’s gem (see screenshot 👇): a cookie-signature check that shouted:

INVALID SIGNATURE. THE VALID SIGNATURE IS …

It leaked the valid signature 🤦‍♂️

One-line fix: stop
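The failure mode the tweet describes, as an added example that is not the page's code and not the code in the screenshot (which is not reproduced here): a constructed HMAC-SHA256 cookie scheme with the leaky verifier beside a hardened one, plus the attacker's two-request forgery. The key, the payload format, the `LEAK_MARKER` parsing and all function names are assumptions made for this demo. The hardened version also switches to a constant-time comparison, which goes one step beyond the tweet's one-line fix.

```python
import base64
import hashlib
import hmac

# Constructed demo key; a real deployment would load this from a secret store.
SECRET_KEY = b"constructed-demo-key-not-a-real-secret"


class InvalidSignature(Exception):
    """Raised when a signed cookie fails verification."""


def _b64e(raw: bytes) -> str:
    # base64url without padding, so the cookie value never contains "="
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def sign(payload: bytes, key: bytes = SECRET_KEY) -> str:
    """Produce a cookie of the form base64url(payload).base64url(HMAC-SHA256)."""
    return _b64e(payload) + "." + _b64e(_mac(payload, key))


def verify_leaky(cookie: str, key: bytes = SECRET_KEY) -> bytes:
    """The anti-pattern from the tweet: the error message carries the expected MAC.

    Anyone who can submit a cookie and read the error gets a valid signature for
    whatever payload they chose, so the secret key no longer protects anything.
    The plain string comparison is also not constant-time.
    """
    payload_b64, _, sig_b64 = cookie.partition(".")
    payload = _b64d(payload_b64)
    expected = _b64e(_mac(payload, key))
    if sig_b64 != expected:
        raise InvalidSignature(f"INVALID SIGNATURE. THE VALID SIGNATURE IS {expected}")
    return payload


def verify_fixed(cookie: str, key: bytes = SECRET_KEY) -> bytes:
    """Hardened verifier: generic error text and a constant-time comparison."""
    payload_b64, sep, sig_b64 = cookie.partition(".")
    if not sep:
        raise InvalidSignature("invalid signature")
    try:
        payload = _b64d(payload_b64)
        provided = _b64d(sig_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise InvalidSignature("invalid signature") from None
    if not hmac.compare_digest(provided, _mac(payload, key)):
        raise InvalidSignature("invalid signature")
    return payload


# Marker the attacker scrapes from the leaky error text (assumed format, see above).
LEAK_MARKER = "THE VALID SIGNATURE IS "


def forge_via_leak(verify, wanted_payload: bytes):
    """Attacker's side: submit a bogus signature, harvest the MAC from the error,
    and resubmit. Returns a cookie that verifies, or None if nothing leaked."""
    probe = _b64e(wanted_payload) + ".AAAA"
    try:
        verify(probe)
    except InvalidSignature as err:
        message = str(err)
        if LEAK_MARKER in message:
            leaked_sig = message.split(LEAK_MARKER, 1)[1]
            return _b64e(wanted_payload) + "." + leaked_sig
    return None


if __name__ == "__main__":
    honest = sign(b"user=alice;role=user")
    print("fixed verifier accepts an honest cookie:", verify_fixed(honest))
    forged = forge_via_leak(verify_leaky, b"user=alice;role=admin")
    print("cookie forged from the leaked MAC:", forged)
    print("leaky verifier accepts it:", verify_leaky(forged))
    print("same attack against the fixed verifier:",
          forge_via_leak(verify_fixed, b"user=alice;role=admin"))
```

Note that the forged cookie is accepted by the fixed verifier too: it carries a genuine MAC under the real key, which is exactly why the leak is equivalent to handing out the signing key. The fix works by making the leak impossible, not by rejecting cookies the attacker already obtained.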
PentesterLab (@pentesterlab):

Go parsers, Funky Chunks, Template injections... What a week! 📦 w4ke.info/2025/06/18/fun… 🐹blog.trailofbits.com/2025/06/17/une… 💣labs.watchtowr.com/is-b-for-backd… 😴 tantosec.com/blog/2025/06/i… 🛡️

PentesterLab (@pentesterlab):

🚀 Added 3 brand-new Go code-review labs to our Golang Code Review badge! Sharpen your eye for subtle bugs and level up your AppSec skills. Dive in here 👉 pentesterlab.com/badges/golang-… #golang #appsec #codereview

PentesterLab (@pentesterlab):

𝐉𝐚𝐯𝐚𝐒𝐜𝐫𝐢𝐩𝐭: 𝐛𝐞𝐜𝐚𝐮𝐬𝐞 𝐜𝐨𝐦𝐦𝐨𝐧 𝐬𝐞𝐧𝐬𝐞 𝐢𝐬 𝐨𝐯𝐞𝐫𝐫𝐚𝐭𝐞𝐝…
PentesterLab (@pentesterlab):

𝐉𝐚𝐯𝐚𝐒𝐜𝐫𝐢𝐩𝐭: 𝐛𝐞𝐜𝐚𝐮𝐬𝐞 𝐢𝐭 𝐥𝐢𝐭𝐞𝐫𝐚𝐥𝐥𝐲 𝐜𝐚𝐧’𝐭 𝐞𝐯𝐞𝐧.
PentesterLab (@pentesterlab):

Another CVE we came across this week as part of our CVE-analysis routine.

The impact is probably limited, but the vulnerability is a classic example of parser differential.

To give you a bit of background, the file .netrc is used to store credentials. It's mostly used by FTP
PentesterLab (@pentesterlab):

🐍 New month = new FREE labs! Tackle 3 bite-size Python code-review snippets and level up your bug-spotting skills. Dive in now → pentesterlab.com/my/progress#on… 🔍🆓 #Python #CodeReview

Louis Nyffenegger (@snyff):

The biggest shift in AppSec with AI? Dev work looks more like code review. They’re reviewing AI output, not writing every line. Old “write secure code” training isn’t enough. You need to teach them to spot bugs like a reviewer. 👉 pentesterlab.com/live-training/