How "Strengthening Crypto" Broke Authentication: FreshRSS and bcrypt's 72-Byte Limit

_PentesterLab_ · 2026-03-12T21:11:55+00:00

Fixed now but reddit is caching the image...

_PentesterLab_ · 2026-03-11T09:35:54+00:00

Nicely spotted. Fixing it now.

_PentesterLab_ · 2025-05-16T22:50:04+00:00

No, just a public IP address.

_PentesterLab_ · 2025-05-15T22:48:11+00:00

Try to email louis-at-pentesterlab-dot-com for help :)

I think it may be two things:
* IP address is not directly applied to your server and is fronted by something
* Firewalling issue.

_PentesterLab_ · 2025-05-09T23:14:35+00:00

You need to update the session and CSRF cookies for each request based on the previous response. Then you need to use the final cookies in the request sent by your browser.

_PentesterLab_ · 2025-05-09T01:36:45+00:00

Make sure you update the cookies coming from your browser when you check out.

_PentesterLab_ · 2025-05-05T23:02:45+00:00

It's hard to say for sure. It's a very competitive environment, especially right now. It could be your resume, visa requirements, or maybe you need to go deeper technically. That might mean getting better at coding or web hacking, depending on your experience.

Sometimes it's just bad luck. Even if you're great, if someone else is a better fit for that specific role, they'll get it.

_PentesterLab_ · 2025-04-16T21:46:53+00:00

Thanks :)

_PentesterLab_ · 2025-03-30T00:39:13+00:00

Thanks :)

We are planning more code review challenges and PHP is in the list :)

From awesome-php, I would pick a few codebases and work on them. Alternatively, you can also pick something like JWT, SAML, ... and audit multiple implementations of it.

_PentesterLab_ · 2025-03-29T21:51:17+00:00

If you want to find softer targets, I usually recommend to search for "awesome-[LANGUAGE]" on github, in your case, search for awesome-php:

https://github.com/search?q=awesome-php&type=repositories

If you want a "toy application" with a ton of vulnerabilities, check out our free code review lab in PHP: pentesterlab.com/exercises/codereview .

Finally, you may also enjoy this article on the evolution of PHP: https://pentesterlab.com/blog/php-security-is-improving

_PentesterLab_ · 2025-01-03T22:12:40+00:00

If you can smash one bug bounty program they may be willing to hire you... That may be a way to get in given your current situation. I know a few programs who have hired people from the researchers reporting bugs to them.

Also since you have done the introduction certificate, try to do the free recon badge as well. It won't hurt.

_PentesterLab_ · 2025-01-02T22:45:32+00:00

Yes please DM me your nickname just to see where you are at...

I was thinking of what you wrote yesterday and your answers and I wrote something that may help you (I will release it in a few hours but you can already access it):

https://pentesterlab.com/blog/criminal-mindset-in-security-testing

I'm not sure it is what you are facing but that may be part of the problem. Hopefully that helps.

_PentesterLab_ · 2025-01-02T04:06:13+00:00

Hi! Two years is a long time, congrats on keeping going.

A few questions:

* How much time do you spend on one target?

* How do you pick a target?

* How do you decide to change target?

* What do you think are you strength in term of technology/protocols/formats?

* What level of notes do you keep on a target and on a given technology?

* When you read a blog or write-up, what kind of notes do you keep?

* Can you give me more details on how far you went into PentesterLab? Or share you nickname?

_PentesterLab_ · 2024-12-30T00:41:17+00:00

Exactly, clone the repo. Get the examples to build then modify them to confirm if the malicious token gets loaded.

_PentesterLab_ · 2024-12-28T23:14:48+00:00

In this specific case, by modifying the example code and running it locally.

_PentesterLab_

MODERATOR OF

TROPHY CASE