💡 Although the project is currently on hold due to the OWASP Foundation’s migration to a new CMS (we are waiting for it to go live before strongly updating our content structure), we continue to update and improve the content behind the scenes.

📡 OWASP Secure Headers Project: We have refactored the section on the browser’s "Local Network Access" feature.

#appsec #appsecurity #owasp_shp

📖 owasp.org/www-project-...

In collaboration with a couple of other leaders in the industry we are releasing securitytitles.com - It's an attempt to provide transparency about role levels, expectations and (just for the US market currently, salary ranges). For leaders writing JDs and candidates alike.

GitHub - jub0bs/cors: perhaps the best CORS middleware library for Go perhaps the best CORS middleware library for Go. Contribute to jub0bs/cors development by creating an account on GitHub.

🎉 After a few years of refinement and close to 1 >> 9 commits, I'm pleased to announce the v1 release of my CORS middleware library for Go.

Let me know whether it patches things up between you and CORS!

github.com/jub0bs/cors

#golang #CORS

Defenders Finally Have the Edge - PentesterLab's Blog AI agents are changing vulnerability research, but the real advantage goes to defenders. Attackers face air-gap constraints while defenders get full access to frontier models on their own code. Every ...

Everyone is panicking about AI-generated zero days like it's an attacker story.

It's not.

Defenders can use the best models against their own code right now.

Your progress compounds. Attackers' job gets harder.

pentesterlab.com/blog/defende...

The Cornucopia of Gamified Threat Modeling At the OWASP Cornucopia project, we are done with updating the cards and help pages for the Website...

The Cornucopia of Gamified Threat Modeling

At the OWASP Cornucopia project, we are done with updating the cards and help pages for the Website App Edition v3.0!

dev.to/owasp/the-co...
#appsec #cybersecurity #gamedev #security

heads up: FreeBSD forums hacked. Be caeeful with your email or DMs coming from FreeBSD forum or freebsd{.}org for some time now.

https:// forums {.} freebsd {.} org/

Remote Command Execution in Google Cloud with Single Directory Deletion Introduction Hello, I’m RyotaK (@ryotkak ), a security engineer at GMO Flatt Security Inc. A while ago, I participated in the Google Cloud VRP bugSWAT, a live hacking event organized by Google. During...

𝗥𝗲𝘀𝗲𝗮𝗿𝗰𝗵 𝗪𝗼𝗿𝘁𝗵 𝗥𝗲𝗮𝗱𝗶𝗻𝗴 - 𝗪𝗲𝗲𝗸 𝟭𝟯, 𝟮𝟬𝟮𝟲
Only one entry but definitely worth reading!

☁️ 𝗥𝗲𝗺𝗼𝘁𝗲 𝗖𝗼𝗺𝗺𝗮𝗻𝗱 𝗘𝘅𝗲𝗰𝘂𝘁𝗶𝗼𝗻 𝗶𝗻 𝗚𝗼𝗼𝗴𝗹𝗲 𝗖𝗹𝗼𝘂𝗱 𝘄𝗶𝘁𝗵 𝗦𝗶𝗻𝗴𝗹𝗲 𝗗𝗶𝗿𝗲𝗰𝘁𝗼𝗿𝘆 𝗗𝗲𝗹𝗲𝘁𝗶𝗼𝗻
This one is a real tour de force: flatt.tech/research/pos....

Dear contributors to Voxxed Days Luxembourg's renewed success: the call for your papers, supposedly closed tonight wil be extended by 2 weeks to accomodate latecomers.
A small reminder: 15 min. lunch talks are often under-filled, to test your speaker abilities, this is a perfect opportunity!

Example of execution

To make it visual, I made an example with a fictional function used to compare if two hosts have the same FQDN:

🔬 In Python, the zip() function consider the number of elements of the smallest of the both arrays passed. If the function is used against arrays with different sizes then the items that are parts of the largest array are skipped.

📖 References used:

- pentesterlab.com

#appsec #appsecurity

🧑‍🎓 Learning of the day for me, once again thanks to @pentesterlab.com (for the presentation of the behavior and the code review lab) and Claude (for the detailed explanation).

#appsec #appsecurity

𝗥𝗲𝘀𝗲𝗮𝗿𝗰𝗵 𝗪𝗼𝗿𝘁𝗵 𝗥𝗲𝗮𝗱𝗶𝗻𝗴 - 𝗪𝗲𝗲𝗸 𝟭𝟮, 𝟮𝟬𝟮𝟲
AI doing research, AI killing CTF

🤖 𝗧𝗲𝘀𝘁𝗶𝗻𝗴 𝗔𝗜 𝗳𝗼𝗿 𝗩𝘂𝗹𝗻𝗲𝗿𝗮𝗯𝗶𝗹𝗶𝘁𝘆 𝗥𝗲𝘀𝗲𝗮𝗿𝗰𝗵: 𝟰 𝗔𝗽𝗽𝗿𝗼𝗮𝗰𝗵𝗲𝘀 & 𝗪𝗵𝗲𝗿𝗲 𝗜 𝗙𝗮𝗶𝗹𝗲𝗱
If you can only read one thing this week, make it this article: xclow3n.github.io/post/7.

Le CFP des 10 ans de VoxxedDays Luxembourg est toujours ouvert, ne trainez plus :)
→ voxxedlu2026.cfp.dev#/

Advanced Web Hacking and Security Code Review Training | PentesterLab Learn advanced web hacking and security code review through real-world CVEs, vulnerable code, hands-on exploitation, and detailed technical walkthroughs.

💡 The instruction "()" at the end is important otherwise the code is not executed.

📖 References used:

- pentesterlab.com

🔬 In JavaScript, the instruction "Function(inputString)()" cause the content of "inputString" to be executed. "Function()" is a constructor that creates a new function from a string of code, similar to "eval()", but slightly more contained.

#appsec #appsecurity

Example of execution.

🧑‍🎓 Learning of the day for me thanks to @pentesterlab.com (for the presentation of the behavior and the code review lab) and Claude (for the detailed explanation):

#appsec #appsecurity

𝗥𝗲𝘀𝗲𝗮𝗿𝗰𝗵 𝗪𝗼𝗿𝘁𝗵 𝗥𝗲𝗮𝗱𝗶𝗻𝗴 - 𝗪𝗲𝗲𝗸 𝟭𝟬, 𝟮𝟬𝟮𝟲
A great mix of content this week!

🔒 𝗜𝗿𝗼𝗻𝗖𝘂𝗿𝘁𝗮𝗶𝗻: 𝗔 𝗣𝗲𝗿𝘀𝗼𝗻𝗮𝗹 𝗔𝗜 𝗔𝘀𝘀𝗶𝘀𝘁𝗮𝗻𝘁 𝗕𝘂𝗶𝗹𝘁 𝗦𝗲𝗰𝘂𝗿𝗲 𝗳𝗿𝗼𝗺 𝘁𝗵𝗲 𝗚𝗿𝗼𝘂𝗻𝗱 𝗨𝗽
Niels Provos (from OpenBSD's systrace) is sharing a new tool to sandbox your AI assistant: www.provos.org/p/ironcurtai....

CVE-2026-1731 Metasploit module demo

My first @metasploit-r7.bsky.social module is live! You can now exploit CVE-2026-1731 (BeyondTrust command injection) with the latest version 😎

𝗥𝗲𝘀𝗲𝗮𝗿𝗰𝗵 𝗪𝗼𝗿𝘁𝗵 𝗥𝗲𝗮𝗱𝗶𝗻𝗴 - 𝗪𝗲𝗲𝗸 𝟵, 𝟮𝟬𝟮𝟲
Mostly AI...

💻 𝗕𝗿𝗼𝘄𝘀𝗲𝗿-𝗕𝗮𝘀𝗲𝗱 𝗣𝗼𝗿𝘁 𝗦𝗰𝗮𝗻𝗻𝗶𝗻𝗴 𝗶𝗻 𝘁𝗵𝗲 𝗔𝗴𝗲 𝗼𝗳 𝗟𝗡𝗔
Leveraging Local Network Access to create a port scanner! wiki.notveg.ninja/tools/lna-po....

What you don't see - PentesterLab's Blog More and more, with the progress of coding agents, people are rewriting software.And honestly, it looks easy. You write a good ...

I wrote about what happens when you rewrite mature software with agents. You rebuild the features. You don't rebuild the scars.

vinext: one engineer, one week, $1,100 in tokens. Then plenty of vulnerabilities found within days.

pentesterlab.com/blog/what-yo...

vue de zensical

Zensical : un générateur de sites statiques qui permet de transformer rapidement une documentation Markdown en un site professionnel, personnalisable et multilingue. (Découvert via Mat V. )

👉 Le projet : github.com/zensical/...
👉 En savoir plus : https://zensical.org/

PentesterLab: Learn with our JavaScript Code Review The JavaScript Code Review Badge is our badge dedicated to security code review in JavaScript. It covers the discovery of weaknesses and vulnerabilities using source code review.

6 new code review labs just dropped 🚀
+3 for JavaScript Code Review
+3 for Python Code Review

JS: pentesterlab.com/badges/javas...

Python: pentesterlab.com/badges/pytho...

Overview of one repo

🧑‍🎓 As part of my homework on AI from an AppSec perspective, I have decided to gather all my content on GitHub so that I can share it in case anyone is interested.

📖 Cheat sheet, methodology and tools: github.com/righettod/to...

🔬 R&D: github.com/righettod/po...

#appsec #appsecurity #ai

🔥 OWASP CRS is evolving! Introducing #CRSLang — a new YAML-based rule language replacing Seclang. Cleaner syntax, multi-engine support, bidirectional translation, and a lower barrier for new contributors.
Check it out 👉 coreruleset.org/2026...
#WAF #AppSec #OWASP #ModSecurity

Erratum, it's opened tonight February the 15th 😂
--------------
Erratum, c'est ouvert ce soir le 15 février 😂

Voxxed Days Luxembourg's CFP will be opened from tonight February the 17th at 11:30 PM to March the 29th at midnight.Luxembourg
----------------
L'appel aux orateurs de Voxxed Days sera ouvert à partir de ce soir, le 17 février à 23h30 jusqu'au 29 mars à minuit.
---
voxxedlu2026.cfp.dev

Release Release v2.6.0 · OWASP/cornucopia What's Changed Bump svelte from 5.49.2 to 5.50.0 in /cornucopia.owasp.org by @dependabot[bot] in #2188 Bump postgrex from 0.21.1 to 0.22.0 in /copi.owasp.org by @dependabot[bot] in #2186 Bump wait...

OWASP Cornucopia just release v2.6.0

github.com/OWASP/cornuc...

The new release comes with support for continuing the game session even if players can not continue the game when playing on copi.owasp.org

#owasp #appsec #security #cornucopia

Added a small feature to cspbypass.com to warn the user if unsafe-inline is detected, in which case you typically don’t need to waste time hunting for 3rd-party whitelisted CSP bypasses and go straight to inline scripts / event handlers.

Sqldef : un outil CLI qui permet le "diffing" de deux schémas SQL et de générer automatiquement les instructions de migration nécessaires.

👉 sqldef.github.io/