Dominique Righetto

𝗥𝗲𝘀𝗲𝗮𝗿𝗰𝗵 𝗪𝗼𝗿𝘁𝗵 𝗥𝗲𝗮𝗱𝗶𝗻𝗴 - 𝗪𝗲𝗲𝗸 𝟭𝟬, 𝟮𝟬𝟮𝟲
A great mix of content this week!

🔒 𝗜𝗿𝗼𝗻𝗖𝘂𝗿𝘁𝗮𝗶𝗻: 𝗔 𝗣𝗲𝗿𝘀𝗼𝗻𝗮𝗹 𝗔𝗜 𝗔𝘀𝘀𝗶𝘀𝘁𝗮𝗻𝘁 𝗕𝘂𝗶𝗹𝘁 𝗦𝗲𝗰𝘂𝗿𝗲 𝗳𝗿𝗼𝗺 𝘁𝗵𝗲 𝗚𝗿𝗼𝘂𝗻𝗱 𝗨𝗽
Niels Provos (from OpenBSD's systrace) is sharing a new tool to sandbox your AI assistant: www.provos.org/p/ironcurtai....

CVE-2026-1731 Metasploit module demo

My first @metasploit-r7.bsky.social module is live! You can now exploit CVE-2026-1731 (BeyondTrust command injection) with the latest version 😎

𝗥𝗲𝘀𝗲𝗮𝗿𝗰𝗵 𝗪𝗼𝗿𝘁𝗵 𝗥𝗲𝗮𝗱𝗶𝗻𝗴 - 𝗪𝗲𝗲𝗸 𝟵, 𝟮𝟬𝟮𝟲
Mostly AI...

💻 𝗕𝗿𝗼𝘄𝘀𝗲𝗿-𝗕𝗮𝘀𝗲𝗱 𝗣𝗼𝗿𝘁 𝗦𝗰𝗮𝗻𝗻𝗶𝗻𝗴 𝗶𝗻 𝘁𝗵𝗲 𝗔𝗴𝗲 𝗼𝗳 𝗟𝗡𝗔
Leveraging Local Network Access to create a port scanner! wiki.notveg.ninja/tools/lna-po....

What you don't see - PentesterLab's Blog More and more, with the progress of coding agents, people are rewriting software.And honestly, it looks easy. You write a good ...

I wrote about what happens when you rewrite mature software with agents. You rebuild the features. You don't rebuild the scars.

vinext: one engineer, one week, $1,100 in tokens. Then plenty of vulnerabilities found within days.

pentesterlab.com/blog/what-yo...

vue de zensical

Zensical : un générateur de sites statiques qui permet de transformer rapidement une documentation Markdown en un site professionnel, personnalisable et multilingue. (Découvert via Mat V. )

👉 Le projet : github.com/zensical/...
👉 En savoir plus : https://zensical.org/

PentesterLab: Learn with our JavaScript Code Review The JavaScript Code Review Badge is our badge dedicated to security code review in JavaScript. It covers the discovery of weaknesses and vulnerabilities using source code review.

6 new code review labs just dropped 🚀
+3 for JavaScript Code Review
+3 for Python Code Review

JS: pentesterlab.com/badges/javas...

Python: pentesterlab.com/badges/pytho...

Overview of one repo

🧑‍🎓 As part of my homework on AI from an AppSec perspective, I have decided to gather all my content on GitHub so that I can share it in case anyone is interested.

📖 Cheat sheet, methodology and tools: github.com/righettod/to...

🔬 R&D: github.com/righettod/po...

#appsec #appsecurity #ai

🔥 OWASP CRS is evolving! Introducing #CRSLang — a new YAML-based rule language replacing Seclang. Cleaner syntax, multi-engine support, bidirectional translation, and a lower barrier for new contributors.
Check it out 👉 coreruleset.org/2026...
#WAF #AppSec #OWASP #ModSecurity

Erratum, it's opened tonight February the 15th 😂
--------------
Erratum, c'est ouvert ce soir le 15 février 😂

Voxxed Days Luxembourg's CFP will be opened from tonight February the 17th at 11:30 PM to March the 29th at midnight.Luxembourg
----------------
L'appel aux orateurs de Voxxed Days sera ouvert à partir de ce soir, le 17 février à 23h30 jusqu'au 29 mars à minuit.
---
voxxedlu2026.cfp.dev

Release Release v2.6.0 · OWASP/cornucopia What's Changed Bump svelte from 5.49.2 to 5.50.0 in /cornucopia.owasp.org by @dependabot[bot] in #2188 Bump postgrex from 0.21.1 to 0.22.0 in /copi.owasp.org by @dependabot[bot] in #2186 Bump wait...

OWASP Cornucopia just release v2.6.0

github.com/OWASP/cornuc...

The new release comes with support for continuing the game session even if players can not continue the game when playing on copi.owasp.org

#owasp #appsec #security #cornucopia

Added a small feature to cspbypass.com to warn the user if unsafe-inline is detected, in which case you typically don’t need to waste time hunting for 3rd-party whitelisted CSP bypasses and go straight to inline scripts / event handlers.

Sqldef : un outil CLI qui permet le "diffing" de deux schémas SQL et de générer automatiquement les instructions de migration nécessaires.

👉 sqldef.github.io/

MORE LABS IN OUR JAVASCRIPT CODE REVIEW BADGE:

pentesterlab.com/badges/javas...

Thank you very much for this amazing free software 🙏

Important Clarification: Notepad++ Security Incident (Indicators of Compromise provided by our former hosting provider is included):
notepad-plus-plus.org/news/clarifi...

Master Web Hacking and Security Code Review! Master advanced penetration testing and deep security code review through real-world CVEs, detailed vulnerability analysis, and expert-led code reviews. Ideal for professionals seeking expert-level un...

📖 References used:

- pentesterlab.com
- www.regular-expressions.info

Execution of the POC performed.

🧑‍🎓 Learning of the day for me thanks to @pentesterlab.com and Claude.

🔬 For the regular expression "[A-z]":

In a character class [X-Y], it matches all characters with ASCII codes from X to Y inclusive. So [A-z] means all ASCII characters from 65 (A) to 122 (z).

#appsec #appsecurity

Notepad++ Hijacked by State-Sponsored Hackers
Security Update - Resolution of Notepad++ Update Server Compromise
notepad-plus-plus.org/news/hijacke...

GitHub - jub0bs/cors: perhaps the best CORS middleware library for Go perhaps the best CORS middleware library for Go. Contribute to jub0bs/cors development by creating an account on GitHub.

🎉 I've just released v0.11.0 of jub0bs/cors, my CORS middleware library for Go!

Bar any surprises, this will be the last minor release before v1.

github.com/jub0bs/cors

⚠️ OWASP websites/projects/chapters migration. · OWASP www-project-secure-headers · Discussion #273 Hi, We (@riramar and myself) created this discussion to share/track with the OSHP community, in a open way, an important coming changes in the OSHP. The context 📍 The OWASP foundation has decided t...

📡 OWASP Secure Headers Project: The OWASP Foundation has decided to migrate its content to a new CMS. As a result, OSHP content is frozen for the duration of the migration. You can find more information and explanations in the discussion below.

github.com/OWASP/www-pr...

#owasp_shp

Love web & AI security research? Want to do it full time on-site with myself, Gareth Heyes & Zak Fedotkin? Join the PortSwigger Research team - we're hiring!

apply.workable.com/portswigger/...

CVE-2026-23993: JWT authentication bypass in HarbourJwt via “unknown alg” I didn't know Harbour even existed as a language when I found this bug. The fun part is that I also ...

🔥 CVE-2026-23993: HarbourJwt JWT auth bypass via unknown alg.

Not just alg=none: unsupported alg => empty signature, so forged token header.payload. passes.

Write-up + fix: pentesterlab.com/blog/cve-202...

📖 References used:

- developer.mozilla.org/en-US/docs/W...
- pentesterlab.com/exercises/sv...
- portswigger.net/web-security...
- www.fortinet.com/blog/threat-...

POC performed.

🧑‍🎓 Learning of the day for me: I discovered that browsers (at least Chromium) display an SVG image even if the specified content type is set to XML. The contained JS script is also executed.

#appsec #appsecurity

Overview of the page.

📡 OWASP Secure Headers Project: We have added information and examples regarding the Trusted Types feature of the Content-Security-Policy header.

📖 owasp.org/www-project-...

#appsec #appsecurity #owasp_shp

GitHub - C4illin/ConvertX: 💾 Self-hosted online file converter. Supports 1000+ formats ⚙️ 💾 Self-hosted online file converter. Supports 1000+ formats ⚙️ - C4illin/ConvertX

🔥 Hot Repo！ 🔥 (100+ new stars)

📦 C4illin / ConvertX
⭐ 13,699 (+159)
🗒 TypeScript

💾 Self-hosted online file converter. Supports 1000+ formats ⚙️

logo

docker-android : une image Docker minimaliste permettant de faire tourner un émulateur Android avec KVM.

👉 github.com/HQarroum/...

GitHub - BurntSushi/ripgrep: ripgrep recursively searches directories for a regex pattern while respecting your gitignore ripgrep recursively searches directories for a regex pattern while respecting your gitignore - BurntSushi/ripgrep

Best news I've discovered today is that ripgrep is also available for Windows and you can install it with winget (winget install ripgrep). ripgrep is like the grep utility in Linux, but a bit faster, it also accepts grep's params github.com/burntsushi/r...

📚 Les guides de l’ANSSI sont sur #MesServicesCyber !

🖥️ Alors que le site de l’ANSSI évolue, MesServicesCyber se transforme pour vous simplifier l’accès aux conseils et recommandations de l’ANSSI, et de ses partenaires.

Rendez-vous sur :
🔗 messervices.cyber.gouv.fr/catalogue/?m...