The Lab

Real attacks. Real code. No fluff.

A feed of writeups, CVE breakdowns, YouTube videos, and Snake Bytes episodes. Bookmark it or follow on YouTube, whichever you prefer.

How Hackers Bypass Paywalls? (Real Techniques)

A demonstration of the real-world techniques hackers use to bypass paid subscriptions, and how to apply those same techniques in ethical hacking and bug bounty hunting.

Mar 29, 2026 · YouTube

Bug Bounty Guide: XXE Injection Explained with Real Reports

From the basics of external entity injection to weaponizing it in live bug bounty programs.

May 2, 2025 · YouTube

This Is How Hackers Own Any MCP Server!

In this video, I demonstrate how hackers can exploit a vulnerability to take over any MCP server, giving them access to your data and systems. I break the attack down step by step and show you how to protect yourself.

Mar 29, 2026 · YouTube

This One Line Hacked NPM

Medusa explores how a maintainer account hijack led to malicious code being injected into the popular Axios HTTP library. The investigation reveals a sophisticated supply chain attack that used a fake dependency to compromise developer systems.

Apr 2, 2026 · YouTube

This XSS Somehow Turned Into Account Takeover!

A simple XSS vulnerability escalates far beyond expectations, eventually leading to full account takeover. This video breaks down the entire exploit chain, including the WAF bypass and how each step connects.

Mar 29, 2026 · YouTube

I Broke a Chatbot Using This Trick

In this video, I solve the OWASP Juice Shop chatbot challenge by exploiting an SSTI (Server-Side Template Injection) vulnerability. You’ll see how the chatbot can be bypassed and broken using simple techniques, along with a clear walkthrough of the process.

Mar 29, 2026 · YouTube

Can I Hack My Way to a Date? (CTF Challenge)

Explores how common web vulnerabilities like authentication bypass, poor input validation, and misconfigurations can be exploited.

Feb 22, 2026 · YouTube

Learning Web & API Hacking? Watch This First 👀

A proper Web & API Security roadmap is coming 🔥 Follow for the full guide 👀

Dec 30, 2025 · X

What if dev keys were committed to Git?

Learn how to spot committed dev keys — API keys, AWS creds, and private keys that could lead to serious bounty finds.

Oct 4, 2025 · X

Hunting API Keys in JavaScript Files: A Bug Hunter’s Guide

Discover exposed API keys in JavaScript files, understand why they leak, and learn practical techniques to hunt and exploit them efficiently.

Sep 13, 2025 · Medium
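
The two entries above ("What if dev keys were committed to Git?" and this one) both come down to pattern-matching credentials in text a developer shipped or committed. The scanner below is an added example written for this page, not code from either the X post or the Medium article. It scans a constructed JavaScript bundle and a constructed git diff (only the added lines, which is what a pre-commit hook or CI gate cares about) for AWS access key IDs, Google API keys, private key headers and generic key/secret/token assignments, and uses a character-entropy check to drop obvious placeholders. All sample strings are constructed for the example; the AWS key ID is the placeholder value from AWS's own documentation.

```python
import math
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Credential shapes that turn up in shipped JS bundles and committed config files.
# The generic rule catches "<something>api_key/secret/token/password = <value>".
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "google_api_key": re.compile(r"\b(AIza[0-9A-Za-z_\-]{35})\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b([a-z0-9_]*(?:api[_-]?key|secret|token|password)[a-z0-9_]*)"
        r"['\"]?\s*[:=]\s*['\"]?([^'\"\s;,]{16,})"
    ),
}


@dataclass
class Finding:
    kind: str
    line_no: int
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking secrets score high, placeholders low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_lines(lines: Iterable[Tuple[int, str]], min_entropy: float = 3.0) -> List[Finding]:
    findings = []
    for line_no, line in lines:
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                if kind == "generic_assignment":
                    value = m.group(2)
                    # A key-looking name with a low-entropy value is usually a placeholder.
                    if shannon_entropy(value) < min_entropy:
                        continue
                elif kind == "private_key_block":
                    value = m.group(0)
                else:
                    value = m.group(1)
                findings.append(Finding(kind, line_no, value))
    return findings


def scan_text(text: str) -> List[Finding]:
    """Scan a whole file, e.g. a JavaScript bundle pulled from a target."""
    return scan_lines(enumerate(text.splitlines(), 1))


def scan_diff_added_lines(diff: str) -> List[Finding]:
    """Scan only the '+' lines of a unified diff: what a commit would introduce."""
    added = (
        (n, line[1:])
        for n, line in enumerate(diff.splitlines(), 1)
        if line.startswith("+") and not line.startswith("+++")
    )
    return scan_lines(added)


# Constructed sample: what a leaked front-end bundle might contain.
SAMPLE_JS = """\
// constructed sample: what a leaked front-end bundle might contain
const config = { region: "us-east-1" };
var AWS_KEY = "AKIAIOSFODNN7EXAMPLE";  // the AWS documentation example key ID
const mapsKey = "AIzaSyD-EXAMPLE-EXAMPLE-EXAMPLE-EXAMPLE";
const apiToken = "changeme_changeme";  // low entropy: a placeholder, not a secret
const secret = "8f3a9c1d2e7b4f6a0c5d8e1f2a3b4c5d";
"""

# Constructed sample: a commit that adds dev credentials to a .env file.
SAMPLE_DIFF = """\
diff --git a/config/dev.env b/config/dev.env
--- a/config/dev.env
+++ b/config/dev.env
@@ -1,2 +1,4 @@
 DB_HOST=localhost
-AWS_SECRET_ACCESS_KEY=
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_JS):
        print(f"bundle line {f.line_no}: {f.kind} {f.value}")
    for f in scan_diff_added_lines(SAMPLE_DIFF):
        print(f"diff line {f.line_no}: {f.kind} {f.value}")
```

The prefix patterns are the high-confidence part; the generic assignment rule is where the noise lives, which is why the entropy gate sits on it and not on the vendor-format keys. Run against a real bundle, expect to triage: a hit on a Google Maps browser key is only a finding if the key is unrestricted, so verification against the provider is still the hunter's job.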

How We Found a $3,000 IDOR Vulnerability in a Delivery App

The bug was hiding in a predictable order ID. Full disclosure, full write-up, paid out on HackerOne.

Jun 14, 2025 · Medium

Penligent: Pentesting Workflow, Reviewed

Deep-dive walkthrough of Penligent, how it fits the pentester loop, and where it speeds up real-world engagements.

May 18, 2025 · YouTube

Grafana CVE-2025-4123: How XSS + Open Redirect Led to Full Account Takeover

This video breaks down the full exploit chain behind CVE-2025-4123 in Grafana, from client-side path traversal and open redirect to SSRF and XSS, leading to full account takeover.

May 17, 2025 · YouTube

Safeline WAF: Defending Against Real Attacks

Product demo of Safeline, the open-source WAF. What it catches, what it misses, and where it fits.

Apr 20, 2025 · YouTube

All PortSwigger Web Cache Deception Labs Explained

A complete lab-by-lab walkthrough of the Web Cache Deception series, with payloads and fix notes.

Mar 19, 2025 · YouTube

Shannon AI: Red-Teaming the Model

A walkthrough review of Shannon AI's security posture, prompt injection, and the rough edges.

Feb 25, 2025 · YouTube

OAuth 2.0 Flows Explained with Okta and OAuth Playground

Authorization code, implicit, PKCE, client credentials, demystified with hands-on tools.

Feb 8, 2025 · YouTube

X-VPN: How It Stacks Up on Security

Sponsored review of X-VPN with the security angle pulled forward. Encryption, leaks, and trust.

Jan 30, 2025 · YouTube

NordProtect: Consumer Security, Tested

Walkthrough of NordProtect with a focus on what a security-literate user actually cares about.

Dec 10, 2024 · YouTube

Dependency Confusion, the Supply Chain Attack Nobody Saw Coming

How internal package names leaked into public registries and why this class of bug is still live.

Nov 28, 2024 · Spotify

Exploiting XSS with JavaScript/JPEG Polyglots

A deep dive into polyglot files, images that are also valid scripts, and how they bypass filters.

Sep 4, 2024 · Medium

JWT authentication bypass via 'X-HTTP-Method-Override' Header

ESPv2 contains an authentication bypass vulnerability. API clients can craft a malicious X-HTTP-Method-Override header value to bypass JWT authentication in specific cases.

May 17, 2023 · YouTube
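
The blurb above names the bug only by its symptom. The toy gateway below is an added example written for this page, not ESPv2's code, and it assumes the general shape such bugs take: the per-route JWT requirement is looked up using the method on the wire, while the request is dispatched using the method named in X-HTTP-Method-Override. The route table, paths, token format and HS256 signing key are all constructed for the example. gateway_fixed shows the two defensible options: refuse the override header unless it is explicitly allowed, and when it is allowed, evaluate the auth policy against the overridden method.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field

SECRET = b"demo-signing-key"  # assumed shared HS256 secret for this toy gateway


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict) -> str:
    """Minimal HS256 JWT, enough to exercise the gateway's auth check."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str):
    """Return the claims if the signature checks out, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


# Per-route policy (constructed): which (method, path) pairs require a valid JWT.
AUTH_REQUIRED = {
    ("GET", "/orders"): False,    # public listing, no token needed
    ("DELETE", "/orders"): True,  # destructive, token required
}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # assumed lower-cased header names


def backend(method: str, path: str):
    """Stand-in for the upstream service the gateway fronts."""
    if (method, path) == ("DELETE", "/orders"):
        return 200, "orders deleted"
    if (method, path) == ("GET", "/orders"):
        return 200, "order list"
    return 404, "not found"


def _authenticated(req: Request) -> bool:
    auth = req.headers.get("authorization", "")
    return auth.startswith("Bearer ") and verify_jwt(auth[7:]) is not None


def override_method(req: Request) -> str:
    return req.headers.get("x-http-method-override", req.method).upper()


def gateway_vulnerable(req: Request):
    # Policy lookup keyed on the wire method (GET: public)...
    if AUTH_REQUIRED.get((req.method, req.path), True) and not _authenticated(req):
        return 401, "jwt required"
    # ...but the upstream honours the override, so an unauthenticated GET
    # reaches the backend as a DELETE.
    return backend(override_method(req), req.path)


def gateway_fixed(req: Request, allow_override: bool = False):
    if "x-http-method-override" in req.headers and not allow_override:
        return 400, "method override not permitted"
    method = override_method(req)
    # Policy and dispatch now agree on which method the request really is.
    if AUTH_REQUIRED.get((method, req.path), True) and not _authenticated(req):
        return 401, "jwt required"
    return backend(method, req.path)


if __name__ == "__main__":
    attack = Request("GET", "/orders", {"x-http-method-override": "DELETE"})
    print("vulnerable:", gateway_vulnerable(attack))
    print("fixed:", gateway_fixed(attack))
    print("fixed, override allowed:", gateway_fixed(attack, allow_override=True))
```

The unknown-route default of `True` in the policy lookup matters as much as the override handling: a gateway that treats an unlisted (method, path) pair as public fails open the moment a new verb reaches it.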

Follow the Lab on YouTube.

42,000+ security pros already get the next breakdown in their feed. Subscribe to join them.
