Good post — with accompanying code — on PHP.Watch on how to tighten the almighty curl: Limit Curl Protocols Do not enable automatic redirects unless absolutely necessary If redirects are enabled enabled, limit allowed protocols (if different from #1 above) If redirects are enabled, set a strict limit Set a strict time-out Do not disable …
Tag Archives: security
The Lava Lamps That Help Keep The Internet Secure
At the headquarters of Cloudflare, in San Francisco, there’s a wall of lava lamps: the Entropy Wall. They’re used to generate random numbers and keep a good bit of the internet secure: here’s how. How geeky! 🤩
PHPUnit: A Security Risk?
The author of PHPUnit was a bit surprised when he received a mail stating that PHPUnit was a security risk and hackers could remotely execute PHP code through a file named eval-stdin.php that ships used to ship with PHPUnit. // eval-stdin.php eval ('?>'. \file_get_contents('php://input')); Even though the eval-stdin.php file itself indeed was vulnerable, it never …
Beware when merging Pull Requests with a changed lockfile
When watching a diff that contains a lockfile (say: a yarn.lock for example) on GitHub, GitHub doesn’t always show the differences (see screenshot above) as the changes in such files tend to be quite big. And even if it were to show the changes, does one really take a close look into it? With this …
Continue reading “Beware when merging Pull Requests with a changed lockfile”
Securing React Native Applications
In this article, we will focus on the security side of the framework. We will be dividing the article into the following sections: Securing app to server connection Securing local data Advanced integrity checks Securing React Native Applications →
Princesses make terrible passwords
From the Firefox Blog: When the Disney+ streaming service rolled out, millions of people flocked to set up accounts. And within a week, thousands of poor unfortunate souls reported that their Disney passwords were hacked. According to media reports, some Disney+ account holders have lost their account access while hackers have sold their logins online. …
Learn about security by hacking a fake bank using a real hacking method
Cool interactive site showing your how to perform a Server Side Request Forgery hack, based on a true incident: The following interactive tutorial is a reconstruction of Capital One’s data breach incident that exposed the records of almost 106 million customers. Paige Thompson is accused of breaking into a Capital One server and gaining access …
Continue reading “Learn about security by hacking a fake bank using a real hacking method”
Unsafe SQL functions in Laravel
Recently the folks from Spatie released a security update for their laravel-query-builder package. Turns out it was vulnerable to SQL Injection. At the core of the vulnerability is the fact that Laravel offers a shorthand for querying only certain fields of JSON data, but that these do not get escaped when converted to a json_extract …
The curious case of the Raspberry Pi in the network closet
Christian Haschek: Last week I got a message from a co-worker notifying me there was a Raspberry Pi connected to our network. I asked my IT colleagues and they were as baffled as I was. I heard of people getting paid to put things like this in places they shouldn’t and for this reason I …
Continue reading “The curious case of the Raspberry Pi in the network closet”
The problem with usernames
In “Let’s talk about usernames” James Bennett – author of django-registration – digs deeper into an at first seemingly simple thing such as usernames and how to keep ‘m safe and unique. And no, you can’t make it by just doing a a simple comparison. You’ll have to think of more than that if you …