Why aren’t we using SSH for everything?

ssh http://t.co/E7Ilc0B0BC pic.twitter.com/CqYBR1WYO4 — Andrey Petrov (@shazow) December 13, 2014

If we can write a chatroom on top of SSH, why don’t we use it for more things? An interesting read packed with dozens of facts about the SSH protocol and why we should use it for more things. Why aren’t we using SSH for everything? […]

PHP Roave Security Advisories

$ composer require roave/security-advisories:dev-master
$ # following commands will fail:
$ composer require symfony/symfony:2.5.2
$ composer require zendframework/zendframework:2.3.1

This package ensures that your PHP application doesn’t have installed dependencies with known security vulnerabilities. It works through Composer’s "conflict" field: its composer.json lists every known-vulnerable version range of popular packages as a conflict, so the dependency solver refuses any install or update that would pull one in. This package does not provide any API or usable classes: its only purpose is to prevent installation of software with known and […]

How I Hacked Facebook with a Word Document

An XML External Entity (XXE) vulnerability was found on the Facebook Careers page by Mohamed Ramadan. The OWASP XXE Definition reads: An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a […]

Yik Yak Messaging App Vulnerability

Yik Yak’s HTTPS communication for iOS is actually fine […] so what’s the problem? […] The vulnerability begins in the fact that Yik Yak’s sole means of user identification is one string; the userID. There are no passwords. […] Yik Yak, like many apps, does not only communicate with its own server API. It makes […]

It’s All About Time: Timing attacks in PHP

$query = "SELECT * FROM users WHERE id = ?";
$stmt = $pdo->prepare($query);
$stmt->execute([$_POST['id']]);
$user = $stmt->fetchObject();
if ($user && password_verify($_POST['password'], $user->password)) {
    return true;
}
return false;

There is an information leak here: if you try different user names, the request takes a different amount of time depending on whether the username exists or […]
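As an added example (not code from the original post), the snippet below puts the leaky lookup-then-verify pattern beside a version that always runs the bcrypt check, so an unknown user costs the same time as a wrong password. It assumes an in-memory array in place of the PDO query, and a dummy hash generated with the same algorithm and cost as the real user hashes; both are stand-ins, not part of the original.

```php
<?php
// Added example, not from the original post. The user table is a constructed
// in-memory array standing in for the PDO query; DUMMY_HASH is an assumption
// (a hash produced once with the same algorithm and cost as real user hashes).
declare(strict_types=1);

// Constructed sample data: one real user with a bcrypt hash of "correct horse".
$users = [
    'alice' => ['password' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10])],
];

// Generated once (at deploy time in a real app, not per request). Its input is
// random so it never verifies, but checking it takes as long as a real hash.
define('DUMMY_HASH', password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => 10]));

/** Vulnerable: && short-circuits, so the slow hash check is skipped for unknown users. */
function login_leaky(array $users, string $id, string $password): bool
{
    $user = $users[$id] ?? null;          // stands in for $stmt->fetchObject()
    if ($user && password_verify($password, $user['password'])) {
        return true;
    }
    return false;
}

/** Hardened: the hash check runs on every request, against a dummy hash if needed. */
function login_constant(array $users, string $id, string $password): bool
{
    $user = $users[$id] ?? null;
    $hash = $user ? $user['password'] : DUMMY_HASH;
    $ok   = password_verify($password, $hash);   // always executed
    // Existence is folded in only after the expensive work has been done.
    return $ok && $user !== null;
}

/** Wall-clock cost of one login attempt, in milliseconds. */
function time_login(callable $login, array $users, string $id, string $password): float
{
    $start = hrtime(true);
    $login($users, $id, $password);
    return (hrtime(true) - $start) / 1e6;
}

foreach (['login_leaky', 'login_constant'] as $fn) {
    printf("%-15s known user, wrong password: %6.1f ms\n", $fn, time_login($fn, $users, 'alice', 'wrong'));
    printf("%-15s unknown user:               %6.1f ms\n", $fn, time_login($fn, $users, 'nobody', 'wrong'));
}
```

Run it a few times: login_leaky answers an unknown user in well under a millisecond while a known user costs a full bcrypt round, which is the enumeration signal; login_constant takes roughly the same time in both cases. The dummy hash must match the cost factor of the stored hashes, otherwise the two paths diverge again.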

Migrating your WordPress website from HTTP to HTTPS

In light of #https2015 I flipped the switch on bram.us earlier today: from today forth bram.us is only accessible over HTTPS. If you run a news site, or any site at all, we’d like to issue a friendly challenge to you. Make a commitment to have your site fully on HTTPS by the end of […]