PHP HTTP Public-Key-Pinning Builder

HTTP Public-Key-Pinning Builder aims to make it easy to build HTTP Public-Key-Pinning headers in your PHP projects. As so: <?php use \ParagonIE\HPKPBuilder\HPKPBuilder; $hpkp = HPKPBuilder::fromFile('/path/to/source.json'); $hpkp->sendHPKPHeader(); { "hashes": [ { "algo": "sha256", "hash": "hwGEkxDWJ2oHtKv6lsvylKvhotXAAZQR1e0nq0eb2Vw=" }, { "algo": "sha256", "hash": "0jum0Eiu4Eg6vjn3zTmyd/RobfN6e4EagFQcz6E5ZKI=" } ], "include-subdomains": false, "max-age": 5184000, "report-only": false, "report-uri": null } HTTP Public-Key-Pinning Builder →HTTP …

WordPress 4.2 Stored XSS

Earlier this week WordPress 4.1.3. It fixed an XSS exploit discovered by a former student of mine. This week a new exploit – even in the new WordPress versions, including 4.2 – was uncovered. Current versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in WordPress comments. If triggered …

SecurityHeaders.com

Run a free test of a website’s HTTP headers and learn how it performs from a security perspective! Checks for the following headers and their values: Access Control Allow Origin Content Security Policy Cross Domain Meta Policy NoSniff Server Information Strict Transport Security UTF-8 Character Encoding X-Frame-Options X-Powered-By X-XSS-Protection SecurityHeaders.com →

Moonpig vulnerability

Decoding the auth header we get *redacted*:*redacted*, that’s not my username or password – these are static credentials sent with every request. The only identifiable piece of information left is the URL parameter customerId. […] Every API request is like this, there’s no authentication at all and you can pass in any customer ID to …

Why aren’t we using SSH for everything?

ssh http://t.co/E7Ilc0B0BC pic.twitter.com/CqYBR1WYO4 — Andrey Petrov (@shazow) December 13, 2014 If we can write a chatroom on top of SSH, why don’t we use it for more things? Interesting read packed with dozens of facts about the SSH protocol and why we should use it for more things. Why aren’t we using SSH for everything? …

PHP Roave Security Advisories

$ composer require roave/security-advisories:dev-master $ # following commands will fail: $ composer require symfony/symfony:2.5.2 $ composer require zendframework/zendframework:2.3.1 This package ensures that your PHP application doesn’t have installed dependencies with known security vulnerabilities. This package does not provide any API or usable classes: its only purpose is to prevent installation of software with known and …

How I Hacked Facebook with a Word Document

An XML External Entity (XXE) vulnerability was found on the Facebook Careers page by Mohamed Ramadan. The OWASP XXE Definition reads: An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a …