Yik Yak Messaging App Vulnerability

Yik Yak’s HTTPS communication for iOS is actually fine […] so what’s the problem? […] The vulnerability begins in the fact that Yik Yak’s sole means of user identification is one string; the userID. There are no passwords. […] Yik Yak, like many apps, does not only communicate with its own server API. It makes …

It’s All About Time: Timing attacks in PHP

$query = "SELECT * FROM users WHERE id = ?"; $stmt = $pdo->prepare($query); $stmt->execute([$_POST[‘id’]]); $user = $stmt->fetchObject(); if ($user && password_verify($_POST[‘password’], $user->password)) { return true; } return false; There is information leak here: If you try different user names, it will take a different amount of time depending on if the username is there or …

Migrating your WordPress website from HTTP to HTTPS

In light of #https2015 I flipped the switch on bram.us earlier today: from today forth bram.us is only accessible over HTTPS. If you run a news site, or any site at all, we’d like to issue a friendly challenge to you. Make a commitment to have your site fully on HTTPS by the end of …

Securing Sessions in PHP

I set out to combine all the best practice I could find into a single Session handler, to help protect against the common attack vectors. Since PHP 5.4, you are able to set the Session handler based on a class instance that extends the default SessionHandler class. Make the session cookie only available over HTTP, …

SSL Config Generator

Just choose the web server / web front you’re using (Apache, Nginx, HAProxy) + whether you want to support only modern, intermediate, or old versions of browsers and a proper configuration will be generated. <VirtualHost *:443> … SSLEngine on SSLCertificateFile /path/to/signed_certificate SSLCertificateChainFile /path/to/intermediate_certificate SSLCertificateKeyFile /path/to/private/key SSLCACertificateFile /path/to/all_ca_certs # modern configuration, tweak to your needs SSLProtocol …

Why Google is Hurrying the Web to Kill SHA-1

Something like 90% of websites that use SSL encryption use an algorithm called SHA-1 to protect themselves from being impersonated. This guarantees that when you go to green lock for facebook.com, you’re visiting the real Facebook and not giving your password to an attacker. Unfortunately, SHA-1 is dangerously weak, and has been for a long …

Damn Vulnerable iOS Application

Damn Vulnerable iOS App (DVIA) is an iOS application that is damn vulnerable. Its main goal is to provide a platform to mobile security enthusiasts/professionals or students to test their iOS penetration testing skills in a legal environment. This application covers all the common vulnerabilities found in iOS applications (following OWASP top 10 mobile risks) …