PHP Roave Security Advisories

$ composer require roave/security-advisories:dev-master $ # following commands will fail: $ composer require symfony/symfony:2.5.2 $ composer require zendframework/zendframework:2.3.1 This package ensures that your PHP application doesn’t have installed dependencies with known security vulnerabilities. This package does not provide any API or usable classes: its only purpose is to prevent installation of software with known and …

How I Hacked Facebook with a Word Document

An XML External Entity (XXE) vulnerability was found on the Facebook Careers page by Mohamed Ramadan. The OWASP XXE Definition reads: An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a …

Yik Yak Messaging App Vulnerability

Yik Yak’s HTTPS communication for iOS is actually fine […] so what’s the problem? […] The vulnerability begins in the fact that Yik Yak’s sole means of user identification is one string; the userID. There are no passwords. […] Yik Yak, like many apps, does not only communicate with its own server API. It makes …

It’s All About Time: Timing attacks in PHP

$query = "SELECT * FROM users WHERE id = ?"; $stmt = $pdo->prepare($query); $stmt->execute([$_POST[‘id’]]); $user = $stmt->fetchObject(); if ($user && password_verify($_POST[‘password’], $user->password)) { return true; } return false; There is information leak here: If you try different user names, it will take a different amount of time depending on if the username is there or …

Migrating your WordPress website from HTTP to HTTPS

In light of #https2015 I flipped the switch on bram.us earlier today: from today forth bram.us is only accessible over HTTPS. If you run a news site, or any site at all, we’d like to issue a friendly challenge to you. Make a commitment to have your site fully on HTTPS by the end of …

Securing Sessions in PHP

I set out to combine all the best practice I could find into a single Session handler, to help protect against the common attack vectors. Since PHP 5.4, you are able to set the Session handler based on a class instance that extends the default SessionHandler class. Make the session cookie only available over HTTP, …

SSL Config Generator

Just choose the web server / web front you’re using (Apache, Nginx, HAProxy) + whether you want to support only modern, intermediate, or old versions of browsers and a proper configuration will be generated. <VirtualHost *:443> … SSLEngine on SSLCertificateFile /path/to/signed_certificate SSLCertificateChainFile /path/to/intermediate_certificate SSLCertificateKeyFile /path/to/private/key SSLCACertificateFile /path/to/all_ca_certs # modern configuration, tweak to your needs SSLProtocol …

Why Google is Hurrying the Web to Kill SHA-1

Something like 90% of websites that use SSL encryption use an algorithm called SHA-1 to protect themselves from being impersonated. This guarantees that when you go to green lock for facebook.com, you’re visiting the real Facebook and not giving your password to an attacker. Unfortunately, SHA-1 is dangerously weak, and has been for a long …