$ composer require roave/security-advisories:dev-master $ # following commands will fail: $ composer require symfony/symfony:2.5.2 $ composer require zendframework/zendframework:2.3.1 This package ensures that your PHP application doesn’t have installed dependencies with known security vulnerabilities. This package does not provide any API or usable classes: its only purpose is to prevent installation of software with known and …
Tag Archives: security
How I Hacked Facebook with a Word Document
An XML External Entity (XXE) vulnerability was found on the Facebook Careers page by Mohamed Ramadan. The OWASP XXE Definition reads: An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a …
Continue reading “How I Hacked Facebook with a Word Document”
Clubbing Seals
“Seal providers” offer a service which allows website owners to show their customers that their website is secure, and therefore safe to use. […] The website owner can include a seal on his website, which links to the seal provider, and shows the security of the sealed website is A-ok. Now, does having such a …
Yik Yak Messaging App Vulnerability
Yik Yak’s HTTPS communication for iOS is actually fine […] so what’s the problem? […] The vulnerability begins in the fact that Yik Yak’s sole means of user identification is one string; the userID. There are no passwords. […] Yik Yak, like many apps, does not only communicate with its own server API. It makes …
It’s All About Time: Timing attacks in PHP
$query = "SELECT * FROM users WHERE id = ?"; $stmt = $pdo->prepare($query); $stmt->execute([$_POST[‘id’]]); $user = $stmt->fetchObject(); if ($user && password_verify($_POST[‘password’], $user->password)) { return true; } return false; There is information leak here: If you try different user names, it will take a different amount of time depending on if the username is there or …
Continue reading “It’s All About Time: Timing attacks in PHP”
Migrating your WordPress website from HTTP to HTTPS
In light of #https2015 I flipped the switch on bram.us earlier today: from today forth bram.us is only accessible over HTTPS. If you run a news site, or any site at all, we’d like to issue a friendly challenge to you. Make a commitment to have your site fully on HTTPS by the end of …
Continue reading “Migrating your WordPress website from HTTP to HTTPS”
Securing Sessions in PHP
I set out to combine all the best practice I could find into a single Session handler, to help protect against the common attack vectors. Since PHP 5.4, you are able to set the Session handler based on a class instance that extends the default SessionHandler class. Make the session cookie only available over HTTP, …
HTTPS Everywhere
SSL Config Generator
Just choose the web server / web front you’re using (Apache, Nginx, HAProxy) + whether you want to support only modern, intermediate, or old versions of browsers and a proper configuration will be generated. <VirtualHost *:443> … SSLEngine on SSLCertificateFile /path/to/signed_certificate SSLCertificateChainFile /path/to/intermediate_certificate SSLCertificateKeyFile /path/to/private/key SSLCACertificateFile /path/to/all_ca_certs # modern configuration, tweak to your needs SSLProtocol …
Why Google is Hurrying the Web to Kill SHA-1
Something like 90% of websites that use SSL encryption use an algorithm called SHA-1 to protect themselves from being impersonated. This guarantees that when you go to green lock for facebook.com, you’re visiting the real Facebook and not giving your password to an attacker. Unfortunately, SHA-1 is dangerously weak, and has been for a long …
Continue reading “Why Google is Hurrying the Web to Kill SHA-1”