Bypass authentication with existing username and arbitrary password

In this post I will explain how we can easily bypass authentication with an existing username and an arbitrary password. Often developers think that as long as they don’t check for a valid password in the query, but do it in the code instead, it cannot be bypassed with SQL injection. This, together with poor hashing like md5…

Request header SQL injection with netcat and burp suite

The scope of this tutorial is not to teach SQL injection. It’s only to give you an idea of an efficient approach for executing SQL injections using the request headers. It is expected that you, the reader, have at least some basic knowledge about request headers, SQL injection and the command line interface. If you need to…

XSS through Exif headers

This is a quick explanation of how to perform XSS through Exif headers on a website. So, cross-site scripting is nothing new to people, but many assume that a website with no visible XSS vulnerabilities through forms or URL parameters is not vulnerable; that is not necessarily the case. In this tutorial I’m going…

PHP CGI exploit

This is an old tutorial I wrote back in late September 2013 on a forum, and I decided to add it here. This PHP CGI exploit has been patched in newer versions, but it’s still something worth knowing because it is so extremely easy to use. First, some details regarding this vulnerability. The bug…

Unicode email and url filter in PhalconPHP

Previously I wrote two functions to add Unicode support to email and URL sanitation in PHP. This is something that is lacking from PHP itself and from every other framework I’ve tried, and PhalconPHP is no different, so I did what I normally do when I test Unicode support…

Two step password hashing with hmac and bcrypt

The approach explained in this post is the same standard used by the Mozilla security team. Many people might see this as overkill or think that “my application is so small that I don’t need it”. No matter the scale of your application, as long as you have your system available in the world…

Stronger cryptography in PHP

Making a random string in PHP is an easy task. One of the fastest ways is this.

But this does not provide strong cryptographic randomness. To get that we have to write our own functions. This might look “scary” to some people, but it’s really not hard at all. The first thing we will…

How to migrate hashed passwords

So, you have realized that the way you have hashed your users’ passwords needs to be updated, but you don’t want to cause any extra trouble for your users by forcing them to change their password. From my previous experience this is one of the main reasons why people are so hesitant about updating their stored…

Regular expressions and unicode character properties

Unicode has brought headaches to developers all around the world. It has caused countless hours of trial and error, sleepless nights and probably a decent amount of hair loss as well. After fine-tuning complex patterns, it turns out that they don’t really work anyway. If you have ever had to work with regular…

Improved email and url sanitation

Many people just use PHP’s native functionality blindly, thinking that everything will work smoothly, but that isn’t the case. PHP provides the FILTER_SANITIZE_EMAIL and FILTER_SANITIZE_URL filters to use with the filter functions. The problem here is that they also strip Unicode characters, meaning that if you’re sanitizing a Unicode URL you will destroy it. So…
