How to migrate hashed passwords

So, you have realized that the way you have hashed your users passwords needs to be updated, but you don’t want to cause any extra trouble for your users by forcing them to change password. In this article I will explain how you can migrate hashed passwords without your users knowing because their password remains the same.

From my previous experience this is one of the main reasons why people are so hesitant of updating their stored hashes. They are afraid what their users will say. So this fear actually in many cases causes systems to remain insecure, and the day they get breached they regret that nothing was done earlier while the users information is leaking all over the internet. Continue reading

Over The Wire Natas Level 0 – 4

Over The Wire is a collection of different war games. The games ranges from beginner to advanced, and is a really nice place to learn about security.

The war game Natas focuses on web application vulnerabilities, and has a total of 26 levels. To advance to the next level you need to solve the current level you’re on.

This article will explain level 0 to 4. So if you don’t want to spoil the solution, you should stop reading now.

Continue reading

Exploit PHP mail() to get remote code execution

While searching around the web for new nifty tricks I stumbled across this post about how to get remote code exeution exploiting PHP’s mail() function.

Update: After some further thinking and looking into this even more, I’ve found that my statement about this only being possible in really rare cases was wrong. Since this can also be exploited in other scenarios which is much more common than I first thought. So, instead of removing content, I added a strike through on the statements that’s no longer valid, and updated with a 2nd scenario explanation.

First, I must say that this is only going to happen under some really rare circustances. Never the less, it’s really something to think about and keep an eye out for. I will explain an example scenario which I think could be a real life scenario later in this article.

So, when that’s said, let’s have a look at what this is all about. Continue reading

Welcome

Ok, so this is the famous first post. I’m not going to make it a long one. It’ll just be a quick summary of what you can expect to find here.

First, who am I?

I’m a father of two, living with my fiance in Norway. During the day I work as a web application developer, and during the night I’m a hobby security researcher and penetration tester.

To find out more about me and what I do, please read the about section.

Now, why this blog?

I wanted a place where I can put all my crap that someone else might find interesting. I’ll write about research I do, vulnerabilities I find, etc. So if you’re not really interested in these things, then this blog will most likely bore the crap out of you!

The end

I said it wasn’t going to be a long post, and I kept my promise. Have a nice day!