2015 Dec 21, 7:02
2015 Dec 13, 2:34
Imagine a world where FBI director Comey talked about guns the way he talks about cryptography
2015 Oct 14, 6:11
2015 Apr 11, 10:58
2015 Jan 15, 10:10
2012 Aug 30, 5:00
I was the 546th person to complete Stripe's web security CTF and again had a ton of fun applying my theoretical knowledge of web security issues to the (semi-)real world. As I went through the levels I thought about what red flags jumped out at me (or should have) that I could apply to future code reviews:
| Level | Issue | Code Review Red Flags |
| --- | --- | --- |
| 0 | Simple SQL injection | No encoding when constructing SQL command strings. Constructing SQL command strings instead of SQL API. |
| 1 | `extract($_GET);` | No input validation. |
| 2 | Arbitrary PHP execution | No input validation. Allowing file uploads. File permissions modification. |
| 3 | Advanced SQL injection | Constructing SQL command strings instead of SQL API. |
| 4 | HTML injection, XSS and CSRF | No encoding when constructing HTML. No CSRF countermeasures. Passwords stored in plain text. Password displayed on site. |
| 5 | Pingback server doesn't need to opt in | n/a: protocol issue by design. |
| 6 | Script injection and XSS | No encoding when constructing script. Deny list (of dangerous characters). Passwords stored in plain text. Password displayed on site. |
| 7 | Length extension attack | Custom crypto code. Constructing SQL command strings instead of SQL API. |
| 8 | Side channel attack | Password handling code. Timing attack mitigation too clever. |
More about each level in the future.
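As an added illustration (not part of the original post or of Stripe's CTF code), a small scanner that turns several of the table's red flags into line checks and runs them over constructed PHP sample lines; the sample code, rule names and regexes are my own.

```python
import re
from typing import Callable, List, Tuple

# Constructed sample PHP (not the CTF's code); each line carries at most one red flag
# from the table, or none, to show the scanner stays quiet on the safe variants.
SAMPLE_PHP = """\
<?php
extract($_GET);
$q = "SELECT * FROM users WHERE name = '" . $_GET['name'] . "'";
$q = "SELECT * FROM users WHERE id = $_POST[id]";
$stmt = $db->prepare("SELECT * FROM users WHERE name = ?");
echo "<p>Hello " . $_GET['name'] . "</p>";
echo "<p>Hello " . htmlspecialchars($_GET['name']) . "</p>";
chmod($upload_path, 0777);
if ($sig == md5($secret . $_GET['data'])) { $ok = true; }
"""

REQUEST = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"      # raw request input
SQL_VERB = r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b"

def sql_from_request(line: str) -> bool:
    """SQL verb and request input on one line: string-built SQL, not a prepared statement."""
    return bool(re.search(SQL_VERB, line, re.I)) and bool(re.search(REQUEST, line))

def unencoded_output(line: str) -> bool:
    """Request input echoed into HTML with no encoding call on the same line."""
    return (bool(re.search(r"\becho\b", line)) and bool(re.search(REQUEST, line))
            and not re.search(r"\b(?:htmlspecialchars|htmlentities)\s*\(", line))

# (red flag from the table, predicate over one source line)
RULES: List[Tuple[str, Callable[[str], bool]]] = [
    ("No input validation: extract() of a request array",
     lambda l: bool(re.search(rf"\bextract\s*\(\s*{REQUEST}", l))),
    ("Constructing SQL command strings instead of SQL API", sql_from_request),
    ("No encoding when constructing HTML", unencoded_output),
    ("File permissions modification", lambda l: bool(re.search(r"\bchmod\s*\(", l))),
    # hash(secret . data) used as a MAC is the classic construction open to length extension
    ("Custom crypto code: hash of secret . data used as a MAC",
     lambda l: bool(re.search(r"\b(?:md5|sha1)\s*\(\s*\$\w+\s*\.", l))),
]

def scan(source: str) -> List[Tuple[int, str]]:
    """Return (line number, red flag) for every rule that fires on each line."""
    return [(n, flag)
            for n, line in enumerate(source.splitlines(), start=1)
            for flag, hit in RULES if hit(line)]

if __name__ == "__main__":
    for n, flag in scan(SAMPLE_PHP):
        print(f"line {n}: {flag}")
```

Line-based regexes only catch the obvious cases; they are a first pass for a reviewer, not a substitute for reading the data flow.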
code-review coding csrf html internet programming script security sql stripe technical web xss
2012 Jun 7, 9:12
So this is another Stuxnet by Israel/US?
The analysis reinforces theories that researchers from Kaspersky Lab, CrySyS Lab, and Symantec published almost two weeks ago. Namely, Flame could only have been developed with the backing of a
wealthy nation-state. … “It’s not a garden-variety collision attack, or just an implementation of previous MD5 collisions papers—which would be difficult enough,” Matthew Green, a professor
specializing in cryptography in the computer science department at Johns Hopkins University, told Ars. “There were mathematicians doing new science to make Flame work.”
technical security web internet md5 cryptography flame
2011 Jul 18, 2:38
Neat idea: "When the user wants to visit a blacklisted site, the client establishes an encrypted HTTPS connection to a non-blacklisted web server outside the censor’s network, which could be a normal site that the user regularly visits... The client secretly marks the connection as a Telex request by inserting a cryptographic tag into the headers. We construct this tag using a mechanism called public-key steganography... As the connection travels over the Internet en route to the non-blacklisted site, it passes through routers at various ISPs in the core of the network. We envision that some of these ISPs would deploy equipment we call Telex stations."
internet security tools censorship technical
2011 Jun 20, 11:25
A cautionary tale in chart form: the lesson is to make sure you can always upgrade your hashing algorithm, or don't have security dependencies on hashing algorithms.
reference hash encryption security table technical humor
2010 Jun 1, 6:46
"Metalink describes download locations (mirrors), cryptographic hashes, and other information. Clients can transparently use this information to reliably transfer files."
technical internet download web url xml metalink
2010 Apr 21, 6:51
Adds SHA 256 & 512 to HTTP instance digest: 'The IANA registry named "Hypertext Transfer Protocol (HTTP) Digest Algorithm Values" defines values for digest algorithms used by Instance Digests in HTTP. Instance Digests in HTTP provide a digest, also known as a checksum or hash, of an entire representation of the current state of a resource. This document adds new values to the registry and updates previous values.'
hash cryptography http instance-digest sha security technical ietf rfc standard
2009 Dec 7, 5:15
"Yahoo isn’t happy that a detailed menu of the spying services it provides law enforcement agencies has leaked onto the web." ... "Cryptome also published lawful data-interception guides for Cox Communications, SBC, Cingular, Nextel, GTE and other telecoms and service providers. But of all those companies, it appears to be Yahoo’s lawyers alone who have issued a DMCA takedown notice to Cryptome demanding the document be removed."
privacy security copyright yahoo dmca internet web surveillance
2009 Aug 14, 6:20
"This paper presents efficient off-line anonymous e-cash schemes where a user can withdraw a wallet containing coins each of which she can spend unlinkably."
money future reference research economics cryptography technical system:filetype:pdf system:media:document
2008 Oct 27, 1:39
Rubber-hose cryptanalysis was first defined by Marcus J. Ranum on Oct 15 1990: "..unless you resort to the rubber-hose technique of cryptanalysis. (in which a rubber hose is applied forcefully and frequently to the soles of the feet until the key to the cryptosystem is discovered, a process that can take a surprisingly short time and is quite computationally inexpensive)"
humor cryptography rubber-hose security
2008 Oct 14, 11:14
Similar in concept to the Pirate Bay suggestion of encrypting all TCP/IP connections if both server and client support it: "Obfuscated TCP is a transport layer protocol that adds opportunistic encryption. It's designed to hamper and detect large-scale wiretapping and corruption of TCP traffic on the Internet."
internet tcp encryption security google privacy opensource cryptography network ssl
2008 Jul 10, 4:44
More on IPETEE with some of the politics and commentary. "The Pirate Bay has ambitious plans to bring end-to-end encryption to all network activity..."
article encryption privacy security ip cryptography
2008 Jul 10, 4:43
"The goal is to implement IP-transport encryption in a way that is transparent both to the IP-layer (including nodes in the network path) and to the applications that benefit from the encryption." Seems like a good idea to me.
cryptography encryption internet privacy security ip wiki