Community


Latest Comments

1. Etaigbenu Canaan said:

This is a really good article. Thanks

Posted In The Truth about Sessions.

Mon, 02 May 2016 at 13:15:42 GMT


2. Dominic Mayers said:

Well, I like that it strips newline after a closing tag, but I have no idea why it does not do it when it matters the most: the last closing tag in an included file.

caller.php:

<?php header('Content-Type:text/plain'); ?>

Hello<?php include "toinclude.php"; ?>World!

toinclude.php:

<?php echo " "; ?>

with a new line after the ?>, which is stripped here, will output:

Hello

world!

It's strange that it strips it every where else, but not at the end of an included file.

Posted In PHP Stripping Newlines.

Wed, 27 Apr 2016 at 21:54:38 GMT


3. Kvasin Leonid said:

Hello!

I was looking for this information, thanks for the post!

192.168.1.1

Posted In Cross-Site Request Forgeries.

Thu, 14 Apr 2016 at 15:00:20 GMT


4. atif said:

A very good post with the use of multisort function. To read other basic types of sorting functions visit Blog of Cloudways.

Posted In Sorting Multi-Dimensional Arrays in PHP.

Tue, 24 Nov 2015 at 11:12:04 GMT


5. Tashreefshareef said:

Well written and a great job done indeed. But there are several ways through which one can attack the users, such as hacking into one's router, as mentioned here >>

How to Know if Your Router is Hacked

Posted In Cross-Site Request Forgeries.

Tue, 03 Nov 2015 at 14:01:46 GMT


6. Swati said:

It's nice.

mysql_real_escape_string: breaks out particular characters in a string for use in an SQL expression/statement.

You can obtain more information about it.

http://www.phpandsql.com/how-to-use..._string-in-php/

Posted In addslashes() Versus mysql_real_escape_string().

Fri, 19 Jun 2015 at 11:38:43 GMT


7. Chris Shiflett said:

Julio, can you share a screen shot or a paste or something that shows what's happening?

Also, this post might be helpful:

http://shiflett.org/blog/2008/aug/i...nd-hacking-http

Posted In SERVER_NAME Versus HTTP_HOST.

Fri, 15 May 2015 at 21:44:26 GMT


8. Julio Potier said:

Hello

Each time I try to hack the Host header in a request, the server response is "400 Bad Request"; tested on 8 different website hosts.

So, what is the setting that allows me to do this kind of request? It seems that what @thibaut said about VHOST is the thing, but I'm not sure, and if so, again, what is the configuration to do your tests?

Thanks

Posted In SERVER_NAME Versus HTTP_HOST.

Sun, 19 Apr 2015 at 23:58:28 GMT


9. Maria Antonietta said:

Thank you very much Chris!

You avoided me hours of headaches!

Posted In Sorting Multi-Dimensional Arrays in PHP.

Tue, 10 Feb 2015 at 11:38:41 GMT


10. Ben Ramsey said:

Is there a broken content negotiation example somewhere that everyone is using?

I've been playing around with the mimeparse library and converting it to use Composer, as well as conform to PSR standards. See: https://github.com/ramsey/mimeparse (shameless plug)

After re-reading your post, I decided to give this a try, using your second Accept line (with the quality parameter on application/json):

<?php

$accept = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,application/json;q=0.0';

$quality = \Bitworking\Mimeparse::quality('application/json', $accept);

Oddly enough, $quality comes out as the value 1, rather than 0, as one would expect.

Bingo!

This library has been around for a while; has versions in Python, Ruby, Erlang, Java, JavaScript, and PHP; and I suspect it is either widely used or widely imitated. I went back to the HTTP spec to see if a value of 0 or 0.0 is considered invalid or undefined, and it's clearly not (from RFC 2616, section 3.9):

A weight is normalized to a real number in the range 0 through 1, where 0 is the minimum and 1 the maximum value. If a parameter has a quality value of 0, then content with this parameter is `not acceptable' for the client.

This is clearly a bug in the library, which is also in my version of the library right now, until I fix it (or get a pull request). :-)

Posted In The Accept Header.

Tue, 17 Jul 2012 at 01:21:36 GMT
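To show what a correct answer for the Accept line in the comment above looks like, here is an added example (not code from the post, from mimeparse or from the commenter): a small parser that treats q=0 and q=0.0 as real weights meaning "not acceptable", lets the most specific matching range override */*, and refuses to serve a q=0 type. The ACCEPT value is the comment's second Accept line; everything else is constructed for this example.

```python
from typing import Dict, List, Optional, Tuple

MediaRange = Tuple[str, str, Dict[str, str], float]  # (type, subtype, params, q)

def parse_accept(header: str) -> List[MediaRange]:
    """Parse an Accept header into media ranges; a missing or malformed q is 1.0."""
    ranges: List[MediaRange] = []
    for item in header.split(","):
        parts = [p.strip() for p in item.strip().split(";")]
        if not parts[0]:
            continue
        media = "*/*" if parts[0] == "*" else parts[0]
        type_, _, subtype = media.lower().partition("/")
        params: Dict[str, str] = {}
        for p in parts[1:]:
            key, _, value = p.partition("=")
            params[key.strip().lower()] = value.strip()
        q_raw = params.pop("q", "1")
        try:
            # Test the parsed number, never the string's truthiness: "0" and
            # "0.0" are real, valid weights (RFC 2616 3.9), not "no q given".
            q = float(q_raw)
        except ValueError:
            q = 1.0
        if not 0.0 <= q <= 1.0:
            q = 1.0
        ranges.append((type_, subtype, params, q))
    return ranges

def quality(mime_type: str, accept: str) -> float:
    """q the client assigned to mime_type; 0.0 means 'not acceptable'."""
    type_, subtype, params, _ = parse_accept(mime_type)[0]
    best_fitness, best_q = -1, 0.0
    for r_type, r_subtype, r_params, r_q in parse_accept(accept):
        if r_type not in (type_, "*") or r_subtype not in (subtype, "*"):
            continue
        # Most specific matching range wins, so application/json;q=0 beats */*;q=0.8.
        fitness = (100 if r_type == type_ else 0) + (10 if r_subtype == subtype else 0)
        fitness += sum(1 for k, v in params.items() if r_params.get(k) == v)
        if fitness > best_fitness:
            best_fitness, best_q = fitness, r_q
    return best_q

def best_match(supported: List[str], accept: str) -> Optional[str]:
    """Server-side pick: the supported type with the highest client q, or None."""
    scored = [(quality(s, accept), -i, s) for i, s in enumerate(supported)]
    acceptable = [s for s in scored if s[0] > 0.0]  # q=0 must never be served
    return max(acceptable)[2] if acceptable else None

ACCEPT = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,application/json;q=0.0"  # the comment's second Accept line
```

With this header, quality("application/json", ACCEPT) is 0.0 and best_match(["application/json", "application/xml"], ACCEPT) picks application/xml, which is the behaviour the comment expected from the library.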


11. Jesus Bejarano said:

I am right now into Nicholas C. Zakas's book JavaScript for Web Developers, 964 pages, but it is an excellent encyclopedia; you should try it out.

Posted In JavaScript Study Guide.

Wed, 04 Jul 2012 at 16:19:21 GMT


12. Bob Lerner said:

Rather shocked that LeakedIn not only doesn't use a password field for the password, but that it also doesn't serve over SSL.

In the event that my password wasn't on this list, then shoulder surfers, back-button pressers, or man-in-the-middle attackers could sure get it then.

Posted In LeakedIn.

Fri, 22 Jun 2012 at 16:49:14 GMT


13. Paul Reinheimer said:

Hook us up Chris!

Posted In Link Blog and Planet Chris.

Wed, 20 Jun 2012 at 13:29:55 GMT


14. Karl Barnes said:

There is a great deal of information on usort and array_multisort but your example made their usage crystal clear - thanks!

Posted In Sorting Multi-Dimensional Arrays in PHP.

Mon, 18 Jun 2012 at 22:52:40 GMT


15. Elisavet Triant said:

Well, asking people for their passwords, even if it's legit, isn't a very good idea.

What I did was to change my password anyway in LinkedIn and THEN check to see if it was leaked. Your form says it wasn't.

Posted In LeakedIn.

Wed, 13 Jun 2012 at 07:18:11 GMT


16. Marek Janouš said:

Mine was not leaked nor cracked according to leakedin.org, yet I still got the e-mail from LinkedIn, saying they believe it was included “in the post” (though not cracked).

Posted In LeakedIn.

Tue, 12 Jun 2012 at 09:47:06 GMT


17. Ian Coleman said:

Thanks Chris!

This has become a SERIOUS problem: the hackers HAVE the corresponding email address to my cracked password!! The only other place I used the email address I used for LinkedIn is Twitter. Stupidly, my Twitter and LinkedIn accounts also had the same password, which I didn't realise until this morning, as my Twitter account was accessed by a 3rd party who tweeted spam tweets to a Russian-based .ru site.

Either via the LinkedIn data dump or by other means, the group clearly have matched email addresses with passwords! Now I have to check everything to make sure there isn't somewhere else I've used that email address/password combo.

Thanks for shedding light on this; LinkedIn certainly aren't.

Posted In LeakedIn.

Mon, 11 Jun 2012 at 13:54:50 GMT


18. said:

Mine was leaked but not cracked.

Anyway I changed it.

Posted In LeakedIn.

Mon, 11 Jun 2012 at 09:18:49 GMT


19. Eponymous Bosch said:

Thanks Chris for this very helpful blog. I too was reluctant to post my password so I used a php script on xampp to hash it, then used findstr from the Windows 2003 Resource Kit to search the combo_not.txt file. Sure enough, there was my hashed password!

Posted In LeakedIn.

Mon, 11 Jun 2012 at 09:05:07 GMT


20. Avalonica Sativa said:

What is the answer to Philip Herbert's query above? When you go from form page to form page?

Posted In Cross-Site Request Forgeries.

Sun, 10 Jun 2012 at 20:10:44 GMT


21. Shelton Research Grp said:

I typed in some entries from the 10 worst passwords leaked and it says I am safe - WTH? Did they remove those entries?

Posted In LeakedIn.

Sat, 09 Jun 2012 at 15:54:52 GMT


22. Michael Hraba said:

Friendly question for layman....

You enter your password, and all within my browser, without anything transmitted, and no one seeing it, my password transforms into a bunch of stuff.... and then it checks it?

Slow non-techie people want to join in, too. =)

Posted In LeakedIn.

Fri, 08 Jun 2012 at 21:33:01 GMT


23. Vince Work said:

Thanks for removing getclicky--an acknowledgment of the security risk mentioned in comment #57, perhaps? However, there are still glaring issues with leakedin.org.

leakedin.org is transmitting unsalted SHA1 hashes over cleartext HTTP.

Ask yourself this. What did hackers obtain from LinkedIn and post on an online forum--the whole source of this controversy?

Answer: unsalted SHA1 hashes.

Now, what does leakedin.org risk leaking?

Answer: More unsalted SHA1 hashes.

To offer a solution by compounding the problem is just not right. Please reconsider.

Posted In LeakedIn.

Fri, 08 Jun 2012 at 19:08:17 GMT


24. said:

@Amarendra Godbole: Doesn't matter that the password is hashed client side. There's no difference between sending the hash over the wire in clear text and the hash existing in the leaked file. The leaked file doesn't contain any passwords in clear text either. If you're concerned about your hash existing in this file, you should be concerned about sending it across the wire in the clear as well.

@Chris Morrow: Leaked means the hash was leaked when the file was leaked. Cracked means that the hash has been reversed into a password. It's possible to be leaked but not cracked because hash algorithms are one way. You can generate a hash from some text but there is no algorithmic way to get the text from the hash. In order to crack the passwords given the hashes one has to brute force (i.e. guess) the passwords. Clever folks have created specialized programs to make cracking these hashes more efficient, including Rainbow Tables. For a deeper understanding see http://netsecurity.about.com/od/hackertools/a/Rainbow-Tables.htm.

Posted In LeakedIn.

Fri, 08 Jun 2012 at 18:17:10 GMT


25. Michael Rasmussen said:

@Olli Erinko - You can tunnel and log in from two places at a time. I'm routinely accessing my bank account from net locations ~2700km apart within 20 minutes.

Posted In LeakedIn.

Fri, 08 Jun 2012 at 14:50:12 GMT

