Community


Latest Comments

1.Tommy Tom said:

The top link is dead; here is (I think) an alternate link:

http://adaptivepath.org/ideas/ajax-...b-applications/

Posted In Ajax Is Not an Acronym.

Fri, 02 Dec 2016 at 13:52:58 GMT


2.Vincent Wansink said:

Beware that storing the session in the database can be a huge performance hit if you're using the session a lot and have high traffic.

It's great if you're only storing authentication and userid for example, but if you're using it to remember state and parameters for every page, then a high number of users will quickly chew up your CPU cycles.

Posted In Storing Sessions in a Database.

Thu, 27 Oct 2016 at 19:56:27 GMT


3.Chris Shiflett said:

Just noticed another one:

http://mds.is/

Posted In URL Sentences.

Tue, 20 Sep 2016 at 03:19:42 GMT


4.Chris Shiflett said:

Julio, can you share a screen shot or a paste or something that shows what's happening?

Also, this post might be helpful:

http://shiflett.org/blog/2008/aug/i...nd-hacking-http

Posted In SERVER_NAME Versus HTTP_HOST.

Fri, 15 May 2015 at 21:44:26 GMT


5.Julio Potier said:

Hello

Each time I try to hack the Host header in a request, the server response is "400 Bad Request"; tested on 8 different website hosts.

So, what is the setting that allows me to do this kind of request? It seems that what @thibaut said about VHOST is the thing, but I'm not sure, and if so, again, what is the configuration needed to do your tests?

Thanks

Posted In SERVER_NAME Versus HTTP_HOST.

Sun, 19 Apr 2015 at 23:58:28 GMT


6.Maria Antonietta said:

Thank you very much Chris!

You saved me hours of headaches!

Posted In Sorting Multi-Dimensional Arrays in PHP.

Tue, 10 Feb 2015 at 11:38:41 GMT


7.Ben Ramsey said:

Is there a broken content negotiation example somewhere that everyone is using?

I've been playing around with the mimeparse library and converting it to use Composer, as well as conform to PSR standards. See: https://github.com/ramsey/mimeparse (shameless plug)

After re-reading your post, I decided to give this a try, using your second Accept line (with the quality parameter on application/json):

<?php

// Assumes the library is autoloaded, e.g. via Composer's vendor/autoload.php
require 'vendor/autoload.php';

// Second Accept line from the post, with q=0.0 on application/json
$accept = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,application/json;q=0.0';

$quality = \Bitworking\Mimeparse::quality('application/json', $accept);

Oddly enough, $quality comes out as the value 1, rather than 0, as one would expect.

Bingo!

This library has been around for a while; has versions in Python, Ruby, Erlang, Java, JavaScript, and PHP; and I suspect it is either widely used or widely imitated. I went back to the HTTP spec to see if a value of 0 or 0.0 is considered invalid or undefined, and it's clearly not (from RFC 2616, section 3.9):

A weight is normalized to a real number in the range 0 through 1, where 0 is the minimum and 1 the maximum value. If a parameter has a quality value of 0, then content with this parameter is 'not acceptable' for the client.

This is clearly a bug in the library, which is also in my version of the library right now, until I fix it (or get a pull request). :-)

Posted In The Accept Header.

Tue, 17 Jul 2012 at 01:21:36 GMT
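The bug Ben describes above is easy to reproduce in any language where 0 is falsy: a parser that writes something like `q = parsed || 1` silently turns `q=0.0` back into 1. The following is an added example, not code from the original post or from the mimeparse library: a minimal Accept-header parser and a `quality()` function that honours q=0 as "not acceptable" per RFC 2616 section 3.9 and picks the most specific matching range (exact type > `type/*` > `*/*`). Treating an unparsable or out-of-range q as 1 is an assumption made here, not something the RFC or the post dictates.

```javascript
// Added example (not from the original post or from the mimeparse library).
// Parses an Accept header into media ranges and computes the quality of a
// media type, keeping q=0 as 0 instead of letting it fall back to 1.

function parseAccept(header) {
  return header.split(',').map((entry) => {
    const [range, ...paramParts] = entry.trim().split(';');
    const [type, subtype] = range.trim().toLowerCase().split('/');
    let q = 1;
    const params = {};
    for (const p of paramParts) {
      const [k, v] = p.trim().split('=');
      if (!k) continue;
      if (k.toLowerCase() === 'q') {
        const n = parseFloat(v);
        // Assumption: unparsable q is treated as 1; values are clamped to [0, 1].
        // Note the explicit Number.isFinite check rather than a truthiness test,
        // which is what keeps 0 from being replaced by the default.
        q = Number.isFinite(n) ? Math.min(1, Math.max(0, n)) : 1;
      } else {
        params[k.toLowerCase()] = v;
      }
    }
    return { type, subtype, params, q };
  }).filter((e) => e.type && e.subtype);
}

// Specificity of a match: 3 exact, 2 "type/*", 1 "*/*", 0 no match.
function matchSpecificity(mediaType, range) {
  const [tType, tSub] = mediaType.toLowerCase().split(';')[0].trim().split('/');
  if (range.type === tType && range.subtype === tSub) return 3;
  if (range.type === tType && range.subtype === '*') return 2;
  if (range.type === '*' && range.subtype === '*') return 1;
  return 0;
}

// Quality of a media type: the q of the most specific matching range,
// 0 if nothing matches. A q of 0 from an exact match is returned as 0
// even when a less specific wildcard range would allow the type.
function quality(mediaType, header) {
  let best = { spec: 0, q: 0 };
  for (const range of parseAccept(header)) {
    const spec = matchSpecificity(mediaType, range);
    if (spec > best.spec) best = { spec, q: range.q };
  }
  return best.q;
}

// The second Accept line from the post, with q=0.0 on application/json.
const ACCEPT = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,application/json;q=0.0';

console.log('application/json:', quality('application/json', ACCEPT)); // 0, not 1
console.log('text/html:', quality('text/html', ACCEPT));
console.log('image/png (via */*):', quality('image/png', ACCEPT));
```

Run it with `node accept.js`. The point to check in any content-negotiation library is exactly the one in the thread: an explicit `q=0` on a type must beat a permissive `*/*;q=0.8`, otherwise a client's "never send me this" is ignored.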


8.Jesus Bejarano said:

I am right now into Nicholas C. Zakas's book JavaScript for Web Developers, 964 pages, but it is an excellent encyclopedia; you should try it out.

Posted In JavaScript Study Guide.

Wed, 04 Jul 2012 at 16:19:21 GMT


9.Bob Lerner said:

Rather shocked that leakedin not only doesn't use a password field for the password, but also doesn't serve over SSL.

In the event that my password wasn't on this list, shoulder surfers, back-button pressers, or man-in-the-middle attackers could sure get it then.

Posted In LeakedIn.

Fri, 22 Jun 2012 at 16:49:14 GMT


10.Paul Reinheimer said:

Hook us up Chris!

Posted In Link Blog and Planet Chris.

Wed, 20 Jun 2012 at 13:29:55 GMT


11.Karl Barnes said:

There is a great deal of information on usort and array_multisort but your example made their usage crystal clear - thanks!

Posted In Sorting Multi-Dimensional Arrays in PHP.

Mon, 18 Jun 2012 at 22:52:40 GMT


12.Elisavet Triant said:

Well, asking people for their passwords, even if it's legit, isn't a very good idea.

What I did was to change my password anyway in LinkedIn and THEN check to see if it was leaked. Your form says it wasn't.

Posted In LeakedIn.

Wed, 13 Jun 2012 at 07:18:11 GMT


13.Marek Janouš said:

Mine was not leaked nor cracked according to leakedin.org, yet I still got the e-mail from LinkedIn, saying they believe it was included “in the post” (though not cracked).

Posted In LeakedIn.

Tue, 12 Jun 2012 at 09:47:06 GMT


14.Ian Coleman said:

Thanks Chris!

This has become a SERIOUS problem: the hackers HAVE the corresponding email address to my cracked password!! The only other place I used the email address I used for LinkedIn is Twitter. Stupidly, my Twitter and LinkedIn accounts also had the same password, which I didn't realise until this morning, as my Twitter account was accessed by a 3rd party who tweeted spam tweets linking to a Russian-based .ru site.

Either via the LinkedIn data dump or by other means, the group has clearly matched email addresses with passwords! Now I have to check everything to make sure there isn't somewhere else I've used that email address/password combo.

Thanks for shedding light on this; LinkedIn certainly aren't.

Posted In LeakedIn.

Mon, 11 Jun 2012 at 13:54:50 GMT


15. said:

Mine was leaked but not cracked.

Anyway I changed it.

Posted In LeakedIn.

Mon, 11 Jun 2012 at 09:18:49 GMT


16. said:

Thanks Chris for this very helpful blog. I too was reluctant to post my password, so I used a PHP script on XAMPP to hash it, then used findstr from the Windows 2003 Resource Kit to search the combo_not.txt file. Sure enough, there was my hashed password!

Posted In LeakedIn.

Mon, 11 Jun 2012 at 09:05:07 GMT


17.Avalonica Sativa said:

What is the answer to Philip Herbert's query above? When you go from form page to form page?

Posted In Cross-Site Request Forgeries.

Sun, 10 Jun 2012 at 20:10:44 GMT


18. said:

I typed in some entries from the 10 worst passwords leaked and it says I am safe - WTH? Did they remove those entries?

Posted In LeakedIn.

Sat, 09 Jun 2012 at 15:54:52 GMT


19.Michael Hraba said:

Friendly question for layman....

You enter your password, and all within my browser, without anything transmitted and no one seeing it, my password transforms into a bunch of stuff... and then it checks it?

Slow non-techie people want to join in, too. =)

Posted In LeakedIn.

Fri, 08 Jun 2012 at 21:33:01 GMT


20.Vince Work said:

Thanks for removing getclicky--an acknowledgment of the security risk mentioned in comment #57, perhaps? However, there are still glaring issues with leakedin.org.

leakedin.org is transmitting unsalted SHA1 hashes over cleartext HTTP.

Ask yourself this. What did hackers obtain from LinkedIn and post on an online forum--the whole source of this controversy?

Answer: unsalted SHA1 hashes.

Now, what does leakedin.org risk leaking?

Answer: More unsalted SHA1 hashes.

To offer a solution by compounding the problem is just not right. Please reconsider.

Posted In LeakedIn.

Fri, 08 Jun 2012 at 19:08:17 GMT


21. said:

@Amarendra Godbole: Doesn't matter that the password is hashed client side. There's no difference between sending the hash over the wire in clear text and the hash existing in the leaked file. The leaked file doesn't contain any passwords in clear text either. If you're concerned about your hash existing in this file, you should be concerned about sending it across the wire in the clear as well.

@Chris Morrow: Leaked means the hash was leaked when the file was leaked. Cracked means that the hash has been reversed into a password. It's possible to be leaked but not cracked because hash algorithms are one way. You can generate a hash from some text but there is no algorithmic way to get the text from the hash. In order to crack the passwords given the hashes one has to brute force (i.e. guess) the passwords. Clever folks have created specialized programs to make cracking these hashes more efficient, including Rainbow Tables. For a deeper understanding see http://netsecurity.about.com/od/hackertools/a/Rainbow-Tables.htm.

Posted In LeakedIn.

Fri, 08 Jun 2012 at 18:17:10 GMT


22.Michael Rasmussen said:

@Olli Erinko - You can tunnel and log in from two places at a time. I'm routinely accessing my bank account from net locations ~2700km apart within 20 minutes.

Posted In LeakedIn.

Fri, 08 Jun 2012 at 14:50:12 GMT


23.Olli Erinko said:

Well, my password wasn't on the list of cracked passwords.

Though, the day the LinkedIn leak was announced (actually just a few hours after), my Gmail account was accessed from China (I'm around 7000 kilometers from there; no way I could get there within the 5 minutes between me accessing it from here and someone accessing it from there).

I suppose I could call myself lucky for Google's protective measures (the account was locked instantly, and required me to re-enable it with my mobile phone).

In other words, I'm not so sure that the list found on various forums is a complete list of all leaked passwords.

Posted In LeakedIn.

Fri, 08 Jun 2012 at 13:31:13 GMT


24.Kashish Jain said:

My Password is safe and is not on the list. Thank you for informing.

With Regards

Kashish Jain

Posted In LeakedIn.

Fri, 08 Jun 2012 at 11:24:27 GMT


25. said:

@Amarendra Godbole

What was that GetClicky stuff in the javascript earlier? It's gone now but was there. Just because the code "looks safe" now does not mean it was safe two hours ago.

This is the problem. Client-side javascript is changing and the end-user has no idea. It could have changed again while I bothered to type this.

Best practices should still always apply. I'm sure the authors of this blog agree completely.

Posted In LeakedIn.

Fri, 08 Jun 2012 at 06:36:54 GMT

