A blog about tech, programming, security, and various other subjects.




Found 16 results for your search query or tag selection.
To curl|bash or not to curl|bash  Tags: software, security.
People have a lot to say about how terrible piping from curl to bash is. These are the reasons people give:

1. It executes arbitrary code on your system!

I'm sure these people never ran a .exe file in their life.

2. The download could cut off mid-file and turn "rm /opt/something" into "rm /opt"!

Valid point! This is why installers meant for curl|bash commonly wrap everything in one big function and call it on the last line: bash executes commands as it reads them from the pipe, so a partial download of a plain script runs whatever lines arrived, cut-off ones included, whereas a partial download of a wrapped script ends inside an unfinished function definition, which bash rejects as a syntax error without running anything. If you care, you can inspect the script to see whether it does this, and if the software is on GitHub or something (curl|bash-using software usually is) or has nice developers, you can let them know or send a pull request.

3. The code is not signed! If it came from the repositories, it would be signed.
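As an added example (not from the original post), the following demonstrates the truncation problem from point 2 and why wrapping the installer in a function defuses it. The two installers, the directory names and the scratch tree in $TARGET are constructed for this demo; the script pipes into bash explicitly, as a curl|bash line would.

```shell
#!/bin/sh
# Added example, not part of the original post. Both installers below are
# constructed for the demo; "something" and "unrelated" are made-up directory
# names under a scratch tree whose path is exported as TARGET.

# A naive installer. bash executes each line as soon as it has read it, so a
# download that stops after "rm -rf $TARGET/opt" runs exactly that command.
NAIVE_INSTALLER='
echo "installing"
rm -rf $TARGET/opt/something
echo "done"
'

# The same installer wrapped in a function. Nothing runs until the closing brace
# has been parsed and the final line calls main; a cut-off download leaves an
# unfinished function definition, which bash rejects as a syntax error.
WRAPPED_INSTALLER='
main() {
    echo "installing"
    rm -rf $TARGET/opt/something
    echo "done"
}
main "$@"
'

# Build a scratch directory tree standing in for the victim's filesystem.
make_victim() {
    TARGET=$(mktemp -d)
    export TARGET
    mkdir -p "$TARGET/opt/something" "$TARGET/opt/unrelated"
}

# Simulate a connection dropped just before "/something": feed the truncated
# script to bash the way curl would, and return bash's exit status.
pipe_truncated() {
    truncated=${1%%/something*}
    printf '%s' "$truncated" | bash 2>/dev/null
}

# Succeeds (exit 0) if the directory the installer never meant to touch is still there.
unrelated_survived() {
    [ -d "$TARGET/opt/unrelated" ]
}

demo() {
    make_victim
    pipe_truncated "$NAIVE_INSTALLER" || true
    if unrelated_survived; then
        echo "naive installer: unrelated directory survived"
    else
        echo "naive installer: truncated 'rm -rf .../opt/something' wiped $TARGET/opt"
    fi

    make_victim
    pipe_truncated "$WRAPPED_INSTALLER" || echo "wrapped installer: bash refused the truncated script (exit $?)"
    if unrelated_survived; then
        echo "wrapped installer: nothing was deleted"
    fi
    rm -rf "$TARGET"
}

demo
```

Run it and the naive installer's truncated `rm -rf $TARGET/opt` removes the whole opt tree, while bash refuses the truncated wrapped script with "unexpected end of file" and deletes nothing. The protection only covers what is inside the function: any command placed before the function definition still runs the moment it arrives.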
Local File Inclusion by one misplaced character  Tags: security, websites.
"Uh-oh," I thought, as a good friend alerted me to a local file inclusion vulnerability in a site that I recently made. It's still in beta, not public yet, but still. How could this happen? I wrote code to prevent this!

The site has a ?page=mypage parameter that you could modify into anything, and it would just include the page instead of restricting it to existing and allowed pages. An absolute beginner's mistake, and I had thought of it and secured it. I just hadn't tested it.

I went to look at the code.

if (in_array($_GET['page'], array('about', 'contact', true))) {
    require($_GET['page'] . '.php');
}
Can you spot the error?
Encrypting passwords  Tags: security, webdevelopment, programming, websites.
It's so easy to bash Adobe for encrypting passwords instead of hashing them. The entire security community did, and of course they were right. Encryption is by definition reversible, so it was stupid of Adobe to encrypt passwords instead of hashing them, right? Right?

Or maybe not. As time passes and not a single password from an Adobe user has been leaked, aside from the ones solved in crossword puzzles, I am starting to doubt our judgment.
Are you affected by Adobe's hack?  Tags: websites, security.
I wrote a tool that checks whether your email address and password were among the ones hacked at Adobe. It won't be online forever, just for a few days I think.

You can find it here: https://lucb1e.com/credgrep

The reason it won't be online forever is that it needs a daemon to run. Searching a 10GB file is not trivial, so instead of searching it for everyone individually I wrote a program that does it in the background (a daemon). Whenever someone adds a search, it is added to the database.
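As an added example, not the credgrep code from the post: one way to implement the batching idea described above, where pending lookups are collected and a background pass answers all of them with a single sweep over the big file. The post's database is replaced by a plain queue file, the lookup is by e-mail address only, and the dump's contents and record layout are constructed for this demo.

```shell
#!/bin/sh
# Added example, not the credgrep code from the post. Lookups are queued and a
# background pass answers all of them with one grep -F -f sweep, so the cost is a
# single linear scan of the file however many addresses are pending. The dump
# lines, the record layout (id|email|ciphertext|hint) and the addresses are
# constructed for this demo.

DUMP=$(mktemp)
QUEUE=$(mktemp)
RESULTS=$(mktemp)
trap 'rm -f "$DUMP" "$QUEUE" "$RESULTS"' EXIT

# Constructed stand-in for the leaked file; not the real dump's layout.
cat > "$DUMP" <<'EOF'
1001|alice@example.com|xHq8K2mZ|my dog
1002|bob@example.org|Ff9Lq0oA|usual
1003|carol@example.net|R2v8Bb1Q|
EOF

# enqueue ADDRESS: record a pending lookup (the post keeps these in a database).
# Empty patterns are refused: an empty line in a grep -f file matches every record.
enqueue() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" >> "$QUEUE"
}

# run_batch: answer every queued lookup in one pass over the file. -F treats the
# queued addresses as fixed strings, so user input cannot smuggle in regex
# syntax; -f reads the whole queue as the pattern set. Each matching record is
# then attributed to the address it contains and written as "address<TAB>record".
run_batch() {
    : > "$RESULTS"
    [ -s "$QUEUE" ] || return 0
    grep -F -f "$QUEUE" "$DUMP" | while IFS= read -r record; do
        while IFS= read -r addr; do
            case "$record" in
                *"$addr"*) printf '%s\t%s\n' "$addr" "$record" >> "$RESULTS" ;;
            esac
        done < "$QUEUE"
    done
    : > "$QUEUE"   # queue drained; new requests wait for the next pass
}

# result_for ADDRESS: print the records found for one requester (empty if none).
result_for() {
    awk -F'\t' -v a="$1" '$1 == a { print $2 }' "$RESULTS"
}

# Demo: two visitors each queue a lookup, the background pass runs once.
enqueue alice@example.com
enqueue nobody@example.com
run_batch
printf 'alice@example.com -> %s\n' "$(result_for alice@example.com)"
printf 'nobody@example.com -> %s\n' "$(result_for nobody@example.com)"
```

The match is a plain substring match, so a queued "ob@example.org" would also hit bob's record; a real deployment would anchor the pattern on the field delimiters or compare the extracted e-mail field exactly.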
What is XSS and how to protect your website  Tags: webdevelopment, security, programming.
Alternative title: How do XSS attacks work and how can you exploit them.
To secure things you must know how they work, right? ;) The post mainly focuses on how it works and how to protect your website though, so let's dive right into it.

First of all, XSS means cross-site scripting. The name is a bit misleading, since the attack isn't necessarily cross-site: it is basically getting a script into a page at a place where other users' browsers will run it without those users knowing.


lucb1e.com