Comments for Web App Security

Comments for Web App Security http://www.idontplaydarts.com PHP & LAMP Stack Security Tue, 31 Jan 2012 14:07:48 +0000 hourly 1 Comment on Extending Burp Suite to solve reCAPTCHA by travis http://www.idontplaydarts.com/2012/01/extending-burp-suite-to-solve-recaptcha/#comment-1379 travis Tue, 31 Jan 2012 14:07:48 +0000 http://www.idontplaydarts.com/?p=717#comment-1379 This looks awesome. In my testing I haven't come across any applications using captcha as of late but when I do encounter one I'll make sure to try this technique. Thanks for putting this together. You just got a new follower. This looks awesome. In my testing I haven’t come across any applications using captcha as of late but when I do encounter one I’ll make sure to try this technique. Thanks for putting this together. You just got a new follower.

]]> Comment on Decrypting suhosin sessions and cookies. by Phil http://www.idontplaydarts.com/2011/11/decrypting-suhosin-sessions-and-cookies/#comment-1372 Phil Thu, 26 Jan 2012 21:22:02 +0000 http://www.idontplaydarts.com/?p=650#comment-1372 As you say, chmod the ini file with the suhosin secret key in so it is only readable as root and ensure that Suhosin is set to use the user agent as part of the encryption string. For defence in depth you can use open_basedir to prevent PHP from directly accessing the sessions directory :) As you say, chmod the ini file with the suhosin secret key in so it is only readable as root and ensure that Suhosin is set to use the user agent as part of the encryption string. For defence in depth you can use open_basedir to prevent PHP from directly accessing the sessions directory :)

]]> Comment on Decrypting suhosin sessions and cookies. by Steffen Müller http://www.idontplaydarts.com/2011/11/decrypting-suhosin-sessions-and-cookies/#comment-1370 Steffen Müller Thu, 26 Jan 2012 13:41:14 +0000 http://www.idontplaydarts.com/?p=650#comment-1370 Awesome article. Thanks for explaining this topic and for providing a decrypter tool. However, what's your conclusion to make encryption more safe? Do you think this is possible at all? At least the .ini-file containing the cryptkey should be readable by root only (chmod 400) otherwise the cryptkey can be read when bad guys gain access to filesystem. Awesome article. Thanks for explaining this topic and for providing a decrypter tool.

However, what’s your conclusion to make encryption more safe? Do you think this is possible at all?
At least the .ini-file containing the cryptkey should be readable by root only (chmod 400) otherwise the cryptkey can be read when bad guys gain access to filesystem.

]]> Comment on Scanning the internal network using SimpleXML by am http://www.idontplaydarts.com/2011/02/scanning-the-internal-network-using-simplexml/#comment-1335 am Mon, 23 Jan 2012 17:49:41 +0000 http://www.idontplaydarts.com/?p=72#comment-1335 ps: you should add an option to subscribe to comments via email. would be really useful! ps: you should add an option to subscribe to comments via email. would be really useful!

]]> Comment on Scanning the internal network using SimpleXML by am http://www.idontplaydarts.com/2011/02/scanning-the-internal-network-using-simplexml/#comment-1334 am Mon, 23 Jan 2012 17:48:48 +0000 http://www.idontplaydarts.com/?p=72#comment-1334 that's even more interesting:)) that’s even more interesting:))

]]> Comment on Scanning the internal network using SimpleXML by Phil http://www.idontplaydarts.com/2011/02/scanning-the-internal-network-using-simplexml/#comment-1330 Phil Mon, 23 Jan 2012 09:55:00 +0000 http://www.idontplaydarts.com/?p=72#comment-1330 Nice spot - post updated now, looks like you can use php filters to read binary files as well :) Nice spot – post updated now, looks like you can use php filters to read binary files as well :)

]]> Comment on Scanning the internal network using SimpleXML by am http://www.idontplaydarts.com/2011/02/scanning-the-internal-network-using-simplexml/#comment-1328 am Mon, 23 Jan 2012 06:57:18 +0000 http://www.idontplaydarts.com/?p=72#comment-1328 what have you updated i don't see.... On php you have to use file:////etc/passwd. what have you updated i don’t see…. On php you have to use file:////etc/passwd.

]]> Comment on Scanning the internal network using SimpleXML by am http://www.idontplaydarts.com/2011/02/scanning-the-internal-network-using-simplexml/#comment-1327 am Mon, 23 Jan 2012 06:55:04 +0000 http://www.idontplaydarts.com/?p=72#comment-1327 i've managed to read files using php:) i’ve managed to read files using php:)

]]> Comment on Scanning the internal network using SimpleXML by Phil http://www.idontplaydarts.com/2011/02/scanning-the-internal-network-using-simplexml/#comment-1321 Phil Sun, 22 Jan 2012 21:03:52 +0000 http://www.idontplaydarts.com/?p=72#comment-1321 Good spot, I've updated the post. If the parser supports it then its a good idea to try LFI - I found file://etc/passwd works on most Java implementations but the file syntax doesn't appear to work with ASP.NET / PHP. Good spot, I’ve updated the post. If the parser supports it then its a good idea to try LFI – I found file://etc/passwd works on most Java implementations but the file syntax doesn’t appear to work with ASP.NET / PHP.

]]> Comment on Scanning the internal network using SimpleXML by am http://www.idontplaydarts.com/2011/02/scanning-the-internal-network-using-simplexml/#comment-1316 am Sun, 22 Jan 2012 12:26:11 +0000 http://www.idontplaydarts.com/?p=72#comment-1316 this is an interesting topic. are you sure the first 2 errors are because of invalid xml synthax? It looks 2 me that those 2 remote files are non-existent....one redirects, the other is a 404. Also, it should be tested if local files could be read. this is an interesting topic.
are you sure the first 2 errors are because of invalid xml synthax? It looks 2 me that those 2 remote files are non-existent….one redirects, the other is a 404.

Also, it should be tested if local files could be read.

]]>