Let's say you have a file like this:
<?php
declare(strict_types=1);
class Foo
{
protected $x;
public function __construct(array $x = [])
Scott paragonie-scott
paragonie-scott
/ run_with_mbstring_func_overload.php
Created
February 9, 2016 22:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| scott@debian ~ $ php -dmbstring.func_overload=2 sammy_test.php | |
| bool(true) | |
| scott@debian ~ $ php sammy_test.php | |
| bool(false) |
Example code for How to Safely Store a Password in 2016.
paragonie-scott
/ 1_changelog.md
Created
February 19, 2016 00:00
— forked from joepie91/1_changelog.md
Remove Wired's "ad-blocker veil"
- February 19, 2016: Initial release.
GitHub Gist doesn't send notifications when people leave a comment, so shoot me an e-mail at [email protected]. I'll gladly fix it. Fuck advertising.
paragonie-scott
/ gist:c7a73fd0f759e451cf07
Created
March 8, 2016 02:22
— forked from sarciszewski/gist:88a7ed143204d17c3e42
Javascript CSPRNG for Integers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function secure_rand(min, max) { | |
| var rval = 0; | |
| var range = max - min; | |
| if (range < 2) { | |
| return min; | |
| } | |
| var bits_needed = Math.ceil(Math.log2(range)); | |
| if (bits_needed > 53) { | |
| throw new Exception("We cannot generate numbers larger than 53 bits."); |
paragonie-scott
/ WhatsAppSaudi.txt
Created
July 13, 2016 19:10
WhatsApp Blocking Encrypted Calls to All Saudi Numbers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Suppose I have a friend named Alice. Alice has registered to WhatsApp with a | |
| Saudi number but resides in Europe. We chat over WhatsApp regularly. We are both | |
| using the latest version of WhatsApp for Android (2.16.155). | |
| However, Alice is unable to receive or initiate WhatsApp calls, even though she | |
| is in Europe and is using European WiFi. If you can test this, I suggest you do. | |
| Get a Saudi phone number, register to WhatsApp, and then fly to France and make | |
| a call. You will encounter the same result even if you're on French WiFi. | |
| WhatsApp claims that "the Saudis are blocking the initial handshake [for |
Would you (or the company you represent) consider paying money for an extension/plugin for whatever platform you currently use that fixes security faux pas?
For example:
- WordPress doesn't securely store passwords.
- Drupal only uses emulated prepared statements.
- Magento has _____ (will fill in after it's public).
- Most CMS projects don't offer secure automatic updates. (WordPress's implementation is insecure. Drupal is working on it.)
paragonie-scott
/ SVG Fails.md
Last active
May 8, 2020 03:49
image/svg+xml considered harmful: an open letter to [email protected]
Filed an issue to address this particular concern.
Thanks joepie91 for finding the folks responsible and getting the conversation started.
Currently, SVG is a security foot-cannon that allows attackers to upload a Stored XSS payload when a user views the image directly. Example.
paragonie-scott
/ hash-or-encrypt.md
Last active
September 22, 2016 20:18
Via Twitter
Authors consider SQLi as main attack vector. Hashed token mitigate r/o SQLi, encrypted mitigate r/w SQLi
That actually doesn't buy you anything. Consider the following table schema:
CREATE TABLE reset_tokens (
tokenid BIGSERIAL PRIMARY KEY,
selector TEXT,
I want to build an app that stops harassment and other forms of unsolicited bullshit.
- I don't want any money for it.
- I don't want to serve ads.
- I just want it to perform one simple task and get out of the user's way.
A mobile app (Android and/or iOS) that only allows trusted callers to go through.