Security
PHP md5
var_dump(md5('QNKCDZO') == md5('s878926199a'));
// true
Example
If I only use md5 to hash password,
then I can login with both 'QNKCDZO' and 's878926199a'.
var_dump(md5('QNKCDZO'));
// 0e830400451993494058024219903391
var_dump(md5('s878926199a'));
// 0e545993274517709034328855841020
WHY?
PHP is weak typing.
When using '==', it treats the result as numerical strings.
'0e830400451993494058024219903391' would be 0,
and also '0e545993274517709034328855841020',
for they are both started with '0e'.
var_dump(md5('QNKCDZO') === md5('s878926199a'));
// false
hash_equals(md5('QNKCDZO'), md5('s878926199a'));
Solution
Use '===' and it will check types.
Or you can use 'hash_equals' function which is timing attack safe.
Broken Access Control
Example
Change value of cookie, then login to another account.
Example
Cookie v.s. Session
- Cookie
- Saved at browser
- Send to server each time
- Users can modify it by themselves
- Session
- Saved on server
- Can be only accessed by server
View cookie
F12 > Storage
Public Data
SITCON 2018: 校園駭客-看你學號() return 你家住址;
Powerful Google
What can you get?
- A part of one's identity number
- Full name
You
妹子(?)
What can you get?
- Class and seat number
- Student ID
What can you do?
- Student ID
- school email
- ck1071234@gl.ck.tp.edu.tw
- 10731234@m2.csghs.tp.edu.tw
- d10730101@gapps.fg.tp.edu.tw
- school email
CK?
Calculate Identity Number
Calculate Identity Number
A12345XXXX
Known Numbers
Can be calculated
000~999 = Total 1000 combinations
What can you get?
- Full identity number
- PE grade
- Height, weight etc.
What can you get?
- address
- birthday
- grade
- family members
- embarrassing self intro
Thanks for listening!
Security
By Tony Yang
Security
INFOR Class
- 196