Hanno's blog

Entries tagged as code

Related tags

c addresssanitizer asan bufferoverflow clang gcc gentoo linux memorysafety php programming security sizeof useafterfree csrf breach cookies crime english freesoftware freewvs heist https moodle s9y samesite serendipity time tls web websecurity xss 23c3 27c3 3d 3ddrucker adobe amusementpark asia ati backnang base64 bash beijing berlin beryl bios blob bonn camera canon ccc cellular chdk chemnitz china chromium cinderella cinelerra clt codecs compiz compizfusion composite compression console copyright creativecommons css cve ddwrt debian desktop developingworld digitalcamera disney disneyland driver dvd eltorito evince exe fake ffmpeg film firefox firmware france freeculture freiegesellschaft freifunk frequencies frequency froscon froscon2007 fsf fsfe gaia games gargoyle ghost gimp glibc gnome google googleearth graphics grub gsm hardware heartbleed homebrew ibm ico icons icoutils iso itu ixus jugendumweltbewegung jukss karlsruhe kde königswusterhausen kpdf laptop lenovo lessig license lpi lpic lspci lsusb lug memdisk messe microsoft mobilephones movie musik nancy nessus nouveau nvidia ökologie okular olpc openbsc openbts openexpo opengl opensourceexpo openssl openstreetmap openvas osmocombb pciids pdf phoronix poppler presse privacy rapidprototyping rar realmedia realvideo redhat reprap retrogames reverseengineering rmll router rv30 rv40 science sciencefiction script sfd shellshock shijingshan siegburg simcity society softwarefreedomday sqlinjection stepmania sumatrapdf sunras syslinux talk theory thesource theunarchiver thinkpad travel trip2011 tuxmas unar usbids video videoediting vulnerability wii wiibrew wiki windows windowsrefund wiretapping wos wos4 wrestool xorg afra spam vortrag webapps wordpress apache browser content-security-policy cookie core coredump crash csp developer distributions drupal gallery grsecurity infoleak mantis mysql pdo segfault session sniffing squirrelmail ssl stacktrace symlink webhosting webroot webserver 4k aiglx entropia gpn gpn5 hacker ruby xgl 0days adguard aead aes algorithm altushost android antivir antivirus aok apt auskunftsanspruch axfr azure barcamp berserk bias bigbluebutton bleichenbacher blog bodensee botnetz braunschweig bsi bsideshn bugbounty bundesdatenschutzgesetz bundestrojaner bundesverfassungsgericht busby bypass ca cacert cbc cccamp11 certificate cfb chcounter chrome clamav clickjacking cloudflare cmi cms conflictofinterest crypto cryptography darmstadt datenschutz deb dell deolalikar diffiehellman dingens diploma diplomarbeit dns domain easterhegg edellroot eff email encryption eplus facebook fedora fileexfiltration firewall forwardsecrecy freak ftp fuzzing gajim git gnupg gnutls gobi gpg gsoc gstreamer hackerone hacking hannover hash helma http informationdisclosure internetscan ircbot itsecurity jabber javascript jodconverter joomla kaspersky key keyexchange komodia leak libreoffice luckythirteen malware maninthemiddle math md5 mephisto milleniumproblems mitm modulobias mozilla mpaa mplayer mrmcd mrmcd100b mrmcd101b multimedia napster netfiltersdk newspaper nist nss ntp ntpd observatory onlinedurchsuchung openleaks openpgp otr owncloud packagemanagement padding panda papierlos password passwordalert passwort passwörter pgp phishing pnp poodle privdog protocolfilters provablesecurity pss python rand random rc2 rhein rpm rsa rsapss rss salinecourier schlüssel server sha1 sha2 sha256 sha512 shellbot sicherheit signatures slides smime snallygaster sni staatsanwaltschaft study stuttgart subdomain superfish support taz thesis tlsdate toendacms transvalid überwachung ubuntu unicef unicode update updates userdir utf-8 verschlüsselung virus vlc vulnerabilities webmontag wiesbaden windowsxp x509 xine xmpp xsa zerodays zugangsdaten zzuf acid3 html midori mod_rewrite webdesign webkit webstandards okte

Thursday, October 18. 2007

freewvs released

One of the biggest threats in computer security today are web applications. There's a vast number of issues found in popular web apps, mostly cross site scripting, cross site request forgery and sql injection. For a long time I had the idea of a tool scanning through webroots and looking for popular web applications, comparing them with a database of their latest security issues. In the past weeks, I finaly managed to get some code done.

It's a quite simple python-script (don't cry about the source quality, I haven't done real coding for ages), together with a database of some popular applications. I'm looking forward to hear feedback. The usage is simple, just do something like this:
freewvs /home/joe/websites/foo /home/guest/websites/bar
Typical output looks like this:
WebsiteBaker 2.4.3 (2.6.5) CVE-2007-0527 /home/hanno/freewvs/test/websitebaker
Drupal 5.1 (5.3) CVE-2007-5416 /home/hanno/freewvs/test/drupal
PhpWebGallery 1.5.1 () CVE-2007-5012 /home/hanno/freewvs/test/phpwebgallery
Mostly self explaining. The found app at the beginning, the version where the issue was fixed in brackets, the CVE-ID (or some other vulnerability id, in doubt an URL) and the path.

The biggest work to do is probably to get more applications added to the database and to keep the database updated. It's format is pretty self-explaining, so I'm waiting for your patches.

Get it here: https://freewvs.schokokeks.org/

Posted by Hanno Böck in Code, English, Linux, Security at 19:04 | Comments (3) | Trackbacks (0)

Defined tags for this entry: code, csrf, freesoftware, freewvs, security, web, xss

Friday, September 29. 2006

PHP braindamage

Okay, I knew PHP isn't the most well-designed language in the world. I knew it grew up from a hobbyist language and that it is used for things today it never was meant for. I knew that it's function names sometimes aren't very intuitive.
But today I started to hate it. Now, beside various other strange things, this one let's me wonder which drugs the person that implemented this was consuming:

PHP is, by design, syntactical similar to C, meaning it has curly brackets, same comment syntax, same syntax for if, for and other basic commands. Now, one would probably think that a function named the same in C and PHP would do the same. Or at least something similar.
Due to the fact that C is very low-level, it has a function called sizeof() that gives you the amount of bytes a variable type uses in memory. E. g., an integer is the basic type of the current architecture, not always the same size (4 byte on i386, 8 byte on amd64). With sizeof() you can get the size of the type.
Now, I was looking for a function to get the number of elements in an array. I searched and found, well, sizeof(). Which I couldn't really believe. Due to the abstract structure of PHP, it seemed quite impossible to me to have something like sizeof() in php. It really gives you the number of elements in an array.

Posted by Hanno Böck in Code, English at 02:40 | Comments (6) | Trackbacks (0)

Defined tags for this entry: c, code, php, programming, sizeof

(Page 1 of 1, totaling 2 entries)

About me

You can find my web page with links to my work as a journalist at https://hboeck.de/.

You may also find my newsletter about climate change and decarbonization technologies interesting.

Hanno Böck
mail: hanno@hboeck.de

Hanno on Mastodon

Impressum

Creative Commons

Unless noted otherwise, all content is CC Zero / public domain

Frontpage
Datenschutz / Privacy