Articles I've written

Stealing session ids with phpinfo() and how to stop it

Stealing session ids from phpinfo() output has been a known technique for some time; it is used to bypass the HttpOnly attribute, which prohibits JavaScript from accessing a cookie marked as such (e.g. PHPSESSID). I just thought of a solution that lets you keep your phpinfo(): simply censor the sensitive data, so that phpinfo() loses some of its value to the attacker.

(read more…)

Using JavaScript to modify URLs and hide fbclid
November 7, 2018

Roughly two weeks ago, Facebook started adding a tracking parameter, fbclid (Facebook click id?), to all external links users share. I didn't like it, so I'm hiding it.

(read more…)

Adding features & deleting code, or How I joined Report URI
June 30, 2018

I joined Report URI, the real-time security reporting tool, a year ago. In fact, my first code change was June 27, 2017. Since then I've added 709,402 more lines. And deleted 1,981,599 lines.

(read more…)

This is how you respond to a disclosure
December 22, 2017

I reported a stored XSS vulnerability and it was triaged, fixed, tested and deployed in less than an hour. On a Friday. Before Christmas.

(read more…)

All articles