Let’s play a game: what is the deadly bug here?

This short PHP snippet contains a critical vulnerability. In this video I explain in detail what I think about while analysing it.

Original source of challenge:
Link to tweet:

Similar Posts

44 thoughts on “Let’s play a game: what is the deadly bug here?”
  1. The fact that hash_hmac doesn't exit the code on such an error is actually shameful. What is the use of having it return a NULL value and return? The sole purpose of it providing a secure string is just absent then? In that case, a function without an actual function.

  2. Dude! More than 650 messages... I checked like 50 and I think that just Arthur said something interesting. I hate this entertainment culture. Look, you cannot pass an array just like that, and it's a POST method. I haven't touched PHP in, IDK, 10 years maybe. I don't even have it installed on the PC and I apply for jobs occasionally, LOL. Anyway, I'm pretty sure the value will be parsed as a string. To be honest I don't care, I won't install PHP again. But yeah, nice video, good job.

  3. I had paused the video at the beginning and came up with a completely different answer: the !== likely stops upon the first mismatching character, leading to a timing side-channel. (The time it takes for the server to reject your request increases with the number of correct characters in the submitted HMAC, so characters in the correct HMAC can be learned one-at-a-time by seeing which next character results in the highest average response time.)

  4. I was completely bamboozled until I remembered that PHP is the language with cryptographic primitives that ** themselves for no good reason.

    These are the kinds of things that put PHP on the blacklist for me. I'm not that fond of the stylistic aspects of the language — that's my original reason for dropping it. But even if I was willing to put up with that, I would need major reform of the standard library to be willing to touch it.

    The strict types feature in PHP is a step, but it's nowhere near enough. Things like the inconsistent handling of null bytes in strings make me constantly worry that code which looks perfectly sensible will explode for no good reason.

    I'd also need a corresponding reform in the PHP ecosystem in order to do much of significance — many of the "big players" in the ecosystem have awful track records. How much of that was really inherited from the language and standard library? How long would it take for them to actually transition to this hypothetical, sensible version of PHP?

  5. Amazing video, man. I have been learning a lot in this lockdown, and this is all because of you and John. Thanks a lot for making videos and spreading knowledge, amazing work. Lots of respect to all those who share knowledge...

  6. Interesting to note it's still exploitable without using the array trick if the SECRET env var isn't set, which actually may be the case during a short window on a production build pipeline.
    When SECRET isn't set, NULL will be used in the first hash_hmac call. So you can determine the $secret as it's just the MAC of (nonce + NULL). Then use that $secret to generate a real HMAC for whatever $host you want. e.g.: $_POST['nonce'] = '55'; $_POST['hmac'] = '95b9691bb4d6df1c99b7f9773a6db21641cec445c0f9f13def69802e098d8545'; $_POST['host'] = ';id';
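The three failure modes raised in the comments (hash_hmac() returning NULL instead of a digest when handed an array, a missing SECRET silently turning into an empty key, and a non-constant-time `!==` comparison) all have standard mitigations. The snippet below is an added example written for this page, not the challenge code from the video; the shape of the original check (a key derived from $_POST['nonce'] and a SECRET environment variable, then an HMAC over $_POST['host'] compared against $_POST['hmac']) is an assumption reconstructed from comment 6, and the function name verify_request() is invented here.

```php
<?php
declare(strict_types=1);

// Added example, not the original challenge code. The request layout
// (nonce, hmac, host fields; SECRET env var) is assumed from the comments.

function verify_request(array $post, ?string $secretEnv): bool
{
    // 1. Fail closed when the secret is missing or empty. On PHP 7.x a NULL key
    //    is coerced to "", so hash_hmac() quietly produces a key-less MAC that
    //    anyone can recompute (the scenario in comment 6).
    if ($secretEnv === null || $secretEnv === '') {
        error_log('SECRET is not configured; refusing request');
        return false;
    }

    // 2. Accept only scalar strings from the request. On PHP 7.x, passing an
    //    array to hash_hmac() emits a warning and returns NULL rather than a
    //    digest, which is the array trick the video discusses; PHP 8 throws a
    //    TypeError instead. Either way, reject it before it reaches the MAC.
    foreach (['nonce', 'hmac', 'host'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return false;
        }
    }

    // 3. Derive the per-request key with a guaranteed non-empty string key.
    $derived = hash_hmac('sha256', $post['nonce'], $secretEnv);
    $expected = hash_hmac('sha256', $post['host'], $derived);

    // 4. Compare in constant time. `!==` on strings stops at the first
    //    differing byte (comment 3's timing side channel); hash_equals()
    //    takes the same time regardless of where the strings differ.
    //    The user-supplied value goes in the second argument, as the PHP
    //    manual recommends.
    return hash_equals($expected, $post['hmac']);
}

// Constructed demonstration input (not real traffic).
$secret = 'example-secret-do-not-use';
$good = ['nonce' => '55', 'host' => 'example.test'];
$good['hmac'] = hash_hmac('sha256', $good['host'],
                          hash_hmac('sha256', $good['nonce'], $secret));

var_dump(verify_request($good, $secret));                         // bool(true)
var_dump(verify_request(['nonce' => ['x'], 'hmac' => 'a', 'host' => 'b'], $secret)); // bool(false)
var_dump(verify_request($good, null));                            // bool(false)
```

For detection, the error_log() call in step 1 is the useful signal: a burst of "SECRET is not configured" entries during a deployment is exactly the build-pipeline window comment 6 describes, and is worth alerting on rather than letting the endpoint keep answering.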

  7. Hi,
    I have knowledge of CEH and SANS 542 and I know the OWASP Top Ten, but the real world is very different from course examples.
    So please tell me where I can gain some good experience that will help me in real hacking.
    I need every resource (book, video, ...).
    Please, this is more than a dream for me, it's a goal.
