In this post, we will go through the process of deep copying a PHP variable in user land (i.e., in pure PHP) step by step, describing the challenges at every step, resolving them and going forward. (TL;DR: check this GitHub gist for the final solution) The Challenges: There are three particular challenges for solving the deep copy problem in PHP: Some things simply cannot be copied (e.g., resources like file handles, and objects like MySQLi instances) References are invisible in PHP. They …
Category: Security
If you’re here because you were at my Black Hat USA 2014 Taintless talk, and you wanted to solve that challenge; here’s a clearer image of my t-shirt: The presentation and …
This post is about Sharif CERT (APA) center’s recent CTF (10 Dec 2012), which is one of a kind in Iran. Most CTFs are a few days long since there …
PHP Serialization has a fatal flaw which allows for pollution of the scope and global context of an application, as well as running arbitrary code in some scenarios if sources …
I participated in the Stripe CTF Web Attacks and thus far it was the most well designed CTF I have ever encountered (and I have participated in a couple dozen). This …
While I was thinking about certain ways of summarizing CSRF prevention for OWASP PHP Security Cheat Sheet – mixing taint tracking with different request criteria – I found a certain type of …
I just finished my Bachelor’s thesis with the topic “Secure Web Application Framework”, unfortunately it’s in Persian, thus only Persian readers can enjoy it. It’s about 200 pages, which about …
The next Monday, 21st Farvardin (Jalali) I’ll be having a speaking session at Tarbiat Moalem (aka Kharazmi) University, set up by my dearly respected professor, Dr. Ehsan Malekian. I’ll be …
This is intended to be a theoretical/practical tutorial on how to use email certificates to encrypt and digitally sign your emails. There are approximately 2 million emails transferred every hour, …
This one is intended to be an educational/tutorial post on how I hacked an MMORPG web browser Persian game known as Removed From Text and along with it, the well …