AppSec Blog: Author - Johannes Ullrich

My Top 6 Honeytokens

A few years ago, I was looking for a new developer to join our team. Of course, the hard part was to find a developer that was up to the task. I don't believe much of what people say in their resumes, so I rather had them show me a site they coded and give … Continue reading My Top 6 Honeytokens


How can I tell if my password is encrypted?

For most websites, we don't have the source code available. As a user, we more or less trust the site is doing "the right thing", or well, we just use a throw away password that we accept to be compromised. Sometimes, it is obvious. For example the site is sending you your password in the … Continue reading How can I tell if my password is encrypted?


An Encrypted Password Experiment

Jason's blog post ("How Not to Do Website User Registration") certainly attracted a lot of comments! I think articles like this exceed my expectations about this blog. Back before we had "blogs", we had the Internet Storm Center diaries, which are still going strong. I always felt that the best diaries are the diaries that … Continue reading An Encrypted Password Experiment


Logging Cookies and Ambushing Lazy Pentesters.

Logging is probably one of the dry topics in application security. Without logs, debugging or even incident handling is soo much more exciting! One of the little Apache tricks I learned is to log cookie information in your Apache log. The cookie typically includes the session ID, which then links to a particular user. So … Continue reading Logging Cookies and Ambushing Lazy Pentesters.


A Proposal for a PHP "UserData" Class

The title of this blog is "Application Security Street Fighting". It is based on an idea I am pursuing for a while now. The goal is to come up with a set of simple and reproducible techniques to secure applications. Personally, I favor coding in unstructured languages like Perl and PHP for all the wrong … Continue reading A Proposal for a PHP "UserData" Class