Cryptographically secure rand() replacement

Posted on November 14, 2013 in Cryptography • Tagged with Cryptography, Php, Security, Programming • 5 min read

If you are a programmer, you sometimes find yourself in the need for random numbers. There are many possible use cases:

  • Generate data for unit-tests.
  • Build secure passwords or keys as input for ciphers like AES, Twofish and its colleagues.
  • Simulating the real world for modelling applications.
  • A prominent use case: Lot's of gambling sites depend on good random number generators.

Now if you code in PHP, there are quite some different ways to obtain random numbers. There is the rand ( int $min , int $max ) function for instance: It yields a random number within the range specified by the $min and $max parameters.

The documentation states that this approach isn't particularly secure and shouldn't be used for applications that need to feed algorithms with cryptographically secure random data. Then there's mt_rand ( int $min , int $max ) that apparently creates better random values. Certainly not suitable for crypto purposes as well.
There were/are quite some applications concerned with security bugs because of using rand() or mt_rand() for passwords, encryption keys, session cookies, CSRF tokens and the like. See also this link to a related discussion on

But because of convenience of the $min, $max interfaces of …

Continue reading

A tale of a twofold broken wordpress captcha plugin

Posted on November 04, 2013 in Programming • Tagged with Captcha, Security, Programming, Exploit • 17 min read

Last Edit (Effective: 7th November 2013)

It seems like the plugin authors updated the security of the plugin. All the bottom blog entry deals with version 3.8.7. In this new paragraph, I will look whether these recent updates to version 3.8.8 added the necessary security to prevent conducting an...

  • Attack vector one: Parsing the captcha logic.
  • Attack vector two: Reversing the decode() function and just reading the solution from the hidden fields.

Let's get started:

At line 942 of the plugin code (The start of the function that generates the captcha) we see that the password isn't longer a static clear text password, it is built dynamically every 24 hours with the function cptch_generate_key(), that I will show here for your convenience:

// Functionality of the captcha logic work for custom form
if ( ! function_exists( 'cptch_display_captcha_custom' ) ) {
    function cptch_display_captcha_custom() {
        global $cptch_options, $cptch_time;

        if ( ! isset( $cptch_options['cptch_str_key'] ) )
            $cptch_options = get_option( 'cptch_options' );
        if ( $cptch_options['cptch_str_key']['key'] == '' || $cptch_options['cptch_str_key']['time'] < time() - ( 24 * 60 * 60 ) )
        $str_key = $cptch_options['cptch_str_key']['key'];

Let's see if the new …

Continue reading

No 2. - flash-album-gallery: persistent XSS exploitet with help of XSRF leading to remote code execution.

Posted on July 27, 2013 in Programming • Tagged with Exploit, Programming, Bug, Security, Xss, Rce • 12 min read

DOWNLOADS: 840,714

The following blog post addresses a critical (chain) of security issues in the version 3.01 of flash-album-gallery
which eventually leads to remote code execution. The exploit is not completely automatically and needs a minimal amount
of social engineering. Nevertheless I rate the danger at a medium/high level {Probably even worse than a fully automatable SQL injection).

First of all, I need to say that the plugin code lacks a fair amount of secure programming techniques and has inherent design flaws as far
as I can say this [I am not a software engineer, I do security as a hobby]. Assumingly, this is a direct result of heterogenous and
evolutionary growth of the software.
I researched flash-album-gallery mainly in June 2013 and after some weeks I found a CSRF vulnerability in combination with
a stored XSS. But on the same time I was preparing to contact the author and reveal my findings, I noticed a new version and
the bug seemed to be found by an independent researcher. See below the lines Fix: vulnerability with albums and Fix: XSS bugs reported by Ken …

Continue reading

No 1. - wp-members: Interesting peristant XSS leading to remote code execution.

Posted on March 15, 2013 in Security • Tagged with Security, Programming • 8 min read

Hey you there!

Type: Stored cross site scripting
Risk: Medium to high
Affecting: Vendor site:


It has been quite some time since I took concern of my blog, although I would have had some content ready (maybe even worth) to be published. Around six weeks ago, I rummaged (wow - new word!) through endless lines of wordpress plugin code, in the hope to get my hands on some low hanging fruits (In the likely case you don't have a clue what I am talking about: I was searching for easyily detectable security bugs in plugin applications written for wordpress). After analysing for several hours the architecture and design of a randomly chosen target - wp-members, a plugin providing the site owner with the functionality to password protect content on his wordpress site - I was able to detect a pretty nasty bug.

The bug

Alongside with the access restriction mechanism, the plugin furthermore allows users to register. The potential user is presented a nice form, which would transfer an array of registration data to the web server when submitted. Considering this, there is only one possibile location for a sink source and therefore …

Continue reading

Another wordpress catpcha implementation

Posted on January 25, 2013 in Learning • Tagged with Programming, Learning, Security • 6 min read

Hey dear readership and dudelmatz :)

I'm kinda overworked and planned quite a while ago to release my own little captcha implementation to prevent this massive bulk of spam comments I receive on a daily base: It's obnoxious to scroll through this sheer amount of spam comments and delete them. You can't just masstrash them, because you might miss a legit comment and therefore you need to check every single one. I assume the spammer embrace this expected behaviour of a blogger, and therefore exploit it.

So I needed to put a stop to this violation of my spare time and I created my own captcha. Of course, I first searched for a working and already existing solution (and I am sure there are many which are better then what I came up with), but the one I used is basically crap

Its plugin description states:

Captcha plugin allows you to protect your website from spam using math logic which can be used for login, registration, reseting password, comments forms.

And yeah as I feared this simple elegant captcha is worthless, because math logic is a joke to parse and solve by computers (=>spamscripts). I was pissed and in a mood …

Continue reading - A simple python module to parse google search results.

Posted on January 06, 2013 in Programming • Tagged with Google, Scraping, Programming, Security • 14 min read

UPDATE on 18th February 2014:

This python module has now its own github repository!

The plugin can extract

  • All links
  • Link titles
  • The description/caption below the links

and has the following features:

  • Advanced proxy support for SOCKS4/4a/5 and HTTP PROXY
  • Multithreading
  • XPATH parsing
  • Supports almost all search parameters

Please note that this is by no means a permanent version! Heavy structural changes will be implemented in the near future (I'll experiment with asynchronous networking for instance). But on this site, I will always host a working version with instructions how to use it, such that visitors can always use the script!

1. Edit (07.01.2013):

  • Using requests instead of urllib
  • Added random User Agents for every new search.
  • Cleaned the code
  • Implemented foundation to combine with proxychains

Original Blog Post

Sample output after searching for 'cats are not cute' (sorry) with 100 results per page on 3 ascending pages: results.txt

I always was in need of a fast and reliable working python module to query the google search engine. The google API is rubbish, because they just give you maximally 36 results. This is completly inacceptable!

So, I looked further and found …

Continue reading