Essential PHP Security and MD5 Reversing
I’ve just finished reading Chris Shiflett’s Essential PHP Security, and I have to say that it’s a great book. It’s very small—weighing in at only 109 pages (including the appendices and index)—but I think Chris feels this is its main draw. Indeed, it’s a quick and easy read, but that doesn’t mean it’s lacking in thoughtful and careful attention to detail—on the contrary. Rather, Chris has created a very concise and easy-to-read guide to Web application security. The language is clear, as are the examples.
For anyone who’s ever attended one of Chris’s talks on PHP security, this is the ultimate companion. For those who haven’t had the privilege of sitting in on his talks, this book is everything that you’re missing.
It’s available on Amazon.
Now, for some fun, I used the Rednoize MD5 database mentioned in Chapter 3 of Essential PHP Security to build a little AJAX application that creates MD5 hashes of strings and checks whether a given hash exists in the MD5 database. According to the Rednoize blog, there are over 2 million MD5 hashes stored with their counterparts in the database. In addition, I’m using Paul Johnston’s JavaScript MD5 library to handle the string-to-MD5 conversion on the client side (rather than sending an extra request to the server).
Now, on the Rednoize MD5 site, when you enter a string (as opposed to an MD5 hash) that does not exist in the database, it automatically creates a hash of that string and adds it to the database. Thus, you should beware if you enter your own passwords, for then your passwords and their corresponding MD5 hashes will be in the database. My implementation does not do this, however: if the string entered is not exactly 32 alpha-numeric characters, it will not try to retrieve a value for it from the MD5 database, so a plaintext string is only hashed in the browser and is never submitted for lookup.
If you want, give my little MD5 reversal application a try.
UPDATE: The MD5 database does not appear to store string values longer than 32 characters; it appears to truncate strings at 32 characters and save the MD5 hash of the truncated string. So, be sure all your passwords are > 32 characters. ;-)
UPDATE (6 Nov ’05): I’ve moved my MD5 hash lookup application to http://md5.benramsey.com/, where it will live on a permanent basis.
8 Comments
glad to see that you are back on writing about PHP security ...
Glad to hear you liked the book! :-)
Hi
Did Chris Shiflett really mention my site in his book?
If so, amazing .. have to buy this one ;)
I am really not impressed by your AJAX MD5 thing.
1. It's buggy on Firefox (response has no properties - http://benramsey.com/code/md5/ : 41)
2. It's not working very well at all.
I entered "6254b8c64145b9493d470cd08ddbceaa", and it has not found the value although it's in my database (http://md5.rednoize.com/?q=....
Greets
Marcel Oelke
http://puRe.rednoize.com/
Oh ...
and you should really use the XML interface (http://md5.rednoize.com/?xm...
or the plain text interface (http://md5.rednoize.com/?p&...
I am using the XML interface, actually. You can take a look at my code to see what I'm doing; the source is right there.
As for point #2, I've fixed this. I was using ctype_alnum() to filter responses, and this clearly doesn't work when it comes to spaces, etc.
And I'm not sure what you mean by "buggy on firefox" and "response has no properties." All I ever use is Firefox, and I'm not seeing the problems you speak of.
Okay, here's the procedure:
1. Open http://benramsey.com/code/md5/ in Firefox 1.07
2. Enter "555" into the Hash to reverse input field.
3. Press the button "Reverse Hash"
4. Result: A JavaScript error: response has no properties
Sourcefile: http://benramsey.com/code/md5/
Line: 41
The two lines are:
var response = request.responseXML;
var root = response.documentElement;
But don't ask me what's wrong ;)
And no, you don't use the XML interface of http://md5.rednoize.com. At least from what I see in the code:
request.open('get', 'md5.php?q=' + escape(md5));
to use the xml interface use
request.open('get', 'md5.php?xml&q=' + escape(md5));
and change the way the response is parsed. This would make your whole thing faster.
Anyway, thanks for your interest in my site. I am quite happy that it gets so much attention (which I never expected).
That's odd. I see what you're talking about; however, it only appears to occur if the input field still has the focus when you click on the button. Otherwise, it works just fine. The onblur event on the field works, and the onclick event on the button works (so long as the field doesn't have the focus). I'll have to see what I can figure out.
As for the code, you're looking at the wrong source code. A browser's XMLHttpRequest object won't fetch a file from a domain other than that of the parent resource. This is for obvious security reasons. Thus, I'm requesting the md5.php script on my own site, which, in turn, makes a request to your XML interface.
The source code I'm referring to is available here:
http://benramsey.com/code/s...
Cool...interesting site (md5.rednoize.com).
Speaking of web / application security, there are lots of books covering the topic. Although I haven't read Essential PHP Security, and am sure it's good for those of us programming in PHP (and other languages), I'd recommend these security-oriented (more "general purpose" or "programming-language-independent", perhaps?) books:
- Building Secure Software (http://www.amazon.com/gp/pr...
- Innocent Code: A Security Wake-up Call for Web Programmers (http://www.amazon.com/gp/pr...