"That's the best password ever!"
Good security policies should have an upper bound on password length, but also those upper bounds should maybe be like 100 characters or so. There's a couple reasons for this. First being is that hashing does take some…
Ostensibly you could subtract "Shmem"[1] in /proc/meminfo from the cached value... maybe? Do agree it's not the best UX and utilities should probably do a better job at showing that [1]:…
This is only really a problem if you accept overcommit as a force of nature that can't be changed or tweaked (you can still do address space reservation without needing overcommit) If you don't, it becomes rather easy…
> The “cached” memory includes tmpfs and ramfs for seemingly no reason. If you're curious why that is by the way, it's because that's actually how these are implemented (tmpfs/ramfs is just a mount to a filesystem where…
> ...Ghidra Ah, MS07-052[1] ("code execution leads to code execution") strikes again. These sorts of "if you allow arbitrary code to be executed, code will be executed" "vulnerability" reports seem evergreen [1]:…
> a version of SQLite that has a severe vulnerability Calling CVE-2025-70873 a severe vulnerability is a bit overplaying it imo. The vulnerability requires that you allow an attacker to import an arbitrary ZIP file I…
It simply doesn't mitigate CSRF by itself
In the Discord case they can just call the `getToken()` function. It's not on `window`, but it's trivial to find. The mitigation is rough on systems where SIGKILL happens early and often. Presumably this is why Discord…
Gonna play devil's advocate here I think to some extent CORS and SOP are a bit equivocated somewhat intentionally... i.e. CORS is a used as a shorthand for SOP because CORS is a more well known term, especially in its…
With an variable length array of structs, you can set all the fields all to 0 at the cost of an extra member at the end. In the cases where this is, the structures are such that (either intentionally or by consequence)…
Reminds me of an article[1] that described how he cut GTA Online loading times by 70% because strlen was getting called for effectively every character in a string [1]:…
> True. However it's not impossible to mitigate that: https://news.ycombinator.com/item?id=48563286 It's not a perfect mitigation for session stealing, isn't available in all cases, requires custom code to implement,…
The problem here is that null kinda is consequential of intentional design of the type system itself. In this way, I do think that null was discovered, rather than invented. Remember, C is a kinda "portable assembler"…
If you exclude all of the flaws of one implementation and include all of the flaws of another, then of course you can say one is better than the other. But that's not a fair comparison of implementations CSRF has…
The only difference between the cookie scenario and localstorage scenario here is that you're reading "storage/default/<domain>/ls/data.sqlite" It's even conveniently grouped by domain There's no magic hardening going…
> First time I'm hearing that frameworks require disabling HttpOnly. They effectively do in the case where you're using local storage because they need to grab the session token from somewhere. The thing about HttpOnly…
For those curious, here are the relevant specified fields along with the relevant standards (both IETF, OIDC, etc) JWT: https://www.iana.org/assignments/jwt/jwt.xhtml JOSE: https://www.iana.org/assignments/jwt/jwt.xhtml
> - HttpOnly fights XSS which is impossible to execute with modern frontend frameworks. Eh. Frontend frameworks tend to make successful XSS much worse because they tend to require disabling HttpOnly for not very good…
If the attacker can already execute code as you unrestricted, then you've kinda already lost. Local storage isn't any better in this regard
JOSE can still have problems if it's secure when implemented properly. A lot of API surfaces for them can kinda suck. If secure when held right was equivalent to good, then that would apply also to stuff like X.509…
A lot of times local storage is much less secure than using cookies. Cookies have about 20 years of infra built around it (HttpOnly, SameSite, Secure, etc). There's some weird parts about cookies, but local storage…
For those curious what CL is (I had to look it up myself): it means change list[1]. Guessed from context that it was like "diff in PR/MR" or something but hadn't seen this acronym before [1]:…
Apparently people did this with the DirectX "3D Tunnel" demo as well[1] back over 20 years ago. Also there was one "that checked if you were printing a specific string used by a popular benchmark program. If so, then it…
Worth noting that in the US mains is split phase so we get in 240 V with 2 supply lines (large appliances can use 240 V) that give us 2 120 V lines
"That's the best password ever!"
Good security policies should have an upper bound on password length, but also those upper bounds should maybe be like 100 characters or so. There's a couple reasons for this. First being is that hashing does take some…
Ostensibly you could subtract "Shmem"[1] in /proc/meminfo from the cached value... maybe? Do agree it's not the best UX and utilities should probably do a better job at showing that [1]:…
This is only really a problem if you accept overcommit as a force of nature that can't be changed or tweaked (you can still do address space reservation without needing overcommit) If you don't, it becomes rather easy…
> The “cached” memory includes tmpfs and ramfs for seemingly no reason. If you're curious why that is by the way, it's because that's actually how these are implemented (tmpfs/ramfs is just a mount to a filesystem where…
> ...Ghidra Ah, MS07-052[1] ("code execution leads to code execution") strikes again. These sorts of "if you allow arbitrary code to be executed, code will be executed" "vulnerability" reports seem evergreen [1]:…
> a version of SQLite that has a severe vulnerability Calling CVE-2025-70873 a severe vulnerability is a bit overplaying it imo. The vulnerability requires that you allow an attacker to import an arbitrary ZIP file I…
It simply doesn't mitigate CSRF by itself
In the Discord case they can just call the `getToken()` function. It's not on `window`, but it's trivial to find. The mitigation is rough on systems where SIGKILL happens early and often. Presumably this is why Discord…
Gonna play devil's advocate here I think to some extent CORS and SOP are a bit equivocated somewhat intentionally... i.e. CORS is a used as a shorthand for SOP because CORS is a more well known term, especially in its…
With an variable length array of structs, you can set all the fields all to 0 at the cost of an extra member at the end. In the cases where this is, the structures are such that (either intentionally or by consequence)…
Reminds me of an article[1] that described how he cut GTA Online loading times by 70% because strlen was getting called for effectively every character in a string [1]:…
> True. However it's not impossible to mitigate that: https://news.ycombinator.com/item?id=48563286 It's not a perfect mitigation for session stealing, isn't available in all cases, requires custom code to implement,…
The problem here is that null kinda is consequential of intentional design of the type system itself. In this way, I do think that null was discovered, rather than invented. Remember, C is a kinda "portable assembler"…
If you exclude all of the flaws of one implementation and include all of the flaws of another, then of course you can say one is better than the other. But that's not a fair comparison of implementations CSRF has…
The only difference between the cookie scenario and localstorage scenario here is that you're reading "storage/default/<domain>/ls/data.sqlite" It's even conveniently grouped by domain There's no magic hardening going…
> First time I'm hearing that frameworks require disabling HttpOnly. They effectively do in the case where you're using local storage because they need to grab the session token from somewhere. The thing about HttpOnly…
For those curious, here are the relevant specified fields along with the relevant standards (both IETF, OIDC, etc) JWT: https://www.iana.org/assignments/jwt/jwt.xhtml JOSE: https://www.iana.org/assignments/jwt/jwt.xhtml
> - HttpOnly fights XSS which is impossible to execute with modern frontend frameworks. Eh. Frontend frameworks tend to make successful XSS much worse because they tend to require disabling HttpOnly for not very good…
If the attacker can already execute code as you unrestricted, then you've kinda already lost. Local storage isn't any better in this regard
JOSE can still have problems if it's secure when implemented properly. A lot of API surfaces for them can kinda suck. If secure when held right was equivalent to good, then that would apply also to stuff like X.509…
A lot of times local storage is much less secure than using cookies. Cookies have about 20 years of infra built around it (HttpOnly, SameSite, Secure, etc). There's some weird parts about cookies, but local storage…
For those curious what CL is (I had to look it up myself): it means change list[1]. Guessed from context that it was like "diff in PR/MR" or something but hadn't seen this acronym before [1]:…
Apparently people did this with the DirectX "3D Tunnel" demo as well[1] back over 20 years ago. Also there was one "that checked if you were printing a specific string used by a popular benchmark program. If so, then it…
Worth noting that in the US mains is split phase so we get in 240 V with 2 supply lines (large appliances can use 240 V) that give us 2 120 V lines