Comments on: Essential PHP Security and MD5 Reversing

By: Trond

Trond — Mon, 28 Nov 2005 15:45:21 +0000

Cool…interesting site (md5.rednoize.com).

Speaking of web / application security, there are lots of books coving the topic. Although I haven’t read Essential PHP Security, and am sure it’s good for those of us programming in PHP (and other languages), I’d recommend these security-oriented (more “general purpose” or “programming-language-independent”, perhaps?) books:

Building Secure Software (http://www.amazon.com/gp/product/020172152X)

Innocent Code: A Security Wake-up Call for Web Programmers (http://www.amazon.com/gp/product/0470857447)

By: Ben Ramsey

Ben Ramsey — Sat, 29 Oct 2005 02:12:27 +0000

That’s odd. I see what you’re talking about; however, it only appears to occur if the input field still has the focus when you click on the button. Otherwise, it works just fine. The onblur event on the field works, and the onclick event on the button works (so long as the field doesn’t have the focus). I’ll have to see what I can figure out.

As for the code, you’re looking at the wrong source code. A browser’s XMLHttpRequest object won’t fetch a file from a domain other than that of the parent resource. This is for obvious security reasons. Thus, I’m requesting the md5.php script on my own site, which, in turn, makes a request to your XML interface.

The source code I’m referring to is available here:
http://benramsey.com/code/source.php?file=md5/md5.php

By: puRe

puRe — Fri, 28 Oct 2005 23:53:40 +0000

Okay, here’s the procedure:
1. Open http://benramsey.com/code/md5/ in firefox 1.07
2. Enter “555” into the Hash to reverse input field.
3. Press the button “Reverse Hash”
4. Result: A javascript error: response has no properties
Sourcefile: http://benramsey.com/code/md5/
Line: 41

The two lines are:
“var response = request.responseXML;
var root = response.documentElement;”

But dont ask me whats wrong

And no, you dont use the XML interface of http://md5.rednoize.com. At least what i see in the code:
request.open(‘get’, ‘md5.php?q=’ + escape(md5));

to use the xml interface use
request.open(‘get’, ‘md5.php?xml&q=’ + escape(md5));
and change the way the response is parsed. This would make your whole thing faster.

Anyway, thanks for your intrest in my site. i am quite happy that it gets so much attention (what i never expected)

By: Ben Ramsey

Ben Ramsey — Fri, 28 Oct 2005 13:21:20 +0000

I am using the XML interface, actually. You can take a look at my code to see what I’m doing; the source is right there.

As for point #2, I’ve fixed this. I was using ctype_alnum() to filter responses, and this clearly doesn’t work when it comes to spaces, etc.

And I’m not sure what you mean by “buggy on firefox” and “response has no properties.” All I ever use is Firefox, and I’m not seeing the problems you speak of.

By: puRe

puRe — Fri, 28 Oct 2005 11:17:51 +0000

Oh …
and you should realy use the XML interface (http://md5.rednoize.com/?xml&q=6254b8c64145b9493d470cd08ddbceaa)
or the plain text interface (http://md5.rednoize.com/?p&q=6254b8c64145b9493d470cd08ddbceaa)

By: puRe

puRe — Fri, 28 Oct 2005 10:21:20 +0000

Did Chris Shiflett really mention my site in his book ?
If so, amazing .. have to buy this one

I am realy not impressed of your AJAX Md5 thing.
1. – its buggy on firefox (response has no properties – http://benramsey.com/code/md5/ : 41)
2. – its not working very well at all.
i entered “6254b8c64145b9493d470cd08ddbceaa”, it has not found the value although its in my database (http://md5.rednoize.com/?q=902c964b0e03c9fd2112655fa647640b).

Greets
Marcel Oelke
http://puRe.rednoize.com/

By: Chris Shiflett

Chris Shiflett — Fri, 28 Oct 2005 06:37:53 +0000

Glad to hear you liked the book!

By: Christian

Christian — Thu, 27 Oct 2005 18:03:35 +0000

glad to see that you are back on writing about PHP security …