2017 OWASP Top 10 for PHP Developers Part 3: Sensitive Data Exposure

There is a lot of exposed data floating around on the web. People hear about such events all the time; data breaches seem to be becoming more and more common. With breaches this prevalent, one would expect people to protect their data better. However, many developers underestimate the importance of protecting private data, so this isn’t always the case: when developers fail to protect data adequately, sensitive data exposure occurs. Sensitive data exposure is currently…

2017 OWASP Top 10 for PHP Developers Part 2: Broken Authentication and Session Management

While browsing the web, you click on a link. The link leads you to a page that looks like an ordinary login page, right? Let’s try logging in. You go off to Discord, your friend asks for the URL of the login page, and you give him this: http://localhost/2017-owasp-top-10/2/member.php?sessionid=3g7qpol6t8an9f81rk9m8imrj2 Your friend clicks on the URL and… wait, he’s logged in? He did not authenticate, so how is this possible? To understand why this happened, we need to jump…
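The behaviour in the scenario above (a session id carried in the URL logs in whoever opens the link) comes from the page trusting a client-supplied session id. The following is an added example, not code from the original post: it shows that pattern next to a hardened member.php that only accepts session ids from a cookie it issued itself and regenerates the id on login. The user store and the password are constructed for the example; the hash is computed at runtime with password_hash().

```php
<?php
// Added example, not code from the original post.
// Vulnerable pattern (client chooses the session id) next to a hardened flow.
// The user store below is constructed for the example.
declare(strict_types=1);

// --- Vulnerable: the page trusts a session id supplied by the client -------
// With this, member.php?sessionid=3g7q... attaches the visitor to whatever
// session that id names, so sharing the link shares the login.
function vulnerable_session_start(): void
{
    if (isset($_GET['sessionid'])) {
        session_id($_GET['sessionid']); // client picks the id: session fixation
    }
    session_start();
}

// --- Hardened: ids come only from the cookie, and only if we issued them ---
function secure_session_start(): void
{
    ini_set('session.use_only_cookies', '1'); // ignore ids in GET/POST
    ini_set('session.use_trans_sid', '0');    // never append ids to URLs
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // cookie only travels over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function users(): array
{
    // Constructed store: one account, hash computed when the script runs.
    static $store = null;
    if ($store === null) {
        $store = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $store;
}

function login(string $username, string $password): bool
{
    $store = users();
    if (!isset($store[$username]) || !password_verify($password, $store[$username])) {
        return false;
    }
    // The key step: issue a fresh id on privilege change. Any id the visitor
    // arrived with (fixated, shared or leaked) stops meaning anything.
    session_regenerate_id(true);
    $_SESSION['user']   = $username;
    $_SESSION['issued'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}

function current_user(): ?string
{
    return $_SESSION['user'] ?? null;
}

// member.php request handling
secure_session_start();

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (login((string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''))) {
        header('Location: /2017-owasp-top-10/2/member.php', true, 303);
        exit;
    }
    http_response_code(401);
    echo 'Invalid credentials';
    exit;
}

if (current_user() === null) {
    http_response_code(401);
    echo 'Please log in';
    exit;
}
echo 'Welcome, ' . htmlspecialchars(current_user(), ENT_QUOTES, 'UTF-8');
```

With the hardened version, the shared URL no longer carries anything useful: the query parameter is ignored, an id the server never issued is rejected by strict mode, and a successful login replaces whatever id the browser had before, so even an id planted by an attacker beforehand does not become an authenticated session.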

Other uses of .htaccess: Making a .htaccess-based WAF

If you’re a web developer, you’re probably familiar with .htaccess. If you’re not, here is a quick introduction: .htaccess is part of Apache. A .htaccess file provides a way to make configuration changes on a per-directory basis without editing Apache’s main configuration files. It is useful for many purposes: URL rewriting, IP address blocking, restricting access to certain directories, and so on. What I’m going to focus on today is probably a bit…
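The three uses just listed, plus one request-filtering rule of the kind a .htaccess-based WAF is built from, in a single file. This is an added example, not the post’s own .htaccess; it assumes Apache 2.4 with mod_rewrite, mod_authz_core and mod_headers loaded, and an AllowOverride setting that permits these directives (without that, Apache silently ignores the file or returns a 500). The IP range is a documentation placeholder.

```apacheconf
# Added example, not the original post's .htaccess.
# Assumes Apache 2.4, mod_rewrite + mod_authz_core + mod_headers, and
# AllowOverride permitting FileInfo/AuthConfig/Limit in this directory.

# 1. URL rewriting: send every plain-HTTP request to its HTTPS equivalent.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 2. IP address blocking: everyone is allowed except one range (placeholder).
<RequireAll>
    Require all granted
    Require not ip 203.0.113.0/24
</RequireAll>

# 3. Restricting access: never serve backups, dumps, logs or config files,
#    whatever else ends up in the web root.
<FilesMatch "\.(bak|sql|log|ini|env)$">
    Require all denied
</FilesMatch>

# 4. A WAF-style rule: refuse requests whose query string carries obvious
#    SQL injection or script injection payloads. Pattern matching like this is
#    easy to bypass with encoding, so treat it as a speed bump, not a defence.
RewriteCond %{QUERY_STRING} (union[^a-z]+select|<script|%3Cscript) [NC]
RewriteRule ^ - [F,L]

# 5. A few response headers that cost nothing.
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
```

Rule 4 is the kind of thing a .htaccess WAF does, and its weakness is visible in the pattern itself: it only catches what it was told to look for. It is a reasonable first layer in front of an application, not a substitute for parameterised queries and output encoding in the application.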

An old Ticket System Security Analysis

Since I started building websites a few years ago, I’ve created a number of projects. Some of them never saw daylight, some were deleted upon creation, and some still reside in my project archive. When I was trawling through the archive a few days ago, I came across one of them: a ticket system I first made back in April 2016. The whole project was dubbed a “Secure Ticket System”, so it instantly caught my attention…

BreachDirectory has passed the 5 Billion record mark – here’s what it means

When I first began creating BreachDirectory, I thought I’d see at most a hundred million records. Okay, maybe half a billion. But this is something else altogether: today, BreachDirectory has passed the 5 billion record mark. I’m not sure whether this is a celebratory occasion, though, because five billion (billion!) records of people’s data being compromised in one way or another is never a good thing. But hey, that is the reality of the web today. Data breaches are…

Your passwords are terrible, and it’s time to do something about it

You know what surprises me most about data breaches? The fact that people still use passwords like “password” or “123456” to protect their accounts. Think I’m kidding? I’m really not; take a look. Using passwords like these is a big issue because it leads to really, really bad things.

Identity theft

One day you log into your bank account to do some shopping, and the next thing you see is that you’ve got no money. You’ve…

A journey back in time: The analysis of the first version of my WAF

As you might already know, back in 2014 I developed a custom Web Application Firewall. You’ll see one adorning BreachDirectory and, indeed, on this blog too. The primary reason I started making it is that I wanted a single file I could incorporate into a website to improve its security. Back then, the firewall was pretty simple: it only blocked basic attack vectors, but hey, it did work as it was supposed to, so…

10 ways to increase the security of your WordPress application

When someone mentions WordPress, you will often hear people say “don’t use it, it’s insecure”. In a sense, those people are right: there is no such thing as a “silver bullet” in security. There are a few ways developers can fend off attacks against WordPress, though, so let’s dive into them.

1. Fundamentals

The very first thing you should do is use HTTPS instead of HTTP. Now, I get that a blog isn’t a bank and your readers could…

How I could have pwned my highschool (SQLi, CSRF, Hardcoded Passwords & XSS) Part 2: Investigating the Breach

Honestly, this is a blog title I never expected to write, but hey, data breaches happen; no website is exempt from that. I will begin with a little backstory: I found flaws in a website belonging to a high school in late 2015, but I was only able to bring them to the school’s attention two years later. After I was reliably informed that the flaws I found had been patched, I wrote about…

Your website needs a CSP. Here’s why

Here’s a scenario. You create a website and make it available online. Your website ends up getting hacked (it happens frequently, by the way). The nefarious party is able to inject some malicious JavaScript into one of your pages. A legitimate user visits your website and, as a result of the attacker’s work, is redirected to a phishing page. The user attempts to log into that page thinking it’s your website and ends up getting all of…
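What stops the injected script in that scenario is a policy that names which scripts may run. The following is an added example, not code from the original post: a PHP page that sends a nonce-based Content-Security-Policy header, tags its own script with the nonce, and includes an injected-looking script without one so you can watch the browser refuse it. The reporting endpoint /csp-report.php is an assumed name; nothing on this page defines it.

```php
<?php
// Added example, not code from the original post.
// Per-response nonce policy: scripts we emit carry the nonce, an injected
// <script> cannot know it and is refused by the browser.
// /csp-report.php is an assumed endpoint name.
declare(strict_types=1);

function csp_nonce(): string
{
    static $nonce = null;
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(16)); // unpredictable, fresh per response
    }
    return $nonce;
}

function csp_policy(string $nonce): string
{
    $directives = [
        "default-src 'self'",
        "script-src 'nonce-{$nonce}'",   // only scripts carrying this nonce run
        "style-src 'self'",
        "img-src 'self' data:",
        "object-src 'none'",              // no plugins
        "base-uri 'self'",                // no <base> hijacking of relative URLs
        "form-action 'self'",             // forms may only submit to this origin
        "frame-ancestors 'none'",         // page cannot be framed
        "report-uri /csp-report.php",     // assumed reporting endpoint
    ];
    return implode('; ', $directives);
}

// Roll out as Report-Only first, read the reports, then enforce.
function send_csp(bool $enforce = true): string
{
    $nonce = csp_nonce();
    $name  = $enforce ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only';
    header($name . ': ' . csp_policy($nonce));
    return $nonce;
}

$nonce = send_csp(true);
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>CSP demo</title></head>
<body>
<!-- Allowed: our own script, tagged with the nonce the header announced. -->
<script nonce="<?= htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') ?>">
  console.log('legitimate script ran');
</script>
<!-- What the injection from the scenario looks like: no nonce, so the browser
     refuses to run it and posts a violation report instead of redirecting. -->
<script>window.location = 'http://phishing.example/login';</script>
</body>
</html>
```

Two caveats a practitioner will hit immediately: the policy also blocks inline event handlers (onclick="…") and inline style attributes, so those have to move into nonced or external files, and the nonce must be regenerated for every response, never cached, or it stops being a secret. The report endpoint receives a JSON document on php://input; logging it is enough to find what the policy is breaking before switching from Report-Only to enforcing.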
