Updates!

I just wanted to share some updates here on my website! :)

New real security challenges

I've started a new CTF-style project based on real security challenges found in the wild. Check out Real Sec CTF! If you have any examples of problematic security solutions you've found in the wild, I'd be happy to add them!

Reversing PHP Malware

I've also started a section on reversing PHP malware, where I take a closer look at PHP malware samples, try to figure out what they do, and check whether they can be exploited! If you have any interesting malware you want analyzed, I'd be happy to check it out!

Security

CSP

I've been working hard on improving the security here. Mostly trying to make everything work with quite a strict Content Security Policy. I think the current one is quite good!

security.txt

I'm also happy to announce that I've added a security.txt file! If you find any security problems here, I'd be happy to hear about them and put you on the Hall of Fame.

You can read more about the proposed security.txt standard here: https://securitytxt.org/.

TLS 1.3 ONLY

This is probably not something I'd recommend due to compatibility, but beneri.se is now only served over TLS 1.3 for maximum security! I use the modern setting on the Mozilla SSL Configuration Generator (awesome tool!).

Tor

I'm a big fan of the Tor Project, and as such I thought it would be cool to set up my own hidden service! You can now find this website on the Tor network! http://beneri62jxxpjfaohxiftlxkqjvvbmsbhuxxe4jhoyxna3emfukcdyid.onion/
Of course it's not that hidden, since it's on the same server and has my name everywhere, but still, pretty neat in my opinion.

Hash Game

No updates here from my side, but I wanted to highlight that a 5-year-old, highly contested record has been broken, twice! On 2020-08-31 itiv422 managed to beat Jiyong Youn (HLETRD)'s old MD5-MIN record from 2016! This record was surpassed again by 0x69BE027C97 last month (2021-01-18)!

I'm trying to find a universal hash "score" that would allow comparisons between different modes, e.g. is MD5-MIN with 10 leading zeros more difficult than an MD5-POPCOUNT-MIN of 20? I think something like 1 - #better_hashes / #total_hashes would be fair. Any ideas here would be greatly appreciated!
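As an added illustration of the proposed score (this is example code written for this page, not part of the Hash Game itself), the block below computes 1 - #better_hashes / #total_hashes exactly for the two modes named above, treating the digest as a uniformly random 128-bit value. Assumptions: "10 leading zeros" in MD5-MIN counts hex digits (4 bits each), and a hash that ties the record is counted as "better or equal" so the record itself is included in the numerator. Because the score sits within a rounding error of 1 for any serious record, the block also reports -log2 of the same fraction, which is the same information expressed as bits of expected work.

```python
from fractions import Fraction
from math import comb, log2

HASH_BITS = 128  # MD5 digest length in bits


def fraction_leading_zero_bits(zero_bits: int, hash_bits: int = HASH_BITS) -> Fraction:
    """Fraction of all hash_bits-bit digests whose top zero_bits bits are zero.

    MD5-MIN: a record with z leading zero hex digits corresponds to 4*z zero bits
    (assumption: the game counts hex digits; pass bits directly if it counts bits).
    """
    if not 0 <= zero_bits <= hash_bits:
        raise ValueError("zero_bits out of range")
    return Fraction(1, 2 ** zero_bits)


def fraction_popcount_at_most(max_popcount: int, hash_bits: int = HASH_BITS) -> Fraction:
    """Fraction of digests with at most max_popcount set bits (MD5-POPCOUNT-MIN).

    Counts every digest that ties or beats the record, summing binomial
    coefficients exactly so nothing is lost to floating point.
    """
    if not 0 <= max_popcount <= hash_bits:
        raise ValueError("max_popcount out of range")
    at_least_as_good = sum(comb(hash_bits, k) for k in range(max_popcount + 1))
    return Fraction(at_least_as_good, 2 ** hash_bits)


def score(frac_at_least_as_good: Fraction) -> Fraction:
    """The score proposed in the post: 1 - #better_hashes / #total_hashes."""
    return 1 - frac_at_least_as_good


def difficulty_bits(frac_at_least_as_good: Fraction) -> float:
    """-log2 of the same fraction: expected work in bits.

    Computed from numerator and denominator separately so that very rare
    records (fractions far below float range) still give a sensible number.
    """
    f = frac_at_least_as_good
    return log2(f.denominator) - log2(f.numerator)


def compare_modes(zero_hex_digits: int, max_popcount: int) -> str:
    """Name the harder of MD5-MIN (hex zeros) and MD5-POPCOUNT-MIN (set bits)."""
    bits_min = difficulty_bits(fraction_leading_zero_bits(4 * zero_hex_digits))
    bits_pop = difficulty_bits(fraction_popcount_at_most(max_popcount))
    return "MD5-MIN" if bits_min > bits_pop else "MD5-POPCOUNT-MIN"


if __name__ == "__main__":
    # The exact question from the post: 10 leading hex zeros vs popcount 20.
    for label, frac in (
        ("MD5-MIN, 10 leading hex zeros", fraction_leading_zero_bits(40)),
        ("MD5-POPCOUNT-MIN, 20 set bits", fraction_popcount_at_most(20)),
    ):
        print(f"{label}: score={float(score(frac)):.18f} bits={difficulty_bits(frac):.2f}")
    print("harder:", compare_modes(10, 20))
```

The score is fair in the sense the post intends (it is monotone in the probability that a random hash beats the record), but two records that differ by many orders of magnitude in work both print as 0.99999999999…, which is why the bits column is the one to compare by eye.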


Comments

Anonymous No. 151 >>152 2021-06-15 05:06:14
I don't do emails. Check your /uploads/.
And all that stupid alert crap in the comments isn't me.
Benjamin ## Admin !d2782292df32 No. 152 2021-06-16 09:33:08
>>151
Wow, thank you for reporting this!
Indeed, the file names were not escaped correctly and due to a misconfiguration, CSP was not active either, allowing for XSS.

Congratulations on being the first one making it to the hall-of-fame! :)
https://beneri.se/hall-of-fame.php

PS. Let me know if you want to add another nickname/link to the hall-of-fame.
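The thread above describes two independent failures: upload file names were written into the /uploads/ listing without HTML escaping, and the CSP that should have limited the damage was not active. The block below is an added example written for this page, not the site's own code, showing the unsafe interpolation pattern next to a hardened version and a strict nonce-based policy header. The sample file names are constructed; the policy itself is an assumed one in the spirit of the "quite strict" CSP mentioned in the post, not the one beneri.se actually serves.

```python
import html
import secrets
import urllib.parse

# Constructed sample: names as an attacker could upload them (not real files).
SAMPLE_FILES = [
    "report.pdf",
    '<img src=x onerror="alert(1)">.png',
    "notes & ideas.txt",
]


def listing_unsafe(names):
    """The failure mode from the comment: names interpolated straight into HTML.

    Kept deliberately vulnerable for comparison; a crafted name becomes markup.
    """
    items = "".join(f'<li><a href="/uploads/{n}">{n}</a></li>' for n in names)
    return f"<ul>{items}</ul>"


def listing_escaped(names):
    """Hardened listing: escape per context.

    The href is percent-encoded as a URL path segment and then attribute-escaped;
    the visible text is HTML-escaped. html.escape(quote=True) also covers ' and ".
    """
    items = []
    for n in names:
        href = "/uploads/" + urllib.parse.quote(n, safe="")
        items.append(
            f'<li><a href="{html.escape(href, quote=True)}">{html.escape(n)}</a></li>'
        )
    return "<ul>" + "".join(items) + "</ul>"


def csp_header(nonce):
    """Assumed strict policy: no inline script or event handlers unless nonced.

    Without 'unsafe-inline' in script-src, an onerror= attribute that slipped
    through would still be refused by the browser; CSP is the backstop, escaping
    is the fix.
    """
    return (
        f"default-src 'none'; script-src 'nonce-{nonce}'; style-src 'self'; "
        "img-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'"
    )


def render_page(names):
    """Return (headers, body) for the listing with a fresh per-response nonce."""
    nonce = secrets.token_urlsafe(16)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": csp_header(nonce),
    }
    body = (
        "<!doctype html><html><head>"
        f'<script nonce="{nonce}">/* page script allowed by the nonce */</script>'
        f"</head><body>{listing_escaped(names)}</body></html>"
    )
    return headers, body


if __name__ == "__main__":
    print("unsafe :", listing_unsafe(SAMPLE_FILES))
    print("escaped:", listing_escaped(SAMPLE_FILES))
    hdrs, _ = render_page(SAMPLE_FILES)
    print("CSP    :", hdrs["Content-Security-Policy"])
```

The check a practitioner would run after a fix like this is simply to upload a file whose name contains markup and confirm both that the listing shows it as text and that the response carries the Content-Security-Policy header (the comment thread shows the header is easy to lose to a misconfiguration even when the policy itself is good).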