Category: Security

Deep State vs Client State: Who’s Really in Control

Who’s running your app — your server, your client, or a silent third party you forgot you even wired in? As I’ve been revamping the API layer for ManageMemberships, I’ve started seeing how layered and political “state” really is. You’ve got tokens, hashes, cookies, headers, and sometimes ghosts from past refactors — all arguing over who gets to say what’s true. This post breaks down some of...

Weekend Destroyed with PHP Streams

I was going to give this a different name but that would violate the terms of service of the inspiration of this post. IYKYK. This weekend I was taken deep into the darkness that is serialization attacks, gadgets, and RCE via iconv. This was part of a puzzle of sorts. It boiled down to a challenge to try to exploit the following: <?php $data = file_get_contents($_POST['file']); if (...
