TIL – WebAuthn

WebAuthn is considered more secure than traditional two-factor authentication (2FA) methods like Google Authenticator or Duo because it is linked directly to a specific device, offering a stronger guarantee against phishing attacks. However, this device dependency also makes it less portable, as users may find it challenging to authenticate from different devices or in scenarios where their primary device is unavailable.

Some good references:

TIL – Timing Attack

Question: Why should we use hash_equals in PHP rather than just the simple string comparison?

Answer: This is not something PHP-specific; the same issue exists in every programming language. With a typical string comparison, a false result is returned as soon as the first non-matching character is found, so the time taken depends on how many leading characters of the guess were correct. By measuring response times over a fast network (such as a local LAN) for strings of different lengths and content, an attacker can recover the correct secret string one character at a time. hash_equals compares the whole string regardless of where the first difference is, so the response time carries no information about the secret.
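The point above is easier to see with the amount of work each comparison does made explicit. The following is an added example, not code from the original post, written in Python because the behaviour is the same in every language (Python's hmac.compare_digest plays the role of PHP's hash_equals). naive_equals, constant_time_equals and verify_token are illustrative names; each comparison returns how many characters it examined, which is a constructed proxy for the time an attacker would measure.

```python
import hmac


def naive_equals(a: str, b: str) -> tuple[bool, int]:
    """Early-exit comparison, the way a plain string == / === typically
    behaves. Returns (result, characters examined) so the leak is visible:
    the count grows with every leading character the guess got right."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equals(a: str, b: str) -> tuple[bool, int]:
    """Accumulates a mismatch flag over every character instead of
    returning early, so the work done does not depend on where the
    first difference is. Like hash_equals, it still returns early on a
    length mismatch, so the secret's length is the only thing it reveals."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= ord(x) ^ ord(y)  # non-zero once any byte differs, never branches
    return diff == 0, examined


def verify_token(provided: str, expected: str) -> bool:
    """What production code should use: the standard library's constant-time
    comparison (the Python counterpart of PHP's hash_equals)."""
    return hmac.compare_digest(provided.encode(), expected.encode())


def work_profile(secret: str, guesses: list[str]) -> dict[str, list[int]]:
    """Side-by-side 'timing' profile of both comparisons over a set of guesses.
    For the naive version the counts climb as the guess prefix improves; for
    the constant-time version every wrong guess of the right length costs
    the same."""
    return {
        "naive": [naive_equals(g, secret)[1] for g in guesses],
        "constant_time": [constant_time_equals(g, secret)[1] for g in guesses],
    }


if __name__ == "__main__":
    # Constructed sample: a fixed secret and guesses with progressively
    # longer correct prefixes.
    secret = "s3cr3t"
    guesses = ["xxxxxx", "sxxxxx", "s3xxxx", "s3cxxx", "s3cr3t"]
    for name, counts in work_profile(secret, guesses).items():
        print(f"{name:14s} {counts}")
    # naive          [1, 2, 3, 4, 6]
    # constant_time  [6, 6, 6, 6, 6]
    print("verify_token:", verify_token("s3cr3t", secret))
```

The naive profile is exactly the signal a timing attack exploits: each extra unit of work corresponds to one more correct leading character. The constant-time profile is flat, which is why a check like verify_token should be used for any comparison against a secret (tokens, HMACs, password hashes), not only where PHP happens to offer hash_equals.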

References:

WhiteHat Security Trainings

Due to a requirement in my department (VIP/Automattic), I’ve had a chance to work through a few security training courses on whitehatsec.com. This post is a concise summary of what I got out of them.

These are the courses I’ve finished:

  • OWASP Top Ten for Developers
  • Building Secure JavaScript Applications
  • Defensive Enterprise Remediation Series
  • Integrating Security Throughout the SDLC
  • Threat Modeling

The first three courses are more practical for developers, with exploitation examples and solutions. The last two are more about procedure, strategy, and planning.
