Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Bouncy Castle Crypto is a popular and common cryptography library implemented in Java. This is used at the enterprise level quite a bit.

The bcrypt (password hashing function) had a flaw introduced into it for two versions before anybody noticed. This flaw (in Java) used the indexOf instead of the charAt function on a string. The indexOf function finds the first occurrence of a character in a string. Clearly, the code newPasswordHash.indexOf(i) == currentPasswordHash.indexOf(i) has an issue.

This bypass is not trivial to implement and does require a bunch of brute forcing. From testing, it appears that 20% of passwords were bypassed within 1000 attempts (which is not viable on a site). Regardless, this COULD be used for a bypass on some passwords.

Even in memory safe languages, vulnerabilities still exist! :)