Stealing session ids from phpinfo() output has been a known technique for some time, and is used to bypass the HttpOnly attribute, which prohibits JavaScript from accessing a cookie marked as such (e.g. PHPSESSID). I just now thought of a solution that allows you to keep your phpinfo(): we'll simply censor the sensitive data, making phpinfo() lose some of its value to the attacker.
fbclid
Roughly two weeks ago, Facebook started adding a tracking parameter, fbclid (Facebook click id?), to all external links users share. And I didn't like it, so I'm hiding it.
I joined Report URI, the real-time security reporting tool, a year ago. In fact, my first code change was June 27, 2017. Since then I've added 709,402 more lines. And deleted 1,981,599 lines.
I've reported a Stored XSS vulnerability and it was triaged, fixed, tested and deployed in less than an hour. On Friday. Before Christmas.