Jamie Scaife - United Kingdom 🇬🇧 

Taking Content Security Policy to the Extreme! - Policies on a Per-page Basis

Saturday 19th January 2019

For about two years at the time of writing, my website has had a Content Security Policy in order to lock-down and restrict the locations that content such as images and stylesheets can be loaded from. I had used Apache configurations in order to set a more relaxed policy for specific pages that require it, however this solution is not ideal as it becomes challenging to manage when used with larger websites with many different pages, each requiring a different policy.

I have now developed some useful PHP code that allows me to easily set a default policy for the entire website, and then override individual parts of the policy on specific pages where it is required. I've released the code to the public domain under the Unlicense, so you are welcome to use it for your own projects! Continue reading...

Security Apache

Introduction to Reverse Engineering with radare2 Cutter - Part 3: Solving a Crackme Challenge

Saturday 5th January 2019

Last year, I asked my friend Sam to write a basic crackme challenge for me to solve and then demonstrate in this series. He kindly agreed, and put together a simple password-based crackme. It looks like the following when run:

malw@re:~$ ./crackme
Enter Password (or q to quit): helloworld
Access Denied
Enter Password (or q to quit): Pa$$w0rd
Access Denied
Enter Password (or q to quit): q

In this third and final part of the series, we will solve the crackme using Cutter and some other tools. If you'd like to have a go yourself first, it is available on GitLab here. Continue reading...

Reverse Engineering Guide

Transferring Domain Names to Cloudflare Registrar

Sunday 23rd December 2018

This week I transferred all of my domain names to the brand new Cloudflare Registrar. I took screenshots throughout the process and have documented them here for anybody else who has not yet done the transfer, and wants to know what to expect before diving in. Continue reading...

Domain Names

Using a Bloom Filter to Anonymize Web Server Logs

Monday 17th December 2018

Since May 2018 when the GDPR came into full effect, I have had web server access logging completely disabled for my site. This is great from a security, privacy and GDPR compliance point of view, however it meant that I had very limited insight into the amount of traffic my site was getting.

In order to solve this problem, I have built an open-source log anonymization tool which will remove personal data from web server access logs, and output a clean version that can be used for statistical purposes. A bloom filter is used to identify unique IP addresses, meaning that the anonymized log files can still be used for counting unique visitor IPs.

I've released the tool under the MIT license, and it's available on my GitLab profile: https://gitlab.com/jamieweb/web-server-log-anonymizer-bloom-filter Continue reading...

Security Apache