Several XSS security notes

Security drawbacks and proposals

Trustmaster
#1801 2008-12-19 21:57
Double MD5 is crap, I can brute force it just the same way as single MD5. And MD5+SHA and with salt whatsoever. It all results in O(2N) complexity, which is almost the same as O(N). What would really matter is O(N^2), but that will be damn slow and will freeze your site as well as the attacker.

And we must not remove sed_check_xp() if you don't want plenty of spam on your sites. Just see the link above on what CSRF is. I was very surprised that Olivier actually implemented anti-CSRF with what he called anti-XSS.
May the Source be with you!
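The brute-force cost argument from the post above, as an added example that is not part of the original thread and not Cotonti's code. It counts primitive hash invocations while running the same dictionary attack against single MD5, MD5(MD5), a salted MD5+SHA1 combination and an iterated MD5. The wordlist, salt and target password are constructed for the demonstration; the scheme names and the `HashCounter` helper are assumptions of this example. Attacking every variant costs a constant multiple of the single-MD5 cost (2N for two hash calls per guess, kN for k rounds), which is the O(2N) point the post makes.

```python
import hashlib

# Constructed attacker dictionary; the last entry is the target so every
# candidate gets tried and the call counts are easy to predict.
WORDLIST = ["password", "letmein", "qwerty", "cotonti", "hunter2", "dragon"]


class HashCounter:
    """Wraps the hash primitives and counts how often they are invoked,
    so the work of cracking each scheme can be compared directly."""

    def __init__(self):
        self.calls = 0

    def md5(self, data: bytes) -> bytes:
        self.calls += 1
        return hashlib.md5(data).hexdigest().encode()

    def sha1(self, data: bytes) -> bytes:
        self.calls += 1
        return hashlib.sha1(data).hexdigest().encode()


# Each scheme maps (counter, password, salt) -> stored hash value.
def single_md5(c, pw, salt):
    return c.md5(pw)


def double_md5(c, pw, salt):
    return c.md5(c.md5(pw))


def salted_md5_sha1(c, pw, salt):
    # sha1(salt . md5(pw)): two primitive calls per guess, same as double MD5
    return c.sha1(salt + c.md5(pw))


def iterated_md5(rounds):
    # k rounds of MD5: k calls per guess, still a constant factor over N
    def scheme(c, pw, salt):
        h = salt + pw
        for _ in range(rounds):
            h = c.md5(h)
        return h
    return scheme


def brute_force(scheme, stored, salt, wordlist):
    """Try every candidate in order; return (password or None, hash calls used)."""
    c = HashCounter()
    for cand in wordlist:
        if scheme(c, cand.encode(), salt) == stored:
            return cand, c.calls
    return None, c.calls


def cost_table(wordlist, target="dragon"):
    """Crack the same password stored under each scheme and report the cost.
    The salt is known to the attacker, as it would be after a database leak."""
    salt = b"constructed-salt"
    schemes = [
        ("md5", single_md5),
        ("md5(md5)", double_md5),
        ("sha1(salt.md5)", salted_md5_sha1),
        ("md5x1000", iterated_md5(1000)),
    ]
    results = {}
    for name, scheme in schemes:
        stored = scheme(HashCounter(), target.encode(), salt)
        results[name] = brute_force(scheme, stored, salt, wordlist)
    return results


if __name__ == "__main__":
    n = len(WORDLIST)
    for name, (found, calls) in cost_table(WORDLIST).items():
        print(f"{name:16s} found={found!r:10s} hash calls={calls:5d} = {calls // n} x N")
```

Every row of the table comes out as a fixed multiple of N (1, 2, 2 and 1000 here): the attacker's per-guess work grows by the same constant the site pays on every login, which is why the post treats all of these as O(N).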
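The anti-CSRF check the post defends, as an added example that is not part of the original thread and not Cotonti's `sed_check_xp()` implementation. The function `check_xp()`, the `Session` class, the `x` parameter name and the comment handler are all hypothetical stand-ins written for this illustration. It shows why the check stops spam: a cross-site auto-submitted form arrives with the victim's session cookie, but it cannot carry the per-session token that only this site's own pages embed, so the forged and guessed requests are rejected while the legitimate one passes.

```python
import hmac
import secrets


class Session:
    """Minimal server-side session holding one random anti-CSRF token."""

    def __init__(self):
        self.data = {}

    def csrf_token(self) -> str:
        # Generated once per session; an attacker's site never sees it.
        if "x" not in self.data:
            self.data["x"] = secrets.token_hex(16)
        return self.data["x"]


def check_xp(session: Session, request: dict) -> bool:
    """Hypothetical anti-CSRF check (not Cotonti's sed_check_xp()):
    the request must carry the token bound to this session."""
    supplied = request.get("params", {}).get("x")
    if not isinstance(supplied, str):
        return False
    # Constant-time comparison so a wrong guess leaks no timing information.
    return hmac.compare_digest(supplied, session.csrf_token())


def render_comment_form(session: Session) -> dict:
    """The site's own page embeds the token as a hidden form field."""
    return {"action": "/comment", "hidden": {"x": session.csrf_token()}}


def handle_post_comment(session: Session, request: dict):
    """State-changing endpoint: refuse anything without a valid token."""
    if not check_xp(session, request):
        return (403, "anti-CSRF check failed")
    return (200, "comment stored: " + request["params"].get("text", ""))


def simulate():
    """Constructed scenario: one legitimate submission and two forgeries.
    Returns the three HTTP status codes."""
    victim = Session()
    form = render_comment_form(victim)

    # 1. Submitted from the site's own form: token present.
    legit = {"params": {"x": form["hidden"]["x"], "text": "hello"}}
    # 2. Auto-submitted from an attacker's page: the browser attaches the
    #    victim's cookie (so the session is valid) but no token is known.
    forged = {"params": {"text": "buy pills"}}
    # 3. Attacker guesses a random token of the right shape.
    guessed = {"params": {"x": secrets.token_hex(16), "text": "buy pills"}}

    return (
        handle_post_comment(victim, legit)[0],
        handle_post_comment(victim, forged)[0],
        handle_post_comment(victim, guessed)[0],
    )


if __name__ == "__main__":
    print(simulate())
```

The token has to be unpredictable and tied to the session; a check that merely requires the parameter to be present, or that compares it against a site-wide constant, would be trivial for a spam bot to satisfy.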