You are here: » Archives for February 2016

February 2016

Cracking PHP rand()

Sjoerd Langkemper writes about Cracking PHP rand(): Webapps occasionaly need to create tokens that are hard to guess. For example for session tokens or CSRF tokens, or in forgot password functionality where you get a token mailed to reset your password. These tokens should be cryptographically secure, but are often made by calling rand() multiple times and transforming the output to a string. This post will explore how hard it is to predict a token made with rand().

This is a very interesting read about how PHP rand() works, and how to attack & crack it. The post ends with the following conclusion:

Read More »Cracking PHP rand()