This page is for anonymous public messages. If you'd like to e-mail me directly, see here for my contact info.
Answered messages
I might still try the “get the website to leak the secret or gain access to the server” option
• from21fe8af59374b868
Go ahead! I don't think there are any vulnerabilities that'd let you get the PHP source, but do let me know if you find one. The actually important stuff (database credentials) is stored in environment variables, so I'm not too worried about people poking around. Just, like, be a good Netizen, don't do anything harmful.
So do I earn the privilege of signing my own cookies by brute forcing the hash somehow or by hacking your website to steal the secret?
• from489ccc9ac3f9d6c8
I honestly didn't think that far - what I'll probably do is add the vulnerability in later.
this is a tumblr ask
• from191977ebd02ad296
Yeah, that's basically where I got the idea from. Except my version is better
Hey can you do me a favor and run the following code:
hash('sha224', 'Cock Enjoyer' . $sig_secret)
And then publish the output?
That way everyone can be a legitimate Cock Enjoyer
• from0aea81556791686c
Nah, it's more fun if y'all earn that privilege :-)
*steals your penis*
• fromfa332d1d1fee8801
Luckily, I was wearing a second, smaller penis underneath.
if i saved my cookie+sigcookie somewhere could i perpetually have this identity
• from639298336a02484c
Yeah. It's intended to be a short-lived identifier (that's why it resets when the browser's closed), but if you modify the cookies you can do whatever you want.
wait, so how hard is it actually to brute force sha224? Like, could I theoretically do it on my home computer? and then use the secret to "sign" my own cookie? (is the secret something lewd? I feel like it's something lewd)
• from4eeb07b498ac4fa8
SHA2 is still secure enough that it can't reasonably be brute-forced. But if you did get the secret, yeah, you could just use it to validate any arbitrary cookie.
I can change cookies at will it's like being a shapeshifter
If your signature algorithm is something home grown and not just like, RSA or something I could maybe even find a way to trick it and forge cookies without being revealed as an impersonator. By signing my own cookie.
That last sentence sounds like a dirty joke.
• fromf4e7f44a7d623d20
It's just hash('sha224', $mail_cookie . $sig_secret), but DAMN, that's a good idea! Maybe in a future overhaul, things will become a little more interesting.
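To make the scheme concrete, here is an added example (not code from this site; it is a Python mirror of the PHP expression above, with a constructed placeholder secret that is not the real one). It shows the server-side half the asks above keep circling: signing is one hash over cookie-plus-secret, verification recomputes that hash and compares it in constant time, a saved cookie/signature pair stays valid for as long as the secret is unchanged (the point made about keeping an old identity), and an edited cookie or a guessed secret fails the check. An HMAC-SHA224 variant is included because HMAC is the standard construction for authenticating a value with a secret; the `issue_identity` helper and its 16-hex-character id format are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder secret for this example only. The real one,
# as the page says, lives in an environment variable and is never published.
SIG_SECRET = "placeholder-secret-not-the-real-one"


def sign_cookie(mail_cookie: str, secret: str = SIG_SECRET) -> str:
    """Mirror of the page's PHP: hash('sha224', $mail_cookie . $sig_secret)."""
    return hashlib.sha224((mail_cookie + secret).encode("utf-8")).hexdigest()


def sign_cookie_hmac(mail_cookie: str, secret: str = SIG_SECRET) -> str:
    """Same role, using HMAC-SHA224, the standard keyed-hash construction
    for authenticating a value with a secret."""
    return hmac.new(secret.encode("utf-8"), mail_cookie.encode("utf-8"),
                    hashlib.sha224).hexdigest()


def verify_cookie(mail_cookie: str, sig_cookie: str,
                  secret: str = SIG_SECRET, use_hmac: bool = False) -> bool:
    """Server-side check: recompute the signature for the presented cookie
    and compare in constant time, so the comparison itself leaks nothing
    about the expected value."""
    signer = sign_cookie_hmac if use_hmac else sign_cookie
    expected = signer(mail_cookie, secret)
    return hmac.compare_digest(expected, sig_cookie)


def issue_identity(secret: str = SIG_SECRET) -> tuple[str, str]:
    """Issue a fresh (mail_cookie, sig_cookie) pair, as a site would on first
    visit. The 16-hex-character id is an assumption modelled on the ids shown
    on the page."""
    mail_cookie = secrets.token_hex(8)
    return mail_cookie, sign_cookie(mail_cookie, secret)


if __name__ == "__main__":
    cookie, sig = issue_identity()
    print("issued:", cookie, sig)
    print("valid:", verify_cookie(cookie, sig))                        # True
    # A saved pair keeps working: nothing on the server side expires it.
    print("saved pair still valid:", verify_cookie(cookie, sig))       # True
    # Editing the id without the secret breaks the signature.
    print("edited id, old sig:", verify_cookie("0000000000000000", sig))  # False
    # A wrong secret produces a different hash, so verification fails.
    print("wrong secret:", verify_cookie(cookie, sig, secret="guess"))  # False
```

Running the block prints the four checks; `verify_cookie` is what a request handler would call before trusting the identity in the cookie, and swapping `use_hmac=True` into both signing and verification moves the site to the HMAC form without changing anything else.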
I hope it's okay but I've been saving my old cookies with Burp Suite CE, so I can reuse them later
They're saved in the most persistent digital storage format: An unsaved text file in Windows Notepad that I will simply never close
• from6ba5950e131a7474
Yeah, of course! I actually sort of expected people to do that sometimes if they wanted to keep an old identity alive.
Hey can I order uhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
• from1c391d5f7c580271
Sorry, ice cream machine's broken.
Opinion on cock?
• impersonatingCock Enjoyer
I've already answered this several times, I think they're the greatest invention since sliced bread, and a shining monument to humanity's accomplishments. Truly we are blessed to live in a world where the beauty and elegance of a cock can be appreciated.
*hands you some penis*
• fromeeae7d0ba95bb736
How much penis is some penis? For that matter, what unit would you use to quantify an amount of penis? Inches? Grams? Litres? Parts per million???
I could really go for a sandwich right about now. So instead I'll ask you if you have... any favourite sandwiches I guess?
• fromf00422bd184c4853
boy sandwich (take 2 boys, place in bed, get crushed between them)