Michal Špaček

261 Followers
56 Following
225 Posts
In your web, securing your app. Hacker, web developer, speaker, engineer. Security Shoptet, ex-Report URI. I believe HTTPS stands for How To Transfer Private Sh*.
Blog & site: https://www.michalspacek.com/
Blog & site in Czech: https://www.michalspacek.cz/
Password storage disclosures: https://pulse.michalspacek.cz/passwords/storages
Reporting API Demos, CSP etc.: https://canhas.report/
The Axios supply chain attack post-mortem notes show how it was done: via a fake cloned company on a fake Teams call. These two comments I find the most interesting (but the whole thing is nicely written): https://github.com/axios/axios/issues/10636#issuecomment-4180237789 and https://github.com/axios/axios/issues/10636#issuecomment-4182134203

Here's your (ir)regular reminder that HTTPS certificates without the CN (Common Name) field are completely valid. For example the 6-day certificates from Let's Encrypt do not have a CN as per the "shortlived" profile https://letsencrypt.org/docs/profiles/

Browsers do not use the CN for validation even if it exists; they use the SAN (Subject Alternative Name) field only. The Baseline Requirements by the CA/Browser Forum say that "For Subscriber Certificates, the Subject Alternative Name MUST be present", while the section about the Subscriber Certificate Common Name Attribute begins with "If present".

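The SAN-vs-CN point above, as an added example that is not from the post: it uses Go's crypto/x509 (which, like browsers, matches a hostname only against the SAN extension) to issue two self-signed, 6-day test certificates, one with no CN attribute at all and one whose CN names the host while its SAN does not, and reports what hostname verification does with each. The certificate contents, the names used and the Report type are assumptions constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidSubjectAltName is id-ce-subjectAltName (2.5.29.17).
var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}

// Report is what a verifier sees: the Subject CN if one is present, the SAN
// dNSName entries, whether the SAN extension is marked critical, and the
// outcome of hostname verification.
type Report struct {
	CommonName  string
	DNSNames    []string
	SANCritical bool
	HostnameErr error
}

// issue creates a self-signed, 6-day certificate (constructed test data, not a
// real CA-issued certificate). An empty cn means the Subject carries no CN
// attribute at all, so the only identity is in the SAN extension.
func issue(cn string, sans []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn}, // no CN attribute is emitted when empty
		DNSNames:     sans,
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(6 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// check parses the DER certificate and verifies host against it. VerifyHostname
// matches only the SAN entries; the CN is reported purely for display.
func check(der []byte, host string) (Report, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Report{}, err
	}
	r := Report{
		CommonName:  cert.Subject.CommonName,
		DNSNames:    cert.DNSNames,
		HostnameErr: cert.VerifyHostname(host),
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidSubjectAltName) {
			r.SANCritical = ext.Critical
		}
	}
	return r, nil
}

func main() {
	cases := []struct {
		cn   string
		sans []string
		host string
	}{
		{"", []string{"example.com"}, "example.com"},              // SAN only, no CN: valid
		{"example.com", []string{"other.example"}, "example.com"}, // CN names the host, SAN does not: invalid
	}
	for _, c := range cases {
		der, err := issue(c.cn, c.sans)
		if err != nil {
			panic(err)
		}
		r, err := check(der, c.host)
		if err != nil {
			panic(err)
		}
		fmt.Printf("CN=%q SAN=%v sanCritical=%v verify(%s): %v\n",
			r.CommonName, r.DNSNames, r.SANCritical, c.host, r.HostnameErr)
	}
}
```

The first case is the shape of the "shortlived" profile certificate: an empty subject, identity only in the SAN, and the SAN extension marked critical, which RFC 5280 section 4.2.1.6 requires whenever the subject is empty. The second case shows why a CN is irrelevant to verification: the CN says example.com, the SAN does not, and VerifyHostname fails.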

I always find entering personal details into a company website to tell them to stop processing the very same data a bit absurd.

This business data enrichment company is processing my personal phone number. They told me to fill out this form to opt out, so I did. Now I'm asking how they process the data I have entered into the form 😅

There's a chance they need to store my data to not use them anymore if a new "enrichment source" appears, sort of a "lock". They also say they're not controllers as per GDPR, only processors, so they can't delete my data, but entering my data could make them one.

I could be wrong though. This will be interesting🤔 And I hope I'll learn a thing or two.

One of my favorite XSS tricks when you can add only attributes (when < and > are removed from the input) is to add onfocus=alert(1) and autofocus: <input value="" onfocus="..." autofocus="">.

To not create a "focus loop", I often add this.blur() to the onfocus handler, otherwise alert(1) steals the focus, and when you close it, the field gains focus once again and so on 😅
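The attribute-injection trick above, as an added example that is not from the post: a naive server-side "sanitizer" that only strips < and >, next to a template that encodes for the attribute context, plus a rough model of how the HTML tokenizer splits the resulting tag into attributes so the difference is visible without a browser. The template, the input name and the attributeNames helper are constructed for this demo.

```javascript
// Naive "sanitizer": removes angle brackets, so no new tag can be opened...
function stripAngleBrackets(s) {
  return String(s).replace(/[<>]/g, '');
}

// ...but the quote that closes value="" is untouched, so new attributes
// can be added inside the existing <input> tag.
function renderNaive(value) {
  return `<input type="text" name="q" value="${stripAngleBrackets(value)}">`;
}

// Fix: encode for the attribute context. With & " ' < > encoded, the payload
// can no longer terminate the quoted value.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function renderSafe(value) {
  return `<input type="text" name="q" value="${escapeAttr(value)}">`;
}

// Rough model of the HTML tokenizer for a single tag: attribute name followed
// by an optional quoted or unquoted value. Enough to show what a browser
// would treat as separate attributes.
function attributeNames(tag) {
  const re = /\s([A-Za-z][\w:-]*)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  return Array.from(tag.matchAll(re), (m) => m[1].toLowerCase());
}

// Event-handler attributes (on*) the browser would wire up.
function eventHandlers(tag) {
  return attributeNames(tag).filter((n) => n.startsWith('on'));
}

// The payload from the post: close value, add onfocus and autofocus. The
// this.blur() call avoids the focus loop where closing the alert re-focuses
// the input and fires onfocus again.
const payload = '" onfocus="this.blur();alert(1)" autofocus="';

// Naive:  <input type="text" name="q" value="" onfocus="this.blur();alert(1)" autofocus="">
// Safe:   <input type="text" name="q" value="&quot; onfocus=&quot;this.blur();alert(1)&quot; autofocus=&quot;">
console.log(renderNaive(payload));
console.log(eventHandlers(renderNaive(payload)));
console.log(renderSafe(payload));
console.log(eventHandlers(renderSafe(payload)));
```

Stripping < and > only stops a new element from being opened; it does nothing about the quote that ends the current attribute, which is why encoding for the context the value lands in (here an attribute value) is the fix, not a blocklist of characters.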

Naming is hard, so that's why my @phpstan extension called "Disallowed **Calls**" now supports disallowing **properties** 😅 Also a Friday the 13th release 👻 (at least in my timezone). https://github.com/spaze/phpstan-disallowed-calls/releases/tag/v4.9.0
When issuing an HTTPS certificate, the CA needs to make sure you own the domain, and one of the many methods is via email, where they'll email you a link. This method will be discouraged in March 2026 and disabled in March 2028.
See https://security.googleblog.com/2025/12/https-certificate-industry-phasing-out.html + https://cabforum.org/2025/11/20/ballot-sc-090-gradually-sunset-all-remaining-email-based-phone-based-and-crossover-validation-methods-from-sections-3.2.2.4-and-3.2.2.5/

Instead of `cat`, I use `bat`, "a cat(1) clone with wings." https://github.com/sharkdp/bat

It supports syntax highlighting, line numbers, git, invisible chars etc. I even have it aliased to `cat`.

But if you'd like to concatenate multiple files into a single file like `cat 1 2 3 > foo`, you should run the original unaliased `cat` (by prefixing it with `\`, like `\cat`); it seems much faster, at least in my case up to 10x. So now my scripts contain `\cat` instead of just `cat`.

Best news I've discovered today is that ripgrep is also available for Windows and you can install it with winget (winget install ripgrep). ripgrep is like the grep utility in Linux, but a bit faster; it also accepts grep's params https://github.com/burntsushi/ripgrep

Michal Špaček @spazef0rze presenting his talk "Password Reuse Is a Dumpster Fire – We Brought a Hose" at #PasswordsCon in Prague, December 2, 2025.

https://www.youtube.com/watch?v=AuCNgoDf-5c

@steam_flow Why should I try it, does it use the same technique?