I am trying to learn how to defend against security attacks on websites. The

Question

0

Asked: May 20, 20262026-05-20T09:23:55+00:00 2026-05-20T09:23:55+00:00

I am trying to learn how to defend against security attacks on websites. The

0

I am trying to learn how to defend against security attacks on websites. The link below shows a good tutorial, but I am puzzled by one statement:

In http://google-gruyere.appspot.com/part3#3__client_state_manipulation , under “Cookie manipulation”, Gruyere says Pythons hash is insecure since it hashes from left-to-right.

The Gruyere application is using this to encrypt data:

# global cookie_secret; only use positive hash values
h_data = str(hash(cookie_secret + c_data) & 0x7FFFFFF)

c_data is a username; cookie_secret is a static string (which is just ” by default)

I understand that in more secure hash functions, one change generates a whole new result, but I don’t understand why this insecure, because different c_data generates whole different hashes!

EDIT: How would one go about beating a hash like this?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-20T09:23:56+00:00

Editorial Team

2026-05-20T09:23:56+00:00Added an answer on May 20, 2026 at 9:23 am

What the comment may be trying to get at is that for most hash functions, if you are given HASH(m) then it is easy to calculate HASH(m . x), for any x (where . is concatenation).

Therefore, if you are user ro, and the server sends you HASH(secret . ro), then you can easily calculate HASH(secret . root), and login as a different user.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I am trying to learn how to defend against security attacks on websites. The

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply