some small fixes

Cryptography/Hash-Length-extension-attacks/VimeoHashExploit/README.md

@@ -0,0 +1,55 @@
+Hash Extension Attack at the Vimeo API
+======================================
+
+This tutorial is a slight adaptation of Filippo Valsorda's presentation. The example here should not work currently, but it was a vulnerability a couple of years ago.
+
+The problem presented here shows how to exploit a poor choice combination of information in an API hash-function.
+
+TL;DR: given a hash that is composed of a string with an unknown prefix, an attacker can append to the string and produce a new hash that still has the unknown prefix.
+
+
+MD5
+---
+
+MD5 hashes can't be reversed and are nearly unique (accidental collisions are extremely rare, although possible).
+
+
+The Vulnerability
+-----------------
+
+* A signature is created from a hashed string. This string is a composed of:
+
+[ PASSWORD ]["api_key"+ api_key ]["method" + method]
+
+Where password is just the user password and method is the action, for example "vimeo.test.login".
+
+* This signature is hashed and added as the API signature.
+
+* Vulnerability 1: if we can see the hash, we can add code to it (extend).
+
+* Vulnerability 2: the secret is attached to the string that was hashed.
+
+* Vulnerability 3: all the other components (except the secret) is passed in the plaintext in the request.
+
+
+The Exploit
+-----------
+
+* If an attacker can see a request, she can extend the signature hash with any exploit. For example, she could add the method "vimeo.videos.setFavorite"
+
+* The API signature is now formed by hashing the entire new request.
+
+
+HOW TO RUN THIS EXAMPLE
+-----------------------
+
+* In one terminal run
+$ python server.py
+
+* Copy the values
+api_key     cdd56f298e71493b9b1015c691e14501
+api_sig     fdffe59969293f23c197f321ff2f972e
+
+to client.py and then run it.
+
+* To understand what happen, look inside client.py.