PHP Spot the Bug Challenge
Recently I came across one of Securify's "spot the bug" challenges. The goal is to find one (or possibly more) critical vulnerabilities in the following code (the listing breaks off on the page at the final comparison):

```php
<?php
if (empty($_POST['hmac']) || empty($_POST['host'])) {
    header('HTTP/1.0 400 Bad Request');
    exit;
}

$secret = getenv("SECRET");
if (isset($_POST['nonce']))
    $secret = hash_hmac('sha256', $_POST['nonce'], $secret);

$hmac = hash_hmac('sha256', $_POST['host'], $secret);
if ($hmac…
```
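For comparison, here is an added, defensively written version of the same check. It is my own example, not the challenge code and not anything from Securify: it assumes the same inputs (POST parameters `hmac`, `host` and an optional `nonce`, plus a `SECRET` environment variable), the same nonce-derived key, and a 400 response on every failure, since the challenge's own handling of a mismatch is cut off on the page. The points it tightens are the ones a reviewer would check in any HMAC gate: every parameter must be a non-empty string before it reaches `hash_hmac` (PHP decodes `name[]=x` into an array, and `hash_hmac` does not accept arrays), an unset or empty server secret is treated as a hard failure rather than silently becoming an empty key, and the final comparison uses `hash_equals` so it is both strict and constant-time. Whether this covers what the challenge has in mind is left to the reader.

```php
<?php
// Added hardened example (not the challenge code). Assumes POST parameters
// 'hmac', 'host', optional 'nonce', and a SECRET environment variable.
declare(strict_types=1);

/**
 * Return the POST parameter as a non-empty string, or null when it is absent,
 * empty, or not a string (a[]=1 arrives as an array and must be rejected).
 */
function requiredString(array $post, string $key): ?string
{
    if (!isset($post[$key]) || !is_string($post[$key]) || $post[$key] === '') {
        return null;
    }
    return $post[$key];
}

/**
 * Compute the expected HMAC for $host, deriving a per-request key from $nonce
 * when one is supplied. Returns null when no usable server secret exists, so a
 * missing SECRET can never degrade into an empty key.
 */
function expectedHmac(string $host, ?string $nonce, ?string $secret): ?string
{
    if ($secret === null || $secret === '') {
        return null;
    }
    $key = $secret;
    if ($nonce !== null) {
        $key = hash_hmac('sha256', $nonce, $secret);
    }
    return hash_hmac('sha256', $host, $key);
}

/**
 * True only when every parameter is a well-formed string, a server secret is
 * configured, and the supplied hmac matches the expected value (constant-time,
 * strict string comparison via hash_equals).
 */
function verifyRequest(array $post, ?string $secret): bool
{
    $hmac = requiredString($post, 'hmac');
    $host = requiredString($post, 'host');
    if ($hmac === null || $host === null) {
        return false;
    }

    $nonce = null;
    if (array_key_exists('nonce', $post)) {
        $nonce = requiredString($post, 'nonce');
        if ($nonce === null) {
            return false; // nonce was sent but is not a usable string
        }
    }

    $expected = expectedHmac($host, $nonce, $secret);
    if ($expected === null) {
        return false;
    }
    return hash_equals($expected, $hmac);
}

// Request handling: getenv() returns false when SECRET is unset; map that to null.
$envSecret = getenv('SECRET');
if (!verifyRequest($_POST, $envSecret === false ? null : $envSecret)) {
    header('HTTP/1.0 400 Bad Request');
    exit;
}
```

Splitting the logic into `requiredString`, `expectedHmac` and `verifyRequest` keeps each decision (is the input a string, is there a key, does the tag match) testable on its own, which is what makes a gate like this easy to review; the original collapses all three into a few lines where a type or a falsy value can slip through unnoticed.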