
valorin

@valorin@phpc.social

Friendly Hacker, Speaker, and PHP & Laravel Security Specialist.🕵️
I hack stuff on stage for fun. 😈
I used to be found at: https://infosec.exchange/@valorin
#searchable


valorin, to php

One of my favourite (and oh so simple) hacker tricks is to abuse JSON support in APIs and pass TRUE instead of the actual API key. If the code does loose comparison, you don't need the key! 😎 😈 🍿
https://securinglaravel.com/p/security-tip-type-juggling

valorin, to Laravel

This is your periodic reminder to keep your dependencies updated.

composer outdated and composer audit are your friends! 🤓

https://securinglaravel.com/p/security-tip-keep-dependencies-updated

valorin, to random

Working on a new package aimed at making secure randomness a bit easier for folks who don't know how to implement some of the common use cases, such as OTPs, passwords with complexity rules, etc.

Still a lot to do, but you can take a peek at: https://github.com/valorin/random

valorin, to Laravel

The long awaited Missing Authorisation module for Practical Laravel Security is now LIVE! 🎉

This module covers IDORs, broken crypto, exposed routes, and related records, and includes 6 challenges to teach you how to find and exploit these vulnerabilities. 🕵️

The associated defence modules, covering Policies, Gates, Signed URLs, etc, should be coming next week to complete the topic.

Sign up: https://practicallaravelsecurity.com/
Or join the mailing list - I'll send out the details on Monday.

valorin, to php

Cross Site Request Forgery (CSRF) is not a solved problem. It's a problem with multiple defences that often get disabled...

There is a reason I covered it early in https://practicallaravelsecurity.com - when you're vulnerable, it opens a lot of possibilities. 😈
#PHP #Laravel #Security

valorin, to php

I'm excited to share that I'll be speaking and running a workshop at Longhorn PHP in Nov!
Many great names and talks on the schedule, so it's going to be a fun conf (& I have some cool tricks planned for my workshop)! 😁
https://www.longhornphp.com/ #php #LonghornPHP @longhorn

valorin, to php

Ok Laravel folks, it's time to increase your bcrypt rounds because 10 is no longer considered secure enough.
https://securinglaravel.com/p/security-tip-increase-your-bcrypt

valorin, to Laravel

My Laracon US talk is now up! 😁
https://www.youtube.com/watch?v=yBJStg-KMlU

Watch as we hack into a (intentionally) vulnerable app, exploiting a bunch of weaknesses, and learning how to think like a hacker along the way. If you can think like a hacker, you can better protect your own apps!
#Laravel #Laracon #LaraconUS #PHP

valorin, to php

It may be tempting to compare keys/sensitive strings using === (or even == 😱) but that opens you up to timing attacks! You should be using a timing attack safe string comparison function like hash_equals()...
https://securinglaravel.com/p/security-tip-compare-keys-with-hash_equals
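The two tips above (JSON `true` against a loosely compared key, and `hash_equals()` for sensitive strings) side by side, as an added example that is not code from the posts or the linked articles. It assumes PHP 8 and a constructed placeholder key:

```php
<?php
// Added example (not from the posts or linked articles): why a JSON `true`
// satisfies a loosely compared API key check, and the hardened comparison.

declare(strict_types=1);

const EXPECTED_KEY = 'sk_example_0123456789'; // constructed placeholder key

/**
 * Vulnerable: loose comparison. In PHP, `true == "any non-empty string"`
 * is true, so a body of {"api_key": true} passes without knowing the key.
 */
function checkKeyLoose(mixed $supplied): bool
{
    return $supplied == EXPECTED_KEY;
}

/**
 * Hardened: reject anything that is not a string, then compare in constant
 * time. hash_equals() requires two strings (PHP 8 throws a TypeError
 * otherwise, hence the guard) and does not stop at the first mismatched
 * byte, which closes the timing side channel of == and ===.
 */
function checkKeySafe(mixed $supplied): bool
{
    if (!is_string($supplied)) {
        return false;
    }
    return hash_equals(EXPECTED_KEY, $supplied);
}

// Constructed request bodies: the real key, a wrong key, and the `true` trick.
$bodies = [
    'real key'  => '{"api_key": "sk_example_0123456789"}',
    'wrong key' => '{"api_key": "nope"}',
    'json true' => '{"api_key": true}',
];

foreach ($bodies as $label => $json) {
    $supplied = json_decode($json, true)['api_key'];
    printf("%-10s loose=%-5s safe=%s\n", $label,
        var_export(checkKeyLoose($supplied), true),
        var_export(checkKeySafe($supplied), true));
}
```

The "json true" row is the one to watch: the loose check accepts it, the hardened check rejects it before the comparison ever runs.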

valorin, to php

Just how secure is PHP's strip_tags()? 🤔
Is it safe to use everywhere, or only in some situations, or should you avoid using it completely? 😕

Let's answer that question: https://securinglaravel.com/p/security-tip-is-strip_tags-secure

valorin, to Laravel

Securing Laravel has now officially moved to Ghost from Substack! 🎉

I'll be sending out the first Security Tip written on Ghost later today, but first, it's time for a migration discount!

For the next 2 weeks, you can get 25% off a new Securing Laravel subscription! 🎂

https://securinglaravel.com/ghost-migration-discount/

#Laravel #PHP

valorin, to php

I've had this question many times, so let me take you through the steps I follow when provisioning and securing apps on Forge...
https://securinglaravel.com/p/in-depth-securing-apps-on-forge [$]

valorin, to php

Since I'm in Austin for , and is in two weeks, my traditional Securing Laravel discount is up: https://securinglaravel.com/3f37d076

Sign up to learn all about and security!

valorin, to Laravel

Does your login form rate limit requests, or does it let an attacker make as many as they want? 🔓

You need rate limiting to slow down and hinder brute-force and credential stuffing attacks!
https://securinglaravel.com/p/security-tip-rate-limited-logins

valorin, to Laravel

I've got some availability coming up for my Laravel Security Audits and Penetration Tests!
Reach out if you want me to find (and help you fix) the vulnerabilities in your apps before someone else discovers them... 🕵️🔓
https://valorinsecurity.com #Laravel #PHP

valorin, to Laravel

Ⓣⓡⓐⓝⓢⓛⓘⓣⓔⓡⓐⓣⓘⓞⓝ is a sneaky trick that can be used to bypass rate limiting, blocklists, existence checks, and more, by taking advantage of your database's "helpful" nature...

https://securinglaravel.com/p/security-tip-be-careful-of-transliteration

valorin, to Laravel

In case you missed Caleb Porzio's announcement - Alpine now has an official CSP-friendly version! 🏆
This version lets you remove unsafe-eval from your CSP through the use of data components.
https://securinglaravel.com/p/security-tip-use-the-alpinejs-csp
https://alpinejs.dev/advanced/csp

valorin, to random

One of the things I love about Stripe is the prefixed API keys - making it trivial to block sk_live_* keys from being used outside production.

Anything that stops you from accidentally calling production APIs from dev or staging is worth doing: https://securinglaravel.com/p/protecting-production-apis

valorin, to Laravel

Let's solve XSS with a bit of CSS! 🤓

Next time you think about reaching for nl2br(), reach for a bit of CSS instead: white-space: pre-line;
It'll do the same job without risking XSS sneaking through.
https://securinglaravel.com/p/security-tip-dont-use-nl2br

valorin, to Laravel

Great question in the comments for: https://securinglaravel.com/p/security-tip-disable-dev-tools-on
"Would you recommend moving "laravel/tinker" to dev?"
No, since it's only a command line tool, but you do need to consider your audit trail. Building custom Artisan commands instead would be easier to test and review.

valorin, to random

Thanks for coming to my talk ! 😁
Congrats to the top hackers, and bonus points to whoever figured out how to change my name to 'sad'. Rookie move on my part. 🤣


valorin, to random

This is your periodic reminder that anything you get from the user - including callback URL query params - should be considered untrusted user input and validated accordingly...

Otherwise, someone like me will come along and use it to steal your private keys! 😈
(True story)


valorin, to random

Fair warning my Laravel & security friends:

Now that The Rings of Power promo is starting back up, I'll probably start talking about that on here too because I loved S1, and am very excited for S2. (I'll avoid spoilers though.)

If you'd just like to follow my Laravel and Security work, I'd suggest signing up for my weekly security tips on http://securinglaravel.com. 🙂

valorin, to random

My first full-time dev job was building a domain name registration system, so I'm very good at sniffing out domain scams.🧐

I received a suspicious-looking email yesterday, so let's see how far I can string this along and what their goal is... 😈
(I'll keep this thread updated)


valorin, to Laravel

It's incredibly common to find hardcoded domains used for identifying admins, however this also makes it trivial to escalate privileges to admin! 😈

https://securinglaravel.com/security-tip-privilege-escalation-through-domain-wildcards/
#Laravel
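An added example for the domain-based admin check above; it is not code from the post or the linked article. It assumes the weak pattern is a suffix match on the email string (one common shape of the problem) and uses a constructed placeholder domain:

```php
<?php
// Added example (not from the post or linked article): an assumed
// suffix-based admin check beside a stricter version that parses the domain.

declare(strict_types=1);

const ADMIN_DOMAIN = 'example.com'; // constructed placeholder company domain

/**
 * Assumed vulnerable pattern: "is this email on our domain?" implemented as
 * a suffix match. Any address that merely ends with the string also passes,
 * so a self-registered user at a look-alike domain is treated as an admin.
 */
function isAdminBySuffix(string $email): bool
{
    return str_ends_with(strtolower($email), ADMIN_DOMAIN);
}

/**
 * Hardened: require exactly one '@', split local part from domain, and
 * compare the whole domain (case-insensitive), not a suffix of it. This
 * still only makes sense for addresses the app has verified by email.
 */
function isAdminByDomain(string $email): bool
{
    if (substr_count($email, '@') !== 1) {
        return false;
    }
    [$local, $domain] = explode('@', $email, 2);
    if ($local === '' || $domain === '') {
        return false;
    }
    return strtolower($domain) === ADMIN_DOMAIN;
}

// Constructed addresses: legitimate staff plus look-alike domains.
$emails = [
    'alice@example.com',       // legitimate
    'Alice@EXAMPLE.COM',       // legitimate, different case
    'mallory@notexample.com',  // look-alike domain, same suffix
    'mallory@evil-example.com',// look-alike domain, same suffix
    'mallory@evil.org',
];

foreach ($emails as $email) {
    printf("%-26s suffix=%-5s domain=%s\n", $email,
        var_export(isAdminBySuffix($email), true),
        var_export(isAdminByDomain($email), true));
}
```

The two `mallory@...` look-alike rows are the ones the suffix check gets wrong and the domain check gets right.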
