valorin

andrewfeeney, 6 months ago to Laravel

I don't miss Twitter but I do miss the #Laravel community I used to interact with there. I don't really see any evidence that those folks are likely to give up on it soon, but I do wish they would. I expect the hard-liners wouldn't end up on Mastodon anyway.

Welp, will just have to do my best to build and contribute what I'm missing to this community.

valorin, 6 months ago to php

Just how secure is PHP's strip_tags()? 🤔
Is it safe to use everywhere, or only in some situations, or should you avoid using it completely? 😕

Let's answer that question: https://securinglaravel.com/p/security-tip-is-strip_tags-secure
#PHP #Laravel

valorin, 6 months ago to php

I've had this question many times, so let me take you through the steps I follow when provisioning and securing apps on Forge...
https://securinglaravel.com/p/in-depth-securing-apps-on-forge [$]
#PHP #Laravel

valorin, 6 months ago to random

Day two @ #LaraconAU!

It's gonna be another fun one, and don't forget to stick around to the very end! I'm last up, teaching you how to Th1nk Lik3 a H4acker. 🥷

This one's fully interactive, so bring your phones and get hacking. 😈

valorin, 6 months ago to php

You need to protect your .env file, and search engines like to snoop on all of your files, so be careful what you leave lying around! 😈

Or, in other words... Install your apps properly!

https://securinglaravel.com/p/security-tip-protect-your-env-file #PHP #Laravel

valorin, 7 months ago to php

Since I'm in Austin for #LonghornPHP, and #LaraconAU is in two weeks, my traditional Securing Laravel discount is up: https://securinglaravel.com/3f37d076

Sign up to learn all about #PHP and #Laravel security!

valorin, 7 months ago to random

I was procrastinating yesterday and noticed an app I use has a security bounty, so I went digging...

20 minutes later, I popped a top-tier vuln! 😈 🎉
Reported it via email, it was acknowledged in 12 mins, fixed in 17 mins. 🥰

That's how you do security properly.

valorin, 7 months ago to random

Anyone switched from Notion to https://obsidian.md?

I really like the idea of having everything local, but I use databases, templates, and properties A LOT. So I'm curious how you went replicating the experience of some of the advanced features.

valorin, 7 months ago to php

This week's "I can't believe I haven't already written about this" Security Tip: Disable Debug Mode on World-accessible Apps!

It may seem obvious, but you'd be surprised just how often I come across websites where it's left enabled! 😲
https://securinglaravel.com/p/security-tip-disable-debug-mode-on #PHP #Laravel

valorin, 7 months ago to php

I've just had some availability open up in December for my Laravel Security Audits & Penetration Tests! 🕵️

It's my only slot until March, so reach out if you need an audit before the end of the year, or you want me to test your app!
https://valorinsecurity.com/ #PHP #Laravel

valorin, 7 months ago to random

Any crypto/password entropy nerds able to help me out calculating possible combinations/entropy?

If an 8 character password with 88 possible characters to choose from has 3,596,345,248,055,296 possible combinations, how many would a password of the same length where one character MUST be a letter [a-zA-Z], one MUST be a number [0-9], and one MUST be a special char (with 26 options) be?

Is it just: 52 * 10 * 26 * (88^5), totalling 71,349,355,151,360?

I feel like that's missing something?

valorin, 8 months ago to Tolkien

For the Tolkien fans here: https://www.kickstarter.com/projects/expectedsoundscape/an-unexpected-soundscape-and-a-soundscape-of-ea
I have the LOTR soundscape, and it's a pretty great way to read the books or listen to the audiobook.
#Tolkien

valorin, 8 months ago to php

One of my favourite (and oh so simple) hacker tricks is to abuse JSON support in APIs and pass TRUE instead of the actual API key. If the code does loose comparison, you don't need the key! 😎 😈 🍿
https://securinglaravel.com/p/security-tip-type-juggling #PHP #Laravel

valorin, 8 months ago to php

Ok Laravel folks, it's time to increase your bcrypt rounds because 10 is no longer considered secure enough.
https://securinglaravel.com/p/security-tip-increase-your-bcrypt
#PHP #Laravel

valorin, 8 months ago to Tolkien

My Tolkien reread continues...

#Tolkien #LordOfTheRings #LOTR

image/jpeg
image/jpeg

jerry, 8 months ago to random

Well, I was just contemplating downsizing a bit on infosec.exchange when I saw this scroll by: https://variety.com/2023/digital/news/elon-musk-charge-all-x-twitter-users-fee-1235726693/

Maybe I'll wait a while...

valorin, 8 months ago to php

It may be tempting to compare keys/sensitive strings using === (or even == 😱) but that opens you up to timing attacks! You should be using a timing attack safe string comparison function like hash_equals()...
https://securinglaravel.com/p/security-tip-compare-keys-with-hash_equals #PHP #Laravel

valorin, 9 months ago to php

In the last 12 months on Securing Laravel, I have published:

• The OWASP Top 10 Series
• Security Audits Top 10 Series
• 33 Security Tips
• 11 In Depth Articles
• “Th1nk Lik3 a H4cker” walkthrough

Wow, it's been a busy year! 😲
https://securinglaravel.com/p/2-years-of-securing-laravel-laravel
#PHP #Laravel

valorin, 9 months ago to random

A friend received these emails recently, and asked me for help...
On face value they sound worrying, but this is what's known as a Beg Bounty! The sender runs an basic scanner, finds minor 'issues', and asks for money to disclose "serious vulns".

In the vast majority of cases, these are simply identifying things like missing security headers, which enhance your security but don't mean an actual vuln exists. You can usually identify them with the lack of details and a veiled request for money.

image/png