It's easy to guess passwords if your app doesn't rate limit attempts... If you're using an Authentication Kit – check it includes rate limiting. If you're not – implement your own rate limiting....
Never a good email to receive unexpectedly, and especially so at the moment, given the chaos in the WP space and all the absurd decisions MM is making. My understanding is that this is just a result...
Just like we can detect insecure functions with Pest, we can use PHPStan extensions to find and disallow insecure functions...
It's been "in progress" for far too long, so I'm setting myself a goal to get https://practicallaravelsecurity.com completed by the end of November! Friends, can you please hold me to this and poke...
Progress update on Practical Laravel Security: 2 Injection challenges are done! I'm hoping to get the other 3 challenges done today or tomorrow, and also need to swap out Sendstack for a new provider...
Should you block compromised passwords in your apps? Yes, but... you also need to consider your users, and how technical they are. There is no point blocking pwned password with a cryptic message if...
Been putting it off for far too long, but it's time... It's time to move Practical Laravel Security's mailing list over to Kit. The website is done, now to import everyone and update my scripts....
So... my current challenge is to safely allow people to conduct PHP Object Deserialisation attacks in my course... This feels like a very bad idea, but so be it...
Note to self: don't overwrite your test script with the malicious script you're injecting.
I got very excited when I saw Copilot found a vulnerability in my code... and then very disappointed when it said it was a non-existent vulnerability instead of the obvious object deserialisation...
Challenge #3 completed! I am very excited to see how folks go with this. It's unlike any of the other challenges and should prove a bit of fun, and frustration.
I've had some Audit/Pentest clients unexpectedly pull out, leaving me with slots in Dec-Jan that I need to fill! If you're new to Pentesting, or it's been a while, now is a great time. I focus on...
I've heard from some folks (ok, one person) that they didn't realise Securing Laravel and Practical Laravel Security were different (my fault for the similar names!), so I thought I'd explain the...
Securing Laravel is my mailing list & "blog". I write weekly Tips and monthly In Depth articles on all aspects of security for Laravel and PHP devs. The Tips are free, while the In Depth articles...
Practical Laravel Security is a hands-on text-based course designed around a series of interactive hacking challenges that teach you how specific vulns work, followed by defences. My theory is that if...
In summary: Securing Laravel is a weekly mailing list and website full of free security tips and paid in depth articles. Practical Laravel Security is a paid text-only interactive course structured as a...
Here's that idea I'd like feedback on: Would you be interested in Practical Laravel Security included as a perk of a high priced tier on Securing Laravel? I.e. You sign up for Securing Laravel on a...
Long time coming, but the first 3 challenges in the Injection module on https://practicallaravelsecurity.com are now live! They take you through Local File Inclusion, Object Manipulation, and PHP...
The other awesome thing I added to Practical Laravel Security is a free demo, so if you're curious how the course works and the structure of the courses, check it out!...
Proud hacker parent moment: While I'm lying on the couch feeling sick, Mr 8 took my phone without asking, scanned the QR code on his Switch, used my finger to unlock 1Password, and let himself into the...