Part Two of my Pentesting walkthrough is almost done! I just counted and it finds 4 different critical vulnerabilities in my copy of Chirper - all based off actual vulnerabilities I've found on client...
It's time to continue the Pentest of Chirped, by diving into configs and dependencies, and following those threads to discover 4 CRITICAL vulnerabilities! 😱 I'm super proud of this one, all 4 are based...
Started a new Pentest for a client, and something unusual happened: there were no hardcoded credentials. 😲
HTML has a lot of hidden gems, and the `autocomplete` attribute is no exception. Let's take a look at how it helps your password fields and password managers work...
Accepting File Uploads from your users is always a risky proposal, but have you considered just how easily uploaded files can be used to bypass CSRF and cookie...
Scheduled tomorrow's Security Tip - it's a bit more confrontational than I normally do, but hopefully it'll start some good discussions. 🔥 Keep an eye out for it!
That one time I had a domain hijacked... aka don't leave domains (or subdomains) pointing at servers or nameservers you don't control!...
MD5 is like a cockroach - it's persistent and pops up everywhere, but one thing is very clear: you need to stop using it (and SHA-1...
I'll be a bit quiet on here for the next few weeks. I'm dealing with some health stuff and really need to disconnect, and prepare for Laravel Live Denmark. I'll aim to keep posting my security articles...
Let's look at my old buddy time(), who always has something for me during my audits - usually with my other buddy, md5()! But this time it's being used to avoid filename collisions? Surely there is a...
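
The two problems with an `md5(time())` filename, collisions inside one second and guessability from the upload time, shown side by side with a CSPRNG-based replacement. This is an added example in plain PHP, not code from the article; the extension allow-list and the five-second guessing window are assumptions for the demonstration.

```php
<?php
declare(strict_types=1);

// Collision-prone: md5() of the current second. Two uploads that land in the
// same second get the same name, and anyone who knows roughly when a file was
// uploaded can enumerate the candidates, since the input is a 10-digit timestamp.
function weakUploadName(string $extension): string
{
    return md5((string) time()) . '.' . $extension;
}

// Collision-resistant and unguessable: 128 bits from the CSPRNG, unrelated to
// time, the user, or the original filename.
function safeUploadName(string $extension): string
{
    return bin2hex(random_bytes(16)) . '.' . $extension;
}

// The extension still comes from the client, so allow-list it instead of
// trusting the upload. The allow-list itself is an assumption for this example.
function allowedExtension(string $originalName, array $allowed = ['png', 'jpg', 'pdf']): string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        throw new InvalidArgumentException("Extension not allowed: {$ext}");
    }
    return $ext;
}

// What an attacker does with the weak scheme: every name a file uploaded at
// roughly $uploadedAt (+/- $window seconds) could have received.
function candidateWeakNames(int $uploadedAt, int $window, string $extension): array
{
    $names = [];
    for ($t = $uploadedAt - $window; $t <= $uploadedAt + $window; $t++) {
        $names[] = md5((string) $t) . '.' . $extension;
    }
    return $names;
}

// Returns three facts about the two schemes for the same extension.
function compareSchemes(string $originalName): array
{
    $ext = allowedExtension($originalName);

    $weakA = weakUploadName($ext);
    $weakB = weakUploadName($ext);           // generated in the same second as $weakA
    $guessable = in_array($weakA, candidateWeakNames(time(), 5, $ext), true);

    $safeA = safeUploadName($ext);
    $safeB = safeUploadName($ext);

    return [
        'weak_names_collide'  => $weakA === $weakB,
        'weak_name_guessable' => $guessable,
        'safe_names_collide'  => $safeA === $safeB,
    ];
}

print_r(compareSchemes('report.PDF'));
```

The point of `candidateWeakNames()` is that "unique enough" is not the only requirement for an upload name: if the name is derived from public information (the clock), an attacker can reach files they were never given a link to.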
It may be tempting to compare keys/sensitive strings using `===`, or even `==`, but that opens you up to timing attacks! You should be using a timing attack safe string comparison function like...
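
Timing-safe comparison in plain PHP, covering a raw token, an HMAC signature, and the lookup-then-compare pattern for stored API tokens. This is an added example, not code from the article; the `$storedTokens` array is constructed sample data standing in for a database table.

```php
<?php
declare(strict_types=1);

// Vulnerable: === stops at the first mismatching byte, so the response time
// leaks how many leading bytes of $provided were correct. == is worse still:
// numeric-looking strings such as "0e123" == "0e456" compare equal in PHP.
function verifyTokenUnsafe(string $secret, string $provided): bool
{
    return $secret === $provided;
}

// Hardened: hash_equals() takes time proportional to the length of the known
// string, independent of where the first difference is. Only the length of the
// known string is observable. Known value first, user-supplied value second.
function verifyToken(string $secret, string $provided): bool
{
    return hash_equals($secret, $provided);
}

// Same rule for MACs and API signatures: recompute, then compare constant-time.
function verifyHmac(string $key, string $message, string $receivedHex): bool
{
    $expected = hash_hmac('sha256', $message, $key);
    return hash_equals($expected, $receivedHex);
}

// Token lookup without a timing leak through the database: fetch by the
// non-secret id part, then compare the secret part with hash_equals().
// Only a hash of the secret part is stored; a plain sha256 is acceptable here
// because the secret is high-entropy random bytes, not a user-chosen password.
function authenticateApiToken(string $presented, array $storedTokens): ?string
{
    [$id, $secret] = array_pad(explode('|', $presented, 2), 2, '');
    if (!isset($storedTokens[$id])) {
        return null;
    }
    $storedHash = $storedTokens[$id]['secret_hash'];
    return hash_equals($storedHash, hash('sha256', $secret))
        ? $storedTokens[$id]['user']
        : null;
}

// Constructed sample data.
$storedTokens = [
    'tok_1' => ['user' => 'alice', 'secret_hash' => hash('sha256', 'c0rrect-h0rse-battery')],
];

var_dump(verifyTokenUnsafe('0e123', '0e123'));               // === is at least not fooled by numerics
var_dump(verifyToken('abc', 'abd'));
var_dump(verifyHmac('k', 'body', hash_hmac('sha256', 'body', 'k')));
var_dump(authenticateApiToken('tok_1|c0rrect-h0rse-battery', $storedTokens));
var_dump(authenticateApiToken('tok_1|wrong', $storedTokens));
var_dump(authenticateApiToken('tok_9|anything', $storedTokens));
```

The split-token shape (`id|secret`) matters as much as `hash_equals()`: a `WHERE token = ?` query on the full secret is itself a comparison you do not control, and indexing by the public id keeps the secret out of it.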
We've all heard about SQLi and XSS, but what about another big injection vector: Command Injection? It's less common but just as critical if your app does anything on the command line. Plus, it's not...
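
The vulnerable shape of command injection next to two hardened forms: quoting with `escapeshellarg()`, and avoiding the shell altogether with an argv array. This is an added example, not code from the article; the `ping` wrapper and the host name allow-list are assumptions chosen to keep the demonstration concrete.

```php
<?php
declare(strict_types=1);

// Vulnerable: the host name is interpolated into a shell string. Input such as
// "example.com; id" or "$(id)" runs attacker-chosen commands.
function pingUnsafe(string $host): string
{
    return shell_exec("ping -c 1 {$host}") ?? '';
}

// Step 1: validate. A strict allow-list for a host name rejects shell
// metacharacters outright. Rejecting a leading "-" also blocks argument
// injection, where a value that is quoted correctly still becomes an extra
// option for the program being run.
function assertHostname(string $host): void
{
    if ($host === '' || strlen($host) > 253 || $host[0] === '-'
        || !preg_match('/\A[A-Za-z0-9.-]+\z/', $host)) {
        throw new InvalidArgumentException('Invalid host name');
    }
}

// Step 2a: if a shell is unavoidable, quote the argument so it is one literal.
function pingQuoted(string $host): string
{
    assertHostname($host);
    return shell_exec('ping -c 1 ' . escapeshellarg($host)) ?? '';
}

// Step 2b (preferred): skip the shell entirely. Passing an argv array to
// proc_open() (PHP 7.4+) executes the program directly, so no metacharacter
// is ever interpreted by anything.
function pingNoShell(string $host): string
{
    assertHostname($host);
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['ping', '-c', '1', $host], $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('Could not start ping');
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    return $status === 0 ? $out : "ping failed ({$status}): {$err}";
}

// Constructed inputs showing what the validator lets through and what it stops.
$inputs = ['example.com', '127.0.0.1', 'example.com; id', '$(id)', '-h', 'a b'];
foreach ($inputs as $input) {
    try {
        assertHostname($input);
        echo "accepted: {$input}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$input}\n";
    }
}
```

Validation and the no-shell call are layered on purpose: `escapeshellarg()` only protects against the shell, while the argv form plus the leading-dash check also protects against the program's own option parser.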
This is your periodic reminder to ensure bcrypt rounds are set to 12 (or higher)! Laravel's default was increased from 10 to 12 last Sept, so if you're working on an older codebase, make sure you've...
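
Setting the cost, reading it back out of an existing hash, and transparently upgrading hashes made at the old cost on the next login. This is an added plain-PHP example, not code from the article or from Laravel; in a Laravel app the cost comes from `config/hashing.php` (the `BCRYPT_ROUNDS` environment variable) rather than the constant used here, and the legacy record is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Target work factor; stands in for Laravel's config('hashing.bcrypt.rounds').
const BCRYPT_COST = 12;

function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// The cost is encoded in the hash itself: "$2y$10$..." was made with cost 10.
function bcryptCost(string $hash): int
{
    return (int) (password_get_info($hash)['options']['cost'] ?? 0);
}

// Verify, then upgrade hashes created at a lower cost on the next successful
// login. $persist is the caller's "save the new hash" callback; the plaintext
// is only available at login time, so this is the only place a rehash can happen.
function verifyAndUpgrade(string $password, string $storedHash, callable $persist): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $persist(hashPassword($password));
    }
    return true;
}

// Rough timing check: each +1 of cost doubles the work. Run this on the actual
// production hardware when choosing a value, not on a laptop.
function bcryptMilliseconds(int $cost): float
{
    $start = hrtime(true);
    password_hash('benchmark', PASSWORD_BCRYPT, ['cost' => $cost]);
    return (hrtime(true) - $start) / 1e6;
}

// Constructed legacy record: a hash made with the old default cost of 10.
$legacyHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
$saved = null;
$ok = verifyAndUpgrade('correct horse battery staple', $legacyHash, function (string $new) use (&$saved): void {
    $saved = $new;
});

printf("login ok: %s\n", $ok ? 'yes' : 'no');
printf("legacy cost: %d, upgraded cost: %d\n", bcryptCost($legacyHash), $saved === null ? 0 : bcryptCost($saved));
printf("cost 10: %.0f ms, cost 12: %.0f ms\n", bcryptMilliseconds(10), bcryptMilliseconds(12));
```

Raising the configured cost only affects hashes created afterwards; `password_needs_rehash()` is what closes the gap for every account that was hashed before the change.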
Signed URLs are awesome, but if you forget to check they are working - you may be leaving a massive vulnerability just waiting to be exploited... 😈 (Spoiler alert: Write tests that check generation and...
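
A minimal HMAC signed-URL scheme with the tests the spoiler asks for: the generated URL must validate, and a tampered parameter, a stripped signature, an expired link and a wrong key must all fail. This is an added example in plain PHP, not code from the article or from Laravel (where the equivalents are `URL::signedRoute()` / `URL::temporarySignedRoute()` and `$request->hasValidSignature()` or the `signed` middleware); the key, timestamps and route are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Canonical form that signing and verification both build identically:
// the URL without a query string, then the parameters in their given order.
function canonicalUrl(string $baseUrl, array $params): string
{
    return $params === [] ? $baseUrl : $baseUrl . '?' . http_build_query($params);
}

function signUrl(string $key, string $baseUrl, array $params, int $expiresAt): string
{
    $params['expires'] = $expiresAt;
    $params['signature'] = hash_hmac('sha256', canonicalUrl($baseUrl, $params), $key);
    return canonicalUrl($baseUrl, $params);
}

function hasValidSignature(string $key, string $signedUrl, int $now): bool
{
    $parts = parse_url($signedUrl);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    parse_str($parts['query'] ?? '', $params);
    $signature = $params['signature'] ?? null;
    unset($params['signature']);
    if (!is_string($signature) || !isset($params['expires'])) {
        return false;
    }
    $baseUrl = $parts['scheme'] . '://' . $parts['host']
        . (isset($parts['port']) ? ':' . $parts['port'] : '')
        . ($parts['path'] ?? '');
    $expected = hash_hmac('sha256', canonicalUrl($baseUrl, $params), $key);
    // Constant-time compare first, then expiry; both must pass.
    return hash_equals($expected, $signature) && (int) $params['expires'] >= $now;
}

// Generation and validation tested together. Returns the names of the failing
// cases, so an empty array means every property holds.
function signedUrlSelfTest(): array
{
    $key = str_repeat('k', 32);          // constructed; use random_bytes(32) for a real key
    $now = 1_700_000_000;
    $url = signUrl($key, 'https://app.example/unsubscribe', ['user' => '42'], $now + 3600);

    $cases = [
        'valid url validates'      => hasValidSignature($key, $url, $now) === true,
        'tampered param fails'     => hasValidSignature($key, str_replace('user=42', 'user=43', $url), $now) === false,
        'stripped signature fails' => hasValidSignature($key, preg_replace('/&signature=[0-9a-f]+/', '', $url), $now) === false,
        'expired url fails'        => hasValidSignature($key, $url, $now + 3601) === false,
        'wrong key fails'          => hasValidSignature(str_repeat('x', 32), $url, $now) === false,
        'bare url fails'           => hasValidSignature($key, 'https://app.example/unsubscribe?user=42', $now) === false,
    ];
    return array_keys(array_filter($cases, fn (bool $ok): bool => !$ok));
}

print_r(signedUrlSelfTest());
```

The negative cases are the ones that catch a broken deployment: a route that forgets to call the validator, or a validator that silently accepts a missing signature, passes the "valid URL validates" test and fails every other one.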
Don't forget to disable Debug Mode on world-accessible Apps! ⚠️ It may seem obvious, but you'd be surprised just how often I come across websites where debug mode is enabled, and what it allows an attacker...
Stack traces are essential for debugging complex (and even simple) issues, but there is a risk that a sensitive parameter might be exposed within your logs or debugging output... Let's ensure that...
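
Keeping a password out of a stack trace with PHP 8.2's `#[\SensitiveParameter]` attribute, next to a redaction helper for data the attribute cannot reach (request bodies, nested arrays). This is an added example, not code from the article; the `authenticate()` functions, the key list in `redactForLog()` and the sample payload are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Before: the password is an ordinary parameter, so it appears verbatim in
// $e->getTrace()[...]['args'] and in anything that dumps the trace (log lines,
// debug pages, exception trackers).
function authenticateUnsafe(string $username, string $password): void
{
    throw new RuntimeException("Backend unavailable for {$username}");
}

// After (PHP 8.2+): #[\SensitiveParameter] makes the engine replace the value
// in every backtrace with a SensitiveParameterValue object, which var_dump(),
// print_r() and getTraceAsString() render without its contents.
function authenticate(string $username, #[\SensitiveParameter] string $password): void
{
    throw new RuntimeException("Backend unavailable for {$username}");
}

// Collect the argument list of the innermost frame when $fn throws.
// Only meaningful when zend.exception_ignore_args=0 (the php.ini-production
// template sets it to 1, which drops args from traces altogether).
function traceArgs(callable $fn, string ...$args): array
{
    try {
        $fn(...$args);
    } catch (RuntimeException $e) {
        return $e->getTrace()[0]['args'] ?? [];
    }
    return [];
}

// For data the attribute cannot cover: scrub known-sensitive keys (recursively)
// before a request payload is written to a log or sent to an error tracker.
function redactForLog(array $data, array $sensitiveKeys = ['password', 'password_confirmation', 'token', 'secret']): array
{
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = redactForLog($value, $sensitiveKeys);
        } elseif (in_array(strtolower((string) $key), $sensitiveKeys, true)) {
            $data[$key] = '[REDACTED]';
        }
    }
    return $data;
}

$secret = 'hunter2';
$unsafeArgs = traceArgs('authenticateUnsafe', 'alice', $secret);
$safeArgs   = traceArgs('authenticate', 'alice', $secret);

// The unsafe frame carries the raw string; the safe frame carries a
// SensitiveParameterValue wrapper (getValue() is the only way to unwrap it).
var_dump(in_array($secret, $unsafeArgs, true));
var_dump(($safeArgs[1] ?? null) instanceof SensitiveParameterValue);
var_dump($safeArgs);

print_r(redactForLog(['email' => 'alice@example.com', 'password' => $secret, 'meta' => ['token' => 'abc']]));
```

The attribute is the cheap, durable fix for function parameters; the redaction helper is the backstop for everything that arrives as a blob, since a trace is only one of the places a request payload ends up.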
While it's tempting to throw everything into your logs, keep in mind where they end up → plain text files, 3rd party collectors, passed around the dev team, etc... 😱 If an attacker can access your logs,...
Search engines like to snoop on all of your files, so be careful what you leave lying around. All it takes is a simple Google Dork to find sensitive data in an exposed `.env` and your app will be...