Article 0
Sorry folks, yesterday's In Depth for Securing Laravel will be a few days late. A bunch of personal stuff going on right now, combined with travelling for a funeral and a wedding, have sucked up all my...
Article 5
I've been trialling a "Quarterly Laravel Security Reviews" service, and a few slots have opened up next year! 🕵️ These are different from an annual security audit/pentest, where you get a static report...
Article 4
I'm also available for your team to message at any time with security questions, and we can schedule the quarterly reviews around specific releases too. Every team has different needs, and I can...
Article 3
Selectively staging commits with `git add -p` is one of those hills I'll die on. 🤺 I know folks love their Git GUIs and adding everything with `git add .`, but you really do need to be aware of every...
Article 2
Working on part 4 of my Pentesting Laravel series, and I'm sneaking a few more security vulns into Chirper as I'm going along. Anyone paying close attention between the posts will notice some issues I...
Article 1
Why duplicate password validation rules across your app when you can define defaults once and reference them everywhere? There's a reason Laravel's Password validator is one of my favourite framework...
Article 0
Woah, apparently I've now published 151 posts! 🎉 The fourth and final part of my Pentesting Laravel series is out! In this one I reinforce the benefits of reading the code, through a bit of...
Article 2
Building an updated version of my "Laravel Security Top 10" and now I know how OWASP feels when they build their Top 10. I have the urge to recategorize findings, both into wider categories, and more...
Article 0
It's easy to guess passwords if your app doesn't rate limit attempts... If you're using an Authentication Kit → check it includes rate limiting. If you're not → implement your own rate limiting....
Article 0
Never a good email to receive unexpectedly, and especially so at the moment, given the chaos in the WP space and all the absurd decisions MM is making. My understanding is that this is just a result...
Article 0
Just like we can detect insecure functions with Pest, we can use PHPStan extensions to find and disallow insecure functions...
Article 1
It's been "in progress" for far too long, so I'm setting myself a goal to get https://practicallaravelsecurity.com completed by the end of November! 🤞 Friends, can you please hold me to this and poke...
Article 0
Progress update on Practical Laravel Security: 2 Injection challenges are done! I'm hoping to get the other 3 challenges done today or tomorrow, and also need to swap out Sendstack for a new provider...
Article 1
Should you block compromised passwords in your apps? Yes, but... you also need to consider your users, and how technical they are. There is no point blocking pwned passwords with a cryptic message if...
Article 0
Been putting it off for far too long, but it's time... It's time to move Practical Laravel Security's mailing list over to Kit. The website is done, now to import everyone and update my scripts....
Article 4
So... my current challenge is to safely allow people to conduct PHP Object Deserialisation attacks in my course... 🤓 This feels like a very bad idea, but so be it... 😧
Article 3
Note to self: don't overwrite your test script with the malicious script you're injecting. 🤦
Article 2
I got very excited when I saw Copilot found a vulnerability in my code... and then very disappointed when it said it was a non-existent vulnerability instead of the obvious object deserialisation...