Hardcoded admin emails are something I find quite often, but they pose a massive security risk if you forget to change the list when your admins change! Especially if you replicate the list across...
This one is somewhat appropriate after my #LaraconAU talk: Dependencies are security risks, especially if you have a lot of them or don't keep them updated. Remove the ones you don't need, and update...
Cryptographically secure randomness is one of those interesting weaknesses that often can't be easily demonstrated, but that's no reason not to use it, especially when PHP and Laravel give us some easy...
ICYMI: I did an Interview with Eric Barnes for the @laravelnews Creator Series about all things Laravel Security. It's a great chat, covering a bunch of different security topics, including my most...
Quick question for anyone who is online at the moment, what 3rd party scripts do you normally use on sites you work on? Can you please link me to their sites, so I can find their docs?
Was asked recently why I decorate my laptop with stickers: It's an expression of who I am, seen on stage, or working in public. Each sticker is intentional, with the layers showing the passage of time...
It was time to refresh my Laravel Security Audits Top 10 list! 🧐 There were no really surprising changes, but there is a new #1. Without looking, can you guess any of...
Seeing some weird sensationalising about the recent critical CVEs in Symfony & Laravel in the "security news", that feel like AI-written rubbish hyping a non-issue. Am I missing something? Does...
Now that Laracon AU is past, I'm getting back into practicallaravelsecurity.com. The final challenge in the Injection Attacks module is done! It 🎉 Up next is Authentication... What authentication...
I've joined the CVE hype-train! 🤣 Ok, in all seriousness, this is an issue if you have register_argc_argv=On. It's trivial to exploit and can unlock dev/debug helpers. 😱 GO...
Laravel's helpers are great, but make sure you know everything they do before you use them... 😧 In this example, I discovered Auth::loginUsingId() in use where the side-effects were terrifying....
It may seem strange but non-production mail can be a security risk... Staging is often buggy, and can provide a weak point for an attacker to get into your ecosystem. But at least you don't have prod...
I often get asked about validating inputs from WYSIWYG/Markdown editors, or simply find validation completely missing during audits... However, like all User Input, you cannot trust it. Validate and...
XSS loves to sneak into your apps when you're not paying attention, so you need to be intentional with your outputs and think about every piece of user input you're using in your...
Having seen Wicked (it was awesome!), my personal head canon is now that Wicked and Bridgerton exist in the same universe: Wicked is set before Anthony had to take over running the household. And now I...
w00t! My Laracon AU talk is online! I'm super proud of how this one turned out, given it started as a "vulnerabilities I'm sick of seeing everywhere"...
It's Black Friday... week! 🙃 👉 https://securinglaravel.com/black-friday-2024/ 👈 Get 25% off a premium subscription, or sign up for a Hacker subscription to get access to...
I've lost count how many times I've found Controller Actions with a missing authorize() method, allowing me to access things I shouldn't... 😈 My recommendation: use Route Groups, Routes, and Middleware for...
A small win I want to share: I first announced I was starting my own Pentesting thing on 17th Feb 2022, and the very next day someone I admire in the Laravel community reached out for pricing. After 3...
If you use Laravel’s implicit route bindings, you’ll probably end up with a route like this: /projects/{project}/plans/{plan} But how do you ensure {plan} is actually part of {project}? That's where...