I used Copilot to write a quick code example for a Security Tip, and it spat out some vulnerable code for me. So now my security tip has 2 vulnerabilities in it, not just the one I planned on writing...
It's incredibly common to find hardcoded domains used for identifying admins, however this also makes it trivial to escalate privileges to admin!...
Laravel Security Tip #39: Casting Request Values
Why treat all user input as strings when you can pull out specific values and automatically cast them as the types you're...
Writing my overdue In Depth article for Securing Laravel, and this is a really fun one! I'm demoing a vuln I recently found in a common 3rd party package. So far I've built a sneaky phishing page for...
At this point I'm pretty convinced that MRIs were originally designed as torture devices: "keep the body part that's in pain perfectly still while we make lots of loud noises"...
My overdue In Depth is all ready to go, so now it's time to schedule it for Wednesday morning, but I can't select future publish dates in Ghost? I think I can do it in the "Publish" confirmation...
Oh I really hope this works... Free subscribers should get a Preview intro, while Paid should get the full thing. And I'll be asleep when it goes out...
It's time for some nightmare fuel with a sneaky inline CSS vulnerability I found in a popular Laravel package, which allows you to steal user passwords (among other things)! [$]...
Do you know what information is being leaked by the Referer header when your users click on external links? If your site is public, you might be safe - but what if you have internal apps, or sensitive...
Laravel's Request gives you a bunch of different helper methods for interacting with user input. Although I recommend just sticking with `$request->validate()`, there are a few useful ones for...
Been a bit lax in posting updates, but here's where we're up to.
1. "internet keyword trademark" sounds totally legit... Any Chinese friends know if this is actually a thing?
2. I haven't responded...
I'll respond to ZN with a "I'm totally gonna buy it, just finding funds", and see how they react.
It's quite common to inject JSON into Blade templates for various use cases, but is it actually safe to do so? It depends... how are you doing it, and are you using `json_encode()`...
Thanks Google... Yes, I am aware my *intentionally vulnerable* subdomains are dangerous.
Building a new challenge for Practical Laravel Security, this time abusing Magic Hashes to completely bypass signature checks.
The feels when one of your long-time subscribers upgrades to the top pricing tier. Thank you for supporting my security work within the Laravel community [redacted]!
HTTPS is everywhere & easy, but HTTP is still an option... How do you stop an attacker intercepting and downgrading connections to your site?...
I need some research help for a talk next week: What are the most surprisingly useful Electron apps that don't feel like Electron?
Validating single values in Laravel is easy, but what about validating array inputs? https://securinglaravel.com/security-tip-validating-array-inputs/ #Laravel
A new player has entered the game: the General Manager of "Name Registry"! (Same last name as SL!) Kinda looks like they've reset the scam. From the same company "Hongshun", but a new date? I also...