Security Tips
Security Tip: Can You Safely Unserialise Classes?
[Tip #95] While you really shouldn't unserialise anything you get from a user, occasionally you have no choice... so how do you do it safely?
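The pattern that tip is about, as an added example rather than code from the newsletter: PHP's `unserialize()` accepts an `allowed_classes` option, and anything outside that allow-list comes back as `__PHP_Incomplete_Class`, which this helper treats as tampering and rejects. The `Point` class, the `safeUnserialize()` helper and the two payloads are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example (not from the newsletter): unserialising untrusted input
// without letting the payload instantiate arbitrary classes.

final class Point
{
    public function __construct(public int $x = 0, public int $y = 0) {}
}

/**
 * Unserialise $payload, allowing only the classes listed in $allowed.
 * With an empty list no objects at all are allowed. Any class not on the
 * list is returned by PHP as __PHP_Incomplete_Class; we treat that as a
 * tampered payload and throw instead of passing it on.
 */
function safeUnserialize(string $payload, array $allowed = []): mixed
{
    $value = @unserialize($payload, [
        'allowed_classes' => $allowed === [] ? false : $allowed,
        'max_depth'       => 16, // PHP 7.4+: cap nesting to limit resource abuse
    ]);

    // unserialize() returns false both on failure and for a serialised false.
    if ($value === false && $payload !== serialize(false)) {
        throw new InvalidArgumentException('Malformed serialised payload');
    }

    // Walk arrays and objects recursively and reject any incomplete class.
    $check = function (mixed $v) use (&$check): void {
        if ($v instanceof __PHP_Incomplete_Class) {
            throw new InvalidArgumentException('Payload contains a disallowed class');
        }
        if (is_array($v) || is_object($v)) {
            foreach ((array) $v as $child) {
                $check($child);
            }
        }
    };
    $check($value);

    return $value;
}

// A payload we produced ourselves: the allow-listed class round-trips.
$ok = safeUnserialize(serialize(new Point(1, 2)), [Point::class]);
var_dump($ok instanceof Point); // bool(true)

// A constructed untrusted payload naming a class that is not allow-listed.
try {
    safeUnserialize('O:8:"stdClass":0:{}', [Point::class]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL; // Payload contains a disallowed class
}
```

The allow-list only stops the payload from instantiating other classes; it does not make the allowed class's own `__wakeup()` or `__unserialize()` logic safe, so keep those classes free of side effects. Where you control both ends, serialising to JSON and validating the decoded array is still the simpler option.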

Security Tips
[Tip #94] Just like we can detect insecure functions with Pest, we can use PHPStan extensions to find and disallow insecure functions!
In Depth
[In Depth #30] In the final part of the series, we finish our code searches and spend some time reading the code - which really pays off in terms of finding juicy vulnerabilities to exploit and report.
Security Tips
[Tip #93] Test suites aren't just for raw code expectations, it turns out you can also use them to encourage secure coding practices!
[In Depth #29] It's time to spend some time looking for smelly or suspicious code, searching for common patterns and functions that usually show up around weaknesses. 🕵️
[In Depth #28] Continuing our Laravel Security Audit and Penetration Test, we're looking into configs and dependencies, and following threads to discover 4 CRITICAL vulnerabilities!
[In Depth #27] Let me walk you through my process of conducting a Laravel Security Audit and Penetration Test, starting with the passive scans that usually find a lot of low-hanging fruit!
[In Depth #26] It's time for some nightmare fuel with a sneaky inline CSS vulnerability I found in a popular Laravel package!
[In Depth #25] Laravel makes effective use of encryption for security purposes, but what happens if your encryption key needs to be rotated? Let's see how Laravel 11 handles it...
[Tip #92] One of my personal pet peeves in Laravel has finally been fixed! The Secure cookie attribute will now match the request protocol! (I'm excited, can you tell?)
[Tip #91] aka yet another example for why you should Never Trust User Input!
Thank you for 3 incredible years of security in the Laravel community!
[Tip #90] Did you know Laravel's URL validator lets you control which protocols you accept? Here's my recommendation...
[Tip #89] dump() interceptors in dev tools like Herd and Telescope are very helpful, but be careful you don't accidentally send dump() to production!
[Tip #88] Signed URLs are awesome, but if you forget to check they are working - you may be leaving a massive vulnerability just waiting to be exploited...
[Tip #87] MD5 is like a cockroach - it's persistent and pops up everywhere, but one thing is very clear: you need to stop using it (and SHA-1 too)!
[Tip #86] Cookies come in many shapes and sizes, and with multiple attributes just to confuse you... Have you ever wondered what the humble HttpOnly attribute actually does?
[Tip #85] What browser features do you have enabled on your site, and what can an XSS attack do if you don't disable them?
[Tip #84] It's not just passwords you need to worry about when it comes to authentication and stolen credentials: your 2FA secret keys may also be at risk!