Security Notice
Laravel Security Notice: Laravel Environment Manipulation via Query String
[Notice #3] Update your Laravel version and ensure `register_argc_argv` is disabled non-CLI commands!
In Depth
[In Depth #31] Here are the Top 10 security issues I've found during my security audits, highlighting the areas we as a community need to improve our security.
Security Tips
[Tip #96] Encryption is essential, but you can't just install a certificate and go about your day... Secure those cookies, redirect from HTTP, and HSTS FTW! π
Security Tips
[Tip #95] While you really shouldn't unserialise anything you get from a user, occasionally you have no choice... so how do you do it safely?
[In Depth #31] Here are the Top 10 security issues I've found during my security audits, highlighting the areas we as a community need to improve our security.
[In Depth #30] In the final part of the series, we finish our code searches and spend some time reading the code - which really pays off in terms of finding juicy vulnerabilities to exploit and report.
[In Depth #29] It's time to spend some time looking for smelly or suspicious code, searching for common patterns and functions that usually show up around weaknesses. π΅οΈ
[In Depth #28] Continuing our Laravel Security Audit and Penetration Test, we're looking into configs and dependences, and following threads to discover 4 CRITICAL vulnerabilities!
[In Depth #27] Let me walk you through my process of conducting a Laravel Security Audit and Penetration Test, starting with the passive scans that usually find a lot of low-hanging fruit!
[In Depth #26] It's time for some nightmare fuel with a sneaky inline CSS vulnerability I found in a popular Laravel package!
The essential security resource for Laravel developers.
[Tip #94] Just like we can detect insecure functions with Pest, we can use PHPStan extensions to find and disallow insecure functions!
[In Depth #30] In the final part of the series, we finish our code searches and spend some time reading the code - which really pays off in terms of finding juicy vulnerabilities to exploit and report.
[Tip #93] Test suites aren't just for raw code expectations, it turns out you can also use them to encourage secure coding practices!
[Tip #92] One of my personal pet peeves in Laravel has finally been fixed! The Secure cookie attribute will now match the request protocol! π (I'm excited, can you tell?)
[Tip #91] aka yet another example for why you should Never Trust User Input!
[In Depth #29] It's time to spend some time looking for smelly or suspicious code, searching for common patterns and functions that usually show up around weaknesses. π΅οΈ
Thank you for 3 incredible years of security in the Laravel community!
[Tip #90] Did you know Laravel's URL validator lets you control which protocols you accept? Here's my recommendation...
[Tip #89] dump() interceptors in dev tools like Herd and Telescope are very helpful, but be careful you don't accidently send dump() to production!
[Tip #88] Signed URLs are awesome, but if you forget to check they are working - you may be leaving a massive vulnerability just waiting to be exploited...
[Tip #87] MD5 is like a cockroach - it's persistent and pops up everywhere, but one thing is very clear: you need to stop using it (and SHA-1 too)!
[In Depth #28] Continuing our Laravel Security Audit and Penetration Test, we're looking into configs and dependences, and following threads to discover 4 CRITICAL vulnerabilities!