Security Tips
Security Tip: What If You Hashed Null?
[Tip #100] One of the fun parts of doing my security audits is coming across unexpected code that looks exploitable, and trying it out myself to see what possibilities exist.
Stephen Rees-Carter
Friendly Hacker, Speaker, and PHP & Laravel Security Specialist.π΅οΈ I hack stuff on stage for fun. π
Security Tips
Security Tip: Please Stop Hardcoding Admin Domains!
[Tip #99] Let me tell you a story about a time when a single missing character allowed me to escalate my privileges and gain admin access, despite all the protections designed to stop me! π
Security Tips
Security Tip: strip_tags() Won't Save You from XSS!
[Tip #98] XSS doesn't just hide in <script> tags - it sneaks in through HTML attributes, links, and even inline styles! Don't rely on functions like strip_tags() to keep you safe...
Security Tips
Security Tip: Be Intentional with Your Outputs!
[Tip #97] XSS loves to sneak into your apps when you're not paying attention, so you need to be intentional with your outputs and think about every piece of user input you're using in your apps!
Security Notice
Laravel Security Notice: Laravel Environment Manipulation via Query String
[Notice #3] Update your Laravel version and ensure `register_argc_argv` is disabled non-CLI commands!
In Depth
In Depth: Laravel Security Audits Top 10 (2024)!
[In Depth #31] Here are the Top 10 security issues I've found during my security audits, highlighting the areas we as a community need to improve our security.
Security Tips
Security Tip: Ensure Your App Requires HTTPS!
[Tip #96] Encryption is essential, but you can't just install a certificate and go about your day... Secure those cookies, redirect from HTTP, and HSTS FTW! π
Security Tips
Security Tip: Can You Safely Unserialise Classes?
[Tip #95] While you really shouldn't unserialise anything you get from a user, occasionally you have no choice... so how do you do it safely?
Security Tips
Security Tip: Disallowing Functions with PHPStan!
[Tip #94] Just like we can detect insecure functions with Pest, we can use PHPStan extensions to find and disallow insecure functions!
In Depth
In Depth: Pentesting Laravel part 4 - Reading Code Pays Off!
[In Depth #30] In the final part of the series, we finish our code searches and spend some time reading the code - which really pays off in terms of finding juicy vulnerabilities to exploit and report.
Security Tips
Security Tip: Pest's Security Preset & Strict Equality
[Tip #93] Test suites aren't just for raw code expectations, it turns out you can also use them to encourage secure coding practices!
Security Tips
Security Tip: Auto-Secure Cookies FTW! π
[Tip #92] One of my personal pet peeves in Laravel has finally been fixed! The Secure cookie attribute will now match the request protocol! π (I'm excited, can you tell?)