Security Tips
Security Tip: Increase Your bcrypt Rounds
[Tip#58] It's time to upgrade your bcrypt rounds to 12 (or higher)!
Stephen Rees-Carter
Friendly Hacker, Speaker, and PHP & Laravel Security Specialist.🕵️ I hack stuff on stage for fun. 😈
Security Tips
Security Tip: Watch Out for Command Injection
[Tip#57] You've heard about SQL Injection and Cross-Site Scripting but what about another big injection avenue: Command Injection? It's less common but just as critical that you're aware of it...
Security Tips
Security Tip: Compare keys with hash_equals()
[Tip#56] It may be tempting to compare keys/sensitive strings using `===`, or even `==`, but that opens you up to timing attacks! You should be using a timing attack safe string comparison function...
Newsletter
2 years of Securing Laravel / Laravel Security In Depth!
Thank you for subscribing and supporting Securing Laravel these past 2 years!
Newsletter
In Depth: "Th1nk Lik3 a H4cker" Walkthrough (part 2)
[InDepth#19] It's time to finish up the "Th1nk Lik3 a H4cker" walkthrough, looking at the rest of the challenges and the final hack from Laracon US!
Security Tips
Security Tip: Hijacking Domains, the Easy Way?
[Tip#54] Don't leave domains (or subdomains) pointing at servers or nameservers you don't control, or you might get a copy of the email I just received! 😧
Security Tips
Security Tip: Bypassing CSRF Protection with File Uploads
[Tip#53] Accepting File Uploads from your users is always a risky proposal, but have you considered just how easily uploaded files can be used to bypass CSRF and cookie protections?
In Depth
In Depth: "Th1nk Lik3 a H4cker" Walkthrough (part 1)
[InDepth#18] Let's take a walk through the first half of my "Th1nk Lik3 a H4cker" talk from Laracon EU & US. We'll explore the vulnerabilities behind each challenge and what I was trying to teach.
Security Tips
Security Tip: HTML autocomplete Attribute
[Tip#52] HTML has a lot of hidden gems, and the `autocomplete` attribute is no exception. Lets take a look at how it helps your password fields and password managers work together!
Newsletter
Don't forget about the special Laracon US 25% Discount!
Only a couple of days left to take advantage of the 25% off special!
Security Tips
Security Tip: Validate Your Webhooks!
[Tip#51] Just because your webhook endpoints aren't listed anywhere (are they?) doesn't mean someone won't find them, and send malicious payloads to your app! You need to validate your webhook payloads!
Security Tips
Security Tip: Watch out for Resource Authorisation
[Tip#50] Watch out when you mix Resource Controllers and Authorisation with custom Controller Actions and custom routes... you may find you're lacking authorisation without realising it!