In Depth: "Th1nk Lik3 a H4cker" Walkthrough (part 1)
[InDepth#18] Let's take a walk through the first half of my "Th1nk Lik3 a H4cker" talk from Laracon EU & US. We'll explore the vulnerabilities behind each challenge and what I was trying to teach.
Greetings friends, this week we’re going to take a walk through the first half of my “Th1nk Lik3 a H4cker” talk from Laracon EU & US! We’ll work through each of the challenges, looking at the vulnerabilities featured in each, and I’ll explain why I included it in the talk and what the audience was supposed to learn.
Also, a quick note for those who were at Laracon US or watched the stream - I wrote a Tweet thread (copied on my website) explaining why *that password* was selected as the “correct password”. It was not my intention, but rather a bug in my code, and I apologise to anyone who found it in poor taste or offensive.
⚠️ Just how secure is your app? When was your last security audit or penetration test? Can you really be sure you’re safe if someone tries to break into your app?
🕵️ Book in a Laravel Security Audit and Penetration Test, and I’ll help you secure your app!
Please consider sharing Securing Laravel with your Laravel friends and teammates!
"Th1nk Lik3 a H4cker" Walkthrough (part 1)
If you’ve seen one of my conference talks before, you’ll know that I love to do demos and practical talks, rather than talk off a bunch of slides. I find this the best medium for presenting security concepts, as it gives the audience a feel for the mentality of the hacker and how they approach exploiting each vulnerability.
When I started planning my Laracon EU talk, it was going to be my first in-person Laracon talk and I wanted to do something big and memorable, plus take advantage of having everyone in the same room as me. So I decided to go all-in and make the entire talk interactive!
Thus, Th1nk Lik3 a H4cker¹ was created:
Let’s dive into the first challenge…
Challenge #1: Identify the correct password!
The apparent purpose of this challenge is a simple guessing game to identify the “correct password”, but in reality it is here for several purposes (and finding the correct password has nothing to do with guesswork):