Greetings friends, this week we’re going to take a walk through the first half of my “Th1nk Lik3 a H4cker” talk from Laracon EU & US! We’ll work through each of the challenges, looking at the vulnerabilities featured in each, and I’ll explain why I included it in the talk and what the audience was supposed to learn.

Also, a quick note for those who were at Laracon US or watched the stream - I wrote a Tweet thread (copied on my website) explaining why *that password* was selected as the “correct password”. It was not my intention, but rather a bug in my code, and I apologise to anyone who found it in poor taste or offensive.

One final thing, I’ve got 2x BlueSky and 2x T2 invites to give out - send me an email if you want one! 😉 (P.s. You can find all my socials at src.id.au/links)

⚠️ Just how secure is your app? When was your last security audit or penetration test? Can you really be sure you’re safe if someone tries to break into your app?
🕵️ Book in a Laravel Security Audit and Penetration Test, and I’ll help you secure your app!

Looking to learn more?
⏩ Security Tip #33: Restricting Local File Access
▶️ OWASP In Depth: A08:2021 – Software and Data Integrity Failures

"Th1nk Lik3 a H4cker" Walkthrough (part 1)

If you’ve seen one of my conference talks before, you’ll know that I love to do demos and practical talks, rather than talk off a bunch of slides. I find this the best medium for presenting security concepts, as it gives the audience a feel for the mentality of the hacker and how they approach exploiting each vulnerability.

When I started planning my Laracon EU talk, it was going to be my first in-person Laracon talk and I wanted to do something big and memorable, plus take advantage of having everyone in the same room as me. So I decided to go all-in and make the entire talk interactive!

I had one simple rule I had to follow: Everything must be hackable via a phone browser. I wanted the audience to be able to fully participate with their phones, rather than relying on laptops. This requirement somewhat limited and shaped the challenges - but not in a bad way - it just meant I needed to consider Javascript errors for the XSS challenge, and how to manipulate user input sent to the sever.

Thus, Th1nk Lik3 a H4cker1 was created:

Let’s dive into the fist challenge…

Challenge #1: Identify the correct password!

The apparent purpose of this challenge is a simple guessing game to identify the “correct password”, while in reality it’s actually here for multiple purposes (and getting the correct password has nothing to do with guesswork):