Authorisation

Security Tips

Security Tip: Temporary Local File URLs!

[Tip #108] Temporary URLs for file access is an essential piece of the security puzzle, which up until recently were only available out-of-the-box for the S3 driver. Now you can easily generate them for local files too!

Security Tips

Security Tip: Type Coercion in Broadcast Routes!

[Tip #104] It's easy for type juggling to sneak into authorisation callbacks, especially when types are ambiguous, and if you're not careful, you may be leaving a massive hole waiting to be exploited! 😱

In Depth

In Depth: Common Authorisation Failures!

[In Depth #33] Let's explore a number of common ways developers fail authorisation in Laravel apps, and what you need to watch out for so you don't make the same mistakes!

Security Tips

Security Tip: Please Stop Hardcoding Admin Domains!

[Tip #99] Let me tell you a story about a time when a single missing character allowed me to escalate my privileges and gain admin access, despite all the protections designed to stop me! 😈

In Depth

In Depth: Laravel Security Audits Top 10 (2024)!

[In Depth #31] Here are the Top 10 security issues I've found during my security audits, highlighting the areas we as a community need to improve our security.

In Depth

In Depth: Pentesting Laravel part 4 - Reading Code Pays Off!

[In Depth #30] In the final part of the series, we finish our code searches and spend some time reading the code - which really pays off in terms of finding juicy vulnerabilities to exploit and report.

In Depth

In Depth: Pentesting Laravel part 2 - Configs, Dependencies, and Routes

[In Depth #28] Continuing our Laravel Security Audit and Penetration Test, we're looking into configs and dependences, and following threads to discover 4 CRITICAL vulnerabilities!

Security Tips

Security Tip: Privilege Escalation Through Domain Wildcards!

[Tip #80] It's incredibly common to find hardcoded domains used for identifying admins, however this also makes it trivial to escalate privileges to admin!

Security Tips

Security Tip: Laravel 11's Controller Authorisation & Validation Methods

[Tip#75] As part of the simplification of the app structure in Laravel 11, the Request Authorisation and Validation methods are no longer available on the controller - here's how you get it back.

In Depth

In Depth: "Th1nk Lik3 a H4cker" Walkthrough (part 1)

[InDepth#18] Let's take a walk through the first half of my "Th1nk Lik3 a H4cker" talk from Laracon EU & US. We'll explore the vulnerabilities behind each challenge and what I was trying to teach.

Security Tips

Security Tip: Watch out for Resource Authorisation

[Tip#50] Watch out when you mix Resource Controllers and Authorisation with custom Controller Actions and custom routes... you may find you're lacking authorisation without realising it!

Security Tips

Security Tip: Test for Missing Authorisation

[Tip#48] We write tests for everything else, so why not write tests for authorisation as well?