In Depth

In Depth

In Depth: Version Numbers Are Vanity Labels

[In Depth #40] We trust version numbers to mean a specific, fixed release - but they're really just labels pointing at a commit, and an attacker can quietly move them. Let's dig into tag hijacking, the attack behind tj-actions and Laravel-Lang. 😈

In Depth

In Depth: Don't Trust Public Livewire Properties

[In Depth #39] Public Properties may look like PHP class properties, but they're really hidden form fields, just waiting for your input... 😈

In Depth

In Depth: Email Verification Isn't as Simple as You Think

[In Depth #38] You can't trust an email address you haven't verified, so why are you storing them in your database?

In Depth

In Depth: Setting up Two-Factor Authentication!

[In Depth #37] It's time to finally fulfil one of the most common requests for an In Depth article: setting up 2FA! 🎉 So let's add some TOTP 2FA to our boring user/pass auth login!

In Depth

In Depth: A Deep Dive into Laravel's New Starter Kits! (pt 2)

[In Depth #36] It's time to review the Livewire Volt, Vue, and React Starter Kits! Let's see what vulnerabilities are hiding under the surface, and just how easy it is to fix them... 🧐

In Depth

In Depth: A Deep Dive into Laravel's New Starter Kits! (pt 1)

[In Depth #35] Let's take a dive into the security of Laravel's new Starter Kits to see how they handle authentication, what security features they include, and what areas could be improved! 🤓

In Depth

In Depth: What Actually Is MFA?

[In Depth #34] MFA, 2FA, 2SV, DFA... Something you know/have/are... Let's figure out this MFA thing and why it's so important.

In Depth

In Depth: Common Authorisation Failures!

[In Depth #33] Let's explore a number of common ways developers fail authorisation in Laravel apps, and what you need to watch out for so you don't make the same mistakes!

In Depth

In Depth: Five Ways to Fail at Authentication

[In Depth #32] Let's explore 5 different "Authentication Fails" that I've come across, as a reminder for why it's so important to get authentication right.

In Depth

In Depth: Laravel Security Audits Top 10 (2024)!

[In Depth #31] Here are the Top 10 security issues I've found during my security audits, highlighting the areas we as a community need to improve our security.

In Depth

In Depth: Pentesting Laravel part 4 - Reading Code Pays Off!

[In Depth #30] In the final part of the series, we finish our code searches and spend some time reading the code - which really pays off in terms of finding juicy vulnerabilities to exploit and report.

In Depth

In Depth: Pentesting Laravel part 3 - Looking for "Interesting" Code

[In Depth #29] It's time to spend some time looking for smelly or suspicious code, searching for common patterns and functions that usually show up around weaknesses. 🕵️