RT @valorin@twitter.com

Thinking about a @laravelphp@twitter.com security audit/pentest?

I've just had some availability open up in November, and would love to hack your site!
um...
I mean...
Help you improve the security of your site. 😉

Send me a DM or go to: valorinsecurity.com/

🐦🔗: twitter.com/valorin/status/155

Wow, someone skipped forward to challenge #5 first 😲, but it is the most fun, so I get it.
(🤫 bypass a @laravelphp@twitter.com signed url 😈)

Give it a try and let me know how you go: larasec.substack.com/p/in-dept

New Laravel Security In Depth on Insecure Direct Object References (IDOR)! 🤓

This was so much fun to put together. I built 5 new challenges to explore and play with. See if you can get through to the end without peeking! 😈 🙊 🔒
larasec.substack.com/p/in-dept

It's out! 🥳
This month's Laravel Security In Depth covers Magic Emails - specifically One-Time Passcodes and Magic Links via email.

I've included some example code to make implementing your own OTPs easier.

larasec.substack.com/p/in-dept

RT @Paul_Reviews@twitter.com

Here's another challenge for y'all.

This is how the latest stores .
There's an obvious & serious flaw - but can YOU spot it?

Remember, this is PHP 7.
cc @PoliceChiefs@twitter.com - it's like shooting fish in a barrel guys

🐦🔗: twitter.com/Paul_Reviews/statu

Bumped my In Depth email to next week, so this week we've got a security tip about Type Juggling in PHP and why PHP 8 didn't completely fix it. 😈
larasec.substack.com/p/securit

(Spoiler alert: APIs are your weakness...)

RT @phpmagazin@twitter.com

is full of , which help you write beautiful quickly and produce first-class applications. Likewise, the has many .

@valorin@twitter.com analyzes Laravel with regard to .

➡️app.entwickler.de/ARa0Ymdv9pb

🐦🔗: twitter.com/phpmagazin/status/

RT @freekmurze@twitter.com

🔐 Laravel can encrypt model attributes out of the box. Very handy / needed when storing third party API keys in your DB.
laravel.com/docs/master/eloque

Make sure to use a custom key for the encryption so your main app key remains rotatable
stephenreescarter.net/custom-k

🐦🔗: twitter.com/freekmurze/status/

Following my theme of underrated @laravelphp@twitter.com features, this month's In Depth is everything I know about Signed URLs! 🤓

For a minor feature with a small section in the docs, there is a lot to unpack and learn. 📖

Check it out here: larasec.substack.com/p/in-dept

If you're using packagist.org/packages/hautelo, you'll want to swap it out for something else and rotate your creds and keys ASAP.

The package was hijacked and modified to steal creds like AWS keys from your machines.

See: riskybiznews.substack.com/p/ri

Policy Objects are a seriously underrated component in Laravel. They are so underrated they don’t even get their own menu item in the docs - you need to look under “Security → Authorization” to find them! 😱

So I wrote a guide:
larasec.substack.com/p/in-dept

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.