Thinking about a @firstname.lastname@example.org security audit/pentest?
I've just had some availability open up in November, and would love to hack your site!
Help you improve the security of your site. 😉
Wow, someone skipped forward to challenge #5 first 😲, but it is the most fun, so I get it.
(🤫 bypass a @email@example.com signed url 😈)
Give it a try and let me know how you go: https://larasec.substack.com/p/in-depth-insecure-direct-object-references
New Laravel Security In Depth on Insecure Direct Object References (IDOR)! 🤓
This was so much fun to put together. I built 5 new challenges to explore and play with. See if you can get through to the end without peeking! 😈 🙊 🔒
It's out! 🥳
This month's Laravel Security In Depth covers Magic Emails - specifically One-Time Passcodes and Magic Links via email.
I've included some example code to make implementing your own OTPs easier.
Here's another #security challenge for y'all.
Remember, this is PHP 7.
cc @PoliceChiefs@twitter.com - it's like shooting fish in a barrel, guys
Bumped my In Depth email to next week, so this week we've got a security tip about Type Juggling in PHP and why PHP 8 didn't completely fix it. 😈
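The kind of loose-comparison pitfall that tip is about, as an added example that is not from the post or from the newsletter. It contrasts the case PHP 8 did fix (`0 == "admin"`) with one it did not (two numeric strings are still compared as numbers, so "magic hash" digests beginning with `0e` collide under `==`), and shows the strict check to use instead. The `check_token_*` functions and the two token values are constructed for illustration.

```php
<?php
// Added example: PHP type juggling in loose (==) comparisons, PHP 7 vs PHP 8.
// Run with: php juggling.php

// Fixed in PHP 8: a non-numeric string is no longer coerced to 0 when
// compared with an int. PHP 7 prints bool(true), PHP 8 prints bool(false).
var_dump(0 == "admin");

// NOT fixed in PHP 8: when both sides are numeric strings, == still compares
// them as numbers, so "0e..." strings all equal 0 == 0. bool(true) on 7 and 8.
var_dump("0e123456" == "0e789012");

// Real-world form of the same bug: two different inputs whose MD5 digests both
// start with "0e" followed only by digits (well-known "magic hash" inputs).
var_dump(md5('240610708') == md5('QNKCDZO'));   // bool(true)  - loose, wrong
var_dump(md5('240610708') === md5('QNKCDZO'));  // bool(false) - strict, right

// Vulnerable: loose comparison of a stored digest against a user-supplied one.
function check_token_loose(string $submitted, string $expectedDigest): bool
{
    return md5($submitted) == $expectedDigest;
}

// Hardened: strict, constant-time comparison. hash_equals() also refuses to
// treat a "0e..." digest and any other "0e..." digest as equal.
function check_token_strict(string $submitted, string $expectedDigest): bool
{
    return hash_equals($expectedDigest, md5($submitted));
}

// Constructed check: the stored digest is md5('QNKCDZO'); an attacker submits
// '240610708', a different value whose digest is also of the 0e... shape.
$storedDigest = md5('QNKCDZO');
var_dump(check_token_loose('240610708', $storedDigest));   // bool(true)  - bypass
var_dump(check_token_strict('240610708', $storedDigest));  // bool(false) - rejected
```

The takeaway is that upgrading to PHP 8 removes one class of juggling (int vs non-numeric string) but not numeric-string vs numeric-string, so any equality check on a hash, token, or password digest still needs `===` or `hash_equals()`, never `==`.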
@firstname.lastname@example.org analyses Laravel with regard to #Security.
🔐 Laravel can encrypt model attributes out of the box. Very handy / needed when storing third party API keys in your DB.
Make sure to use a custom key for the encryption so your main app key remains rotatable
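What those two posts describe in code, as an added example that is not from the post or from the Laravel framework itself: an Eloquent model using the built-in `encrypted` cast for a third-party API key, plus a service provider that points encrypted casts at a dedicated key via `Model::encryptUsing()` (available in Laravel 8.x and newer) instead of `APP_KEY`. The `Service` model, its `api_key` column, and the `app.model_key` config entry are assumptions for the example.

```php
<?php
// Added example: encrypting a model attribute with its own key in Laravel.
// Assumes Laravel 8.x+, a `services` table with an `api_key` column, and a
// hypothetical config entry `app.model_key` (e.g. read from MODEL_KEY in .env).
// Generate the key with: php -r "echo base64_encode(random_bytes(32));"

use Illuminate\Database\Eloquent\Model;
use Illuminate\Encryption\Encrypter;
use Illuminate\Support\ServiceProvider;

class Service extends Model
{
    // Laravel's built-in cast: encrypted on write, decrypted on read, so the
    // third-party key is never stored in the database as plaintext.
    protected $casts = [
        'api_key' => 'encrypted',
    ];

    protected $fillable = ['name', 'api_key'];
}

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Without this call, encrypted casts use the application's APP_KEY.
        // Tying them to a separate key means APP_KEY can be rotated (sessions,
        // signed cookies, etc.) without re-encrypting every stored attribute,
        // and vice versa. aes-256-cbc requires a 32-byte key.
        Model::encryptUsing(new Encrypter(
            base64_decode(config('app.model_key')),
            'aes-256-cbc',
        ));
    }
}

// Usage, e.g. from a controller or tinker session:
// $svc = Service::create(['name' => 'payments', 'api_key' => 'sk_live_example']);
// $svc->getRawOriginal('api_key');  // ciphertext as stored in the DB
// $svc->api_key;                     // 'sk_live_example', decrypted on access
```

One caveat worth keeping in mind: the separate key must be backed up and rotated with the same care as `APP_KEY`, since losing it makes every encrypted attribute unrecoverable, and rotating it means re-encrypting existing rows under the new key.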
Following my theme of underrated @email@example.com features, this month's In Depth is everything I know about Signed URLs! 🤓
For a minor feature with a small section in the docs, there is a lot to unpack and learn. 📖
Check it out here: https://larasec.substack.com/p/in-depth-signed-urls
If you're using https://packagist.org/packages/hautelook/phpass, you'll want to swap it out for something else and rotate your creds and keys ASAP.
The package was hijacked and modified to steal creds like AWS keys from your machines.
Policy Objects are a seriously underrated component in Laravel. They are so underrated they don't even get their own menu item in the docs - you need to look under "Security → Authorization" to find them! 😱
So I wrote a guide:
Audits the security of Laravel apps 🕵️
Hacks stuff on stage for fun 😈
Teaches Laravel Security at http://larasec.substack.com 🎇
Huge Tolkien fan 📖