Stephen Rees-Carter
@valorin
Friendly Hacker | Speaker | PHP & Laravel Security Specialist 🕵️ I spend my time doing security audits of Laravel apps and writing tips and articles at securinglaravel.com. 🤓
Over the weekend I wrote far too many words about environment files and secrets, answering all of the questions I've heard about them... 🤓 From removing committed secrets to dedicated secrets managers, there is a lot to consider! 😲 #PHP #Laravel

Forgetting to check authorisation is super easy to do, it happens all the time! 😔 So why not write actual feature tests for authorisation alongside your other tests? 💡
❌ Guest User
❌ Not Allowed User
✅ Allowed User
#PHP #Laravel

Content Security Policies may seem like a daunting task, especially when adding one to an existing project - but they don't need to be! Report-Only mode gives you full visibility without any risk, and you can increment policies over time. 🤓 #PHP #Laravel

Working with a new Laravel security audit client this week, and almost all of my initial checks are failing to find anything of note. 😲 I suspect I'm going to have to get really sneaky to hack into this one... 🥷

Security headers add important layers of defence to your apps, preventing data leaks, XSS and CSRF attacks, clickjacking, and more... They are also free and (mostly) easy to enable. 🥷 Why are you leaving your apps unprotected? 😲 #PHP #Laravel

According to random folks on the internet 😉, "insecure functions" are a wide and varied concept. Let's take a look at the common themes across the different ideas... #PHP #Laravel

Security Tip: Replace simple dependencies with in-house versions! The more dependencies your project has, the higher your risk of supply-chain attack is, and the less you're aware of what code is actually running… #PHP #Laravel

W00t! Final two modules in my CSRF section are out: CORS and SameSite Cookies! 😎🥳 Next up will be the SQL Injection attack module, which includes more challenges to test your hacking skills. 🥷 #PHP #Laravel More info:

I go on about using HtmlString to avoid XSS constantly - it's one of my favourite Laravel features - but I surprisingly didn't have a Security Tip dedicated to it... until now! 😎🔥 #PHP #Laravel

It's been a while since I promoted it, so here's your periodic reminder that I'm building a security course: 😎 It includes interactive challenges that teach you hacking techniques, so you can recognise vulnerabilities in your own code. #PHP #Laravel

The HtmlString class in Laravel is seriously underused and overlooked. We'd have far less XSS floating around if we wrapped our safe HTML inside HtmlString and then avoided using {!! ... !!} everywhere. #PHP #Laravel

Finished up a security audit today, and it was super awesome to see my client had fixed absolutely everything - even some old outstanding issues from last year's audit!! 😎🥳🏖️ Such a great feeling knowing my work makes a difference like this. 😊

Security Tip: Don't Forget Rate Limiting 🛡️ It's essential for limiting bot attacks, and preventing data scraping. Plus don't forget it on other sensitive routes like authentication or MFA with guessable tokens and lengthy expiry time... 😈 #Laravel #PHP

⚠️ Top 10 Laravel security issues I've found during audits ⚠️
#1 → Exposed API Keys & Passwords
How many times do I need to say it? Don't commit secrets into git! 😡 Don't commit secrets into git! 😡 Don't commit secrets into git! 😡 Don't commit secrets into git! 😡 The unsurprising champion

⚠️ Top 10 Laravel security issues I've found during audits ⚠️
#2 → Missing Authorisation
IDORs, missing signed and auth middleware, and forgotten authorize() calls... Most projects have a single one of these hiding somewhere, waiting to be exploited... 😒 I was surprised to see this

⚠️ Top 10 Laravel security issues I've found ⚠️
#3 → Missing Content Security Policy (CSP)
CSPs are a secondary line of defence against XSS & clickjacking, and give you visibility and control over what scripts, styles, fonts, etc, run on your app. CSPs are often dismissed as too hard

⚠️ Top 10 Laravel security issues I've found ⚠️
#4 → Missing Security Headers
Web browsers include a bunch of really awesome security tools, you just need to enable them on your site through a couple of security headers. But most sites don't... 😭 So do yourself a favour, and head over

⚠️ Top 10 Laravel security issues I've found ⚠️
#5 → Insecure Function Use
Please stop using md5(time()) for generating random tokens and filenames! Seriously, stop it!! 😡 Also, rand() isn't cryptographically secure, so stop using it too! I bet if you go into the codebase of your app

Laravel Security in Depth - Security Tip: Validating Array Inputs
Insufficient Input Validation was #10 on my Top 10 security issues I've found in Laravel apps, and it's common to see validation fail on array inputs... But how hard is it to validate arrays? https://larasec.substack

⚠️ Top 10 Laravel security issues I've found ⚠️
#6 → Outdated & Vulnerable Dependencies
When was the last time you ran composer/npm update? It's common to delay dependency updates, to avoid things breaking, but vulns in deps can expose your apps. You should update everything weekly/mon
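The three-case authorisation test (guest, not-allowed user, allowed user) from the feature-tests post above, written out as an added example rather than code from the post. It assumes a `Post` model with a `user()` relation and `user_id` column, a `posts.update` route behind the `auth` middleware, a controller action that calls `$this->authorize('update', $post)` and redirects on success, and the `PostPolicy` shown first; all of those names are assumptions for the illustration.

```php
<?php
// app/Policies/PostPolicy.php (assumed; the controller runs $this->authorize('update', $post))
namespace App\Policies;

use App\Models\Post;
use App\Models\User;

class PostPolicy
{
    // Only the owner may edit. The non-nullable User type means a guest is denied
    // before this method even runs.
    public function update(User $user, Post $post): bool
    {
        return $user->id === $post->user_id;
    }
}

// tests/Feature/PostUpdateAuthorisationTest.php
namespace Tests\Feature;

use App\Models\Post;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class PostUpdateAuthorisationTest extends TestCase
{
    use RefreshDatabase;

    // ❌ Guest: the auth middleware sends them to login and nothing changes.
    public function test_guest_cannot_update_post(): void
    {
        $post = Post::factory()->create(['title' => 'Original']);

        $this->patch(route('posts.update', $post), ['title' => 'Changed'])
            ->assertRedirect(route('login'));

        $this->assertSame('Original', $post->fresh()->title);
    }

    // ❌ Not-allowed user: logged in, but the policy denies -> 403, still unchanged.
    // This is the case a missing authorize() call silently breaks, so assert on the
    // data as well as the status code.
    public function test_other_user_cannot_update_post(): void
    {
        $post = Post::factory()->create(['title' => 'Original']);
        $other = User::factory()->create();

        $this->actingAs($other)
            ->patch(route('posts.update', $post), ['title' => 'Changed'])
            ->assertForbidden();

        $this->assertSame('Original', $post->fresh()->title);
    }

    // ✅ Allowed user: the owner succeeds and the change persists.
    public function test_owner_can_update_post(): void
    {
        $post = Post::factory()->create(['title' => 'Original']);

        $this->actingAs($post->user)
            ->patch(route('posts.update', $post), ['title' => 'Changed'])
            ->assertRedirect();

        $this->assertSame('Changed', $post->fresh()->title);
    }
}
```

The value of the middle test is that it fails in exactly the situation the post describes: delete the `authorize()` call from the controller and the other user's PATCH returns a redirect and a changed title instead of a 403.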
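A middleware that turns on the security headers and the Report-Only CSP discussed in the posts above, added here as an example (not code from the posts or from the author's site). The policy directives, the `/csp-report` endpoint name, and the Laravel 11 `bootstrap/app.php` registration are assumptions; on Laravel 10 and earlier the class is added to the `$middleware` array in `app/Http/Kernel.php` and the report route to `$except` in `VerifyCsrfToken` instead.

```php
<?php
// app/Http/Middleware/SecurityHeaders.php
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class SecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        // Report-Only: the browser enforces nothing, but POSTs every would-be violation
        // to report-uri. Tighten the directives until the reports are clean, then rename
        // the header to Content-Security-Policy to start blocking.
        $csp = implode('; ', [
            "default-src 'self'",
            "script-src 'self'",
            "style-src 'self'",
            "img-src 'self' data:",
            "font-src 'self'",
            "object-src 'none'",
            "base-uri 'self'",
            "form-action 'self'",
            "frame-ancestors 'none'",   // clickjacking: no one may frame us
            "report-uri /csp-report",   // assumed endpoint, see routes below
        ]);
        $response->headers->set('Content-Security-Policy-Report-Only', $csp);

        // The "free and mostly easy" headers: each one switches on a browser defence.
        $response->headers->set('X-Content-Type-Options', 'nosniff');          // no MIME sniffing of uploads
        $response->headers->set('X-Frame-Options', 'DENY');                    // legacy clickjacking guard
        $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin'); // no URL leaks to third parties
        $response->headers->set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
        if ($request->isSecure()) {
            // Only meaningful over HTTPS; start with a short max-age if you are unsure.
            $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
        }

        return $response;
    }
}

// bootstrap/app.php (Laravel 11+): register globally and let the browser POST reports
// without a CSRF token, since the browser will never send one.
// ->withMiddleware(function (Middleware $middleware) {
//     $middleware->append(\App\Http\Middleware\SecurityHeaders::class);
//     $middleware->validateCsrfTokens(except: ['csp-report']);
// })

// routes/web.php: collect the reports so you can see what the policy would have blocked.
// Browsers send them as application/csp-report JSON; Request::json() decodes the raw body.
// Route::post('/csp-report', function (\Illuminate\Http\Request $request) {
//     \Illuminate\Support\Facades\Log::warning('CSP violation', $request->json()->all());
//     return response()->noContent();
// });
```

Expect a burst of reports for inline scripts and third-party assets on the first deploy; that list is the inventory the CSP post talks about, and each entry is either a legitimate source to add to the policy or something that should not have been running.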
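The insecure-function post above says `md5(time())` tokens and `rand()` are not safe; this added example (plain PHP, not the post's code) shows why by recovering such a token from nothing but an approximate issue time, then shows the CSPRNG replacements. The 300-second search window and the 47-second error in the attacker's guess are constructed values for the demonstration.

```php
<?php
// Run with: php insecure_tokens.php
declare(strict_types=1);

// The pattern the post warns about. The only "secret" is the current second,
// so the token space is tiny and ordered.
function weakToken(): string
{
    return md5((string) time());
}

// Anyone who knows roughly when the token was issued (password-reset email
// timestamp, upload time, log entry) can enumerate the surrounding seconds.
// Returns the timestamp that reproduces the token, or null if not found.
function recoverWeakToken(string $target, int $approxTime, int $windowSeconds = 300): ?int
{
    for ($t = $approxTime - $windowSeconds; $t <= $approxTime + $windowSeconds; $t++) {
        if (hash_equals($target, md5((string) $t))) {
            return $t;
        }
    }
    return null;
}

// The replacement: bytes from the CSPRNG. 32 bytes is 256 bits, which no
// enumeration can cover. Laravel's Str::random() is built on the same call.
function strongToken(): string
{
    return bin2hex(random_bytes(32));
}

// rand() (an alias of mt_rand() since PHP 7.1) is a seedable, predictable PRNG:
// observe a few outputs and the rest can be reproduced. random_int() is the
// CSPRNG-backed replacement with the same range semantics.
function weakOtp(): string
{
    return str_pad((string) rand(0, 999999), 6, '0', STR_PAD_LEFT);
}

function strongOtp(): string
{
    return str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
}

$issuedAt = time();
$token    = weakToken();

// The attacker's estimate is 47 seconds off; the loop still finds it in well
// under a millisecond, because the whole window is only 601 md5 calls.
$found = recoverWeakToken($token, $issuedAt + 47);
printf("weak token  %s\n  recovered timestamp: %s (real: %d)\n", $token, var_export($found, true), $issuedAt);

printf("strong token %s\n", strongToken());
printf("OTP via rand(): %s   via random_int(): %s\n", weakOtp(), strongOtp());
```

Two caveats worth pairing with the fix: compare tokens with `hash_equals()` rather than `==` so the check is constant-time, and store only a hash of long-lived tokens (as Laravel does for password-reset tokens) so a leaked database table does not hand them out.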
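One way to put the two HtmlString posts above into practice, added here as an example rather than code from the posts: do the sanitising once in an accessor, return an `HtmlString`, and the Blade template never needs `{!! !!}`. The `Post` model, its Markdown `body` column, and the `body_html` accessor name are assumptions; `Str::markdown()` and the `html_input` / `allow_unsafe_links` options are real Laravel and CommonMark features.

```php
<?php
// app/Models/Post.php
namespace App\Models;

use Illuminate\Database\Eloquent\Casts\Attribute;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\HtmlString;
use Illuminate\Support\Str;

class Post extends Model
{
    // `body` is user-written Markdown, i.e. untrusted input.
    // The accessor converts it with raw HTML stripped and javascript: links refused,
    // then marks the result as safe by wrapping it in HtmlString.
    protected function bodyHtml(): Attribute
    {
        return Attribute::make(
            get: fn () => new HtmlString(Str::markdown((string) $this->body, [
                'html_input'         => 'strip', // drop any <script>, <img onerror=...> the user typed
                'allow_unsafe_links' => false,   // no javascript: / data: hrefs
            ])),
        );
    }
}

// What Blade's {{ }} compiles to is e($value), and e() treats Htmlable specially:
// a plain string is escaped, an HtmlString is emitted as-is. So the template can use
// {{ }} for everything and the "is this safe?" decision lives in one place, in PHP:
//
//   {{-- resources/views/posts/show.blade.php --}}
//   <h1>{{ $post->title }}</h1>                   {{-- string: escaped --}}
//   <div class="prose">{{ $post->body_html }}</div>   {{-- HtmlString: rendered --}}
//
// The same behaviour, without Blade, so you can see it in plain PHP:
echo e('<script>alert(1)</script>');            // &lt;script&gt;alert(1)&lt;/script&gt;
echo e(new HtmlString('<strong>safe</strong>')); // <strong>safe</strong>
```

The caveat that makes this pattern safe: `HtmlString` is a marker, not a sanitiser. Wrap only HTML you generated yourself or passed through a sanitiser as above; `new HtmlString($request->input('bio'))` is just `{!! !!}` with extra steps. With that rule in place, any remaining `{!! !!}` in the views is a review finding rather than a judgement call.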
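Named rate limiters for the two routes the rate-limiting post above calls out, login and MFA code entry, as an added example (not the post's code). The limiter names, thresholds, route paths and controllers are assumptions chosen for the illustration; `RateLimiter::for`, `Limit::perMinute`, `Limit::perMinutes` and the `throttle:` middleware are standard Laravel. On Laravel 11 this lives in `AppServiceProvider::boot()`, on Laravel 10 in `RouteServiceProvider::configureRateLimiting()`.

```php
<?php
// app/Providers/AppServiceProvider.php
namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;
use Illuminate\Support\Str;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Login: two limits evaluated together. The per-account+IP key stops brute force
        // on one password; the per-IP key stops one host spraying many accounts.
        RateLimiter::for('login', function (Request $request) {
            $email = Str::lower((string) $request->input('email'));

            return [
                Limit::perMinute(5)->by($email.'|'.$request->ip()),
                Limit::perMinute(20)->by($request->ip()),
            ];
        });

        // MFA: a 6-digit code has only 1,000,000 values. Combined with a long expiry and
        // no limit, guessing is guaranteed to succeed. 5 attempts per 10 minutes per user
        // keeps the success probability negligible. Key on the user, not the IP, because
        // the attacker controls the IP.
        RateLimiter::for('mfa', function (Request $request) {
            return Limit::perMinutes(10, 5)
                ->by((string) ($request->user()?->id ?: $request->ip()))
                ->response(fn () => response('Too many attempts, try again later.', 429));
        });
    }
}

// routes/web.php: attach the limiters by name. Both controllers are assumed.
// Route::post('/login', [LoginController::class, 'store'])
//     ->middleware('throttle:login');
//
// Route::post('/mfa/verify', [MfaController::class, 'verify'])
//     ->middleware(['auth', 'throttle:mfa']);
```

Throttling login is only half of the post's point: the same treatment belongs on password reset, signup, and any listing endpoint a scraper would walk, and the MFA code itself should expire in minutes, not hours, so the limiter is a backstop rather than the only defence.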