Stephen Rees-Carter
@valorin.bsky.social
2.3K followers 510 following 950 posts
Friendly Hacker, Speaker, and PHP & Laravel Security Specialist.🕵️ I write securinglaravel.com and hack stuff on stage for fun. 😈 I'm found elsewhere too: https://pinkary.com/@valorin 🪄
valorin.bsky.social
"Let's Hack!", my Pre-Laracon Security Workshop is just FIVE weeks away! 🎉
(So is @laracon.au... but let's be honest, priorities.)

Only 11 tickets left, & I need to confirm numbers with the venue, so if you've been thinking about it, now's the time!
👉 events.humanitix.com/lets-hack-pr...
"Let's Hack!" Pre-Laracon Security Workshop
Attending Laracon AU? Come along to
events.humanitix.com
valorin.bsky.social
Good point! I completely forgot about this option. 🤦

I've updated the article to reflect this.
valorin.bsky.social
I was wondering if anyone would get the reference! 🎉

I haven't seen it in a long time; the π is the only thing I remember. Not sure how I'll fit impossible IP addresses into my talk...
valorin.bsky.social
Exactly. 😎

Maybe next time I'll do my Ethics talk, that'd make for some fun irony. 😈
valorin.bsky.social
Clearly I'm being framed here!
valorin.bsky.social
Would I do something like that?
Reposted by Stephen Rees-Carter
dyrynda.au
We'll never know how @valorin.bsky.social keeps getting invited back to speak at @laracon.au but we do know that he always puts on a heck of a talk when he does!

Learn how to defend your Hornburg on November 13-14!

Grab your ticket before 29 Sept to get a 👕 in your size 👉 laracon.au/tickets
Reposted by Stephen Rees-Carter
laracon.au
Security advocate and friendly hacker @valorin.bsky.social keeps finding his way back into the #LaraconAU lineup.

Join us on November 13-14 for some practical security tips to help you defend your Hornburg (with or without Gandalf)
valorin.bsky.social
Do you reset your 2FA secret keys when a user toggles TOTP off/on?

It's not just passwords you need to worry about when it comes to authentication and stolen credentials: if an attacker can steal a 2FA secret key, they'll always have a valid TOTP! 😱

securinglaravel.com/security-tip... #Laravel
Security Tip: Don't Forget to Regenerate 2FA Secret Keys!
It's not just passwords you need to worry about when it comes to authentication and stolen credentials: your 2FA secret keys may also be at risk!
securinglaravel.com
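The rotation the tip above describes, as an added example that is not the article's or the author's code. The TwoFactorSettings class and its totpSecret field stand in for a user model column (my assumption); the base32 helper is only there so the secret is in the form authenticator apps expect.

```php
<?php
// Added example, not the article's code: fresh TOTP secret on every "enable",
// stored secret wiped on "disable", so an old stolen secret stops working.

function base32Encode(string $bytes): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split($bytes) as $byte) {
        $bits .= str_pad(decbin(ord($byte)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 5) as $chunk) {
        $out .= $alphabet[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
    }
    return $out;
}

final class TwoFactorSettings
{
    public ?string $totpSecret = null;   // hypothetical user column
    public bool $totpEnabled = false;

    // Weak pattern: reuses whatever secret is already stored, so a secret that
    // leaked before the user toggled 2FA off still works after they toggle it on.
    public function enableTotpReusingSecret(): string
    {
        $this->totpSecret ??= base32Encode(random_bytes(20));
        $this->totpEnabled = true;
        return $this->totpSecret;
    }

    // Hardened: 160 fresh random bits (the RFC 4226 recommended length) every time.
    public function enableTotp(): string
    {
        $this->totpSecret = base32Encode(random_bytes(20));
        $this->totpEnabled = true;
        return $this->totpSecret; // show as a QR code once, never display again
    }

    public function disableTotp(): void
    {
        $this->totpSecret = null; // nothing left for an old backup or dump to reuse
        $this->totpEnabled = false;
    }
}

$user = new TwoFactorSettings();
$first = $user->enableTotp();
$user->disableTotp();
var_dump($first !== $user->enableTotp()); // bool(true): the old secret is dead
```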
valorin.bsky.social
It's important to be paranoid when it comes to production environments - because if you forget you're logged into prod, you may end up dropping a database... or worse! 😱

Laravel's new Prohibitable trait lets you disable Artisan Commands to avoid this!

securinglaravel.com/security-tip...
#Laravel
Security Tip: Prohibiting Destructive Commands on Production
[Tip #83] It's important to be paranoid when it comes to production environments - because if you forget you're logged into prod, you may end up dropping a database... or worse! 😱
securinglaravel.com
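How the trait is wired up, as an added example rather than the article's own code. It uses Laravel 11's `DB::prohibitDestructiveCommands()` and the `Illuminate\Console\Prohibitable` trait; the `PurgeTenants` command and its signature are hypothetical.

```php
<?php
// Added example, not from the article. Two files shown in one listing:
// app/Providers/AppServiceProvider.php and app/Console/Commands/PurgeTenants.php.

namespace App\Providers;

use App\Console\Commands\PurgeTenants;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // In production, block migrate:fresh, migrate:refresh, migrate:reset and
        // db:wipe (the built-in commands that use the Prohibitable trait)...
        DB::prohibitDestructiveCommands($this->app->isProduction());

        // ...and any of your own destructive commands that use the same trait.
        PurgeTenants::prohibit($this->app->isProduction());
    }
}

namespace App\Console\Commands;

use Illuminate\Console\Command;
use Illuminate\Console\Prohibitable;

class PurgeTenants extends Command   // hypothetical command
{
    use Prohibitable;

    protected $signature = 'tenants:purge {--force : Skip the confirmation prompt}';
    protected $description = 'Delete all tenant data (destructive!)';

    public function handle(): int
    {
        // isProhibited() warns and returns true once prohibit(true) has been called,
        // so the command exits before touching anything, even with --force.
        if ($this->isProhibited()) {
            return self::FAILURE;
        }

        if (! $this->option('force') && ! $this->confirm('Really delete ALL tenant data?')) {
            return self::SUCCESS;
        }

        // ... destructive work goes here ...
        $this->info('Tenant data purged.');

        return self::SUCCESS;
    }
}
```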
valorin.bsky.social
You may have heard of the /.well-known/ path, and the security.txt file, but there is a new one you should be aware of too:

/.well-known/change-password

It should redirect to your change password form, so password managers can easily send users there.

securinglaravel.com/security-tip... #Laravel
Security Tip: A Well-Known URL for Changing Passwords
[Tip#73] You may have heard of the `/.well-known/` path, and the security.txt file, but there is a new one called `change-password` you should be aware of too!
securinglaravel.com
valorin.bsky.social
Sometimes when I sit down to write a Security Tip it comes together so quickly that I'm surprised I hadn't written it sooner. 🤓

The one I'm about to publish came together perfectly, including the demo, and it has the bonus of being pure nightmare fuel. Win-win for me! 😈
valorin.bsky.social
Agreed!

It's the switching of defaults that annoys me the most. There is nothing wrong with MRU, but don't switch my defaults! Add the option and let me enable it.
valorin.bsky.social
So what you're saying is, you've all been off on a long weekend?
valorin.bsky.social
Ugh, I hate it when apps switch from Next/Previous Tab switching to Most Recently Used (MRU) switching with Ctrl+Tab! MRU is only logical when you can't see the other tabs, otherwise it's a UX disconnect between display and keyboard. 😒

Looking at you Telegram! 😡
valorin.bsky.social
Totally, you were just adding some helpful context. 👍
valorin.bsky.social
The Laravel News article you're replying to is my article. 😉
valorin.bsky.social
HTTPS is everywhere & easy, but HTTP is still the default option browsers will attempt when given a raw domain. How do you stop an attacker from abusing this by hijacking the initial HTTP connection attempt? 😱

This is where HSTS comes in... 🔒

securinglaravel.com/security-tip... #Laravel
Security Tip: How Strict Is your Transport Security?
[Tip #82] HTTPS is everywhere & easy, but HTTP is still an option... How do you stop an attacker intercepting and downgrading connections to your site?
securinglaravel.com
valorin.bsky.social
Do you know what information is being leaked by the Referer header when your users click on external links?

If your site is public, you might be safe - but what if you have internal apps, or sensitive information in your URLs?

securinglaravel.com/security-tip... #Laravel #PHP
Security Tip: Is Your Referrer Leaking Information?
[Tip #81] Do you know what information is being leaked by the Referer header when your users click on external links?
securinglaravel.com
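One middleware covering both the HSTS tip and the Referer tip above, added here as an example and not taken from either article. The class name, the `$hstsMaxAge` value and the `$internalApp` switch are my assumptions; register it in your `web` middleware group.

```php
<?php
// Added example, not the articles' code: HSTS only over HTTPS (browsers ignore it
// on plain HTTP) plus a Referrer-Policy chosen by how sensitive the app is.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class SecurityHeaders   // assumed name
{
    // Start small (e.g. 300) while testing; 31536000 (1 year) is required for preload.
    private int $hstsMaxAge = 31536000;

    // true for internal apps or URLs carrying sensitive data: never send a Referer.
    private bool $internalApp = false;

    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        // isSecure() is only true behind a load balancer if trusted proxies are
        // configured; otherwise the header silently never gets sent.
        if ($request->isSecure()) {
            // Only add includeSubDomains/preload once every subdomain is HTTPS:
            // the browser preload lists are very hard to leave again.
            $response->headers->set(
                'Strict-Transport-Security',
                "max-age={$this->hstsMaxAge}; includeSubDomains; preload"
            );
        }

        // Public site: full URL same-origin, origin only cross-origin, nothing on
        // an HTTPS->HTTP downgrade. Internal app: no Referer header at all.
        $response->headers->set(
            'Referrer-Policy',
            $this->internalApp ? 'no-referrer' : 'strict-origin-when-cross-origin'
        );

        return $response;
    }
}
```

The Referrer-Policy header applies to every link on the page; a single external link that must carry no referrer can also be given `rel="noreferrer"` in the markup.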