@valorin@phpc.social

valorin

Friendly Hacker, Speaker, and PHP & Laravel Security Specialist.🕵️
I hack stuff on stage for fun. 😈
I used to be found at: https://infosec.exchange/@valorin
#searchable

andrewfeeney, to php

and folks, what do you make of this?

https://youtu.be/kQdRT2odUIk

valorin, (edited )

@andrewfeeney It feels over-hyped, as PHP security issues often are. 😔

I'm 50/50 on it being an interesting academic vulnerability that affects a very specific configuration and some specific apps, vs it affecting apps like WordPress that try to do magic language handling.

valorin,

@bobmagicii @andrewfeeney
The video is a third party speculating based on the CVE description and the conference talk abstract the researcher is presenting.

You haven't missed anything of note.

valorin,

@andrewfeeney @bobmagicii @j3j5

I wasn't aware of him before this, but he came across in the video as someone who knew his stuff about infosec - even if he was just speculating about this specific issue.

I guess YT requires hyping up videos to get engagement, etc, though, so he does what he needs to do... 🤷

But I'm always frustrated when I see PHP-ecosystem vulns hyped up, because you can guarantee some ignorant executive is going to blindly reject PHP because "it's insecure".

valorin, to random

Getting closer to migrating Securing Laravel to Ghost, but now there is a new issue: Substack manage the Stripe account, so I can't link Ghost to import subscribers.

Hopefully there is an easy fix. 🤞

valorin,

@willpower232 @molly0xfff
That's awesome, thanks for sharing!

valorin,

@molly0xfff @willpower232 Awesome, thanks! 🙂

I'm using Ghost's Concierge for my migration, so hopefully they can handle all the pain for me. Although I've already had to build a script to interact with the API to bulk edit posts...

Did you have to deal with your Stripe account being "Managed by Substack"?

Ghost needs to be connected to the same Stripe account, but Stripe won't let me because it's managed by Substack.

valorin,

@molly0xfff @willpower232
Ah! It wasn't fully clear in your article.

Every set of instructions I've seen talked about connecting to the Substack Stripe before disconnecting Substack so billing is uninterrupted. Even the stuff from concierge.

I'm wondering if my account is somehow set up differently. I've pinged concierge, so hopefully they've encountered it before.

valorin, to Laravel

Do you use Encrypted Environment files in Laravel?

I think they are great for some special use cases, but given the prevalence of API keys and credentials found in repos, is it worth it to use them all the time?

There was a bit of a debate about this last time I posted it, so I'm curious to see how we're all feeling about them now. Or maybe I'm just being an old security grump? 🧐

https://securinglaravel.com/p/security-tip-encrypting-environment
#Laravel

valorin, to random

Just discovered Ghost doesn't support native footnotes... 😟

valorin,

@outofcontrol That was my original plan, and is still my eventual goal, but I just don't have the time to spend on setting up a full newsletter site at the moment. I'm having enough trouble finding time for my course. 😔

The big appeal with Ghost is the Concierge who are doing the hard parts of the migration for me, so I can get off Substack faster.

valorin, to Laravel

Let's check out three of the configuration options available as part of Laravel 11's Automatic Password Rehashing: custom fields, disabling rehashing, and changing bcrypt rounds.

https://securinglaravel.com/p/security-tip-laravel-11s-automatic

valorin, to random

Anyone else wonder why the default header used for Authentication is actually called Authorization, or is it just me? 😕

I wish those two words weren't so similar (or so long).

valorin, to random

I think this is the week Securing Laravel is moving to Ghost! Pretty nervous about the move, but also quite excited to see it happen. 😄🤞

Huge shout-out to Alex and Paul from Ghost Concierge who have been patiently answering my many questions, and making the process so easy.

valorin, to Laravel

Limiting access to remote files is easy if you're using something like S3, but what about limiting access to local files?

Here's my solution: https://securinglaravel.com/p/security-tip-restricting-local-file

valorin, to Laravel

One of my favourite security tricks is to install Canary Tokens in all of my apps. (I also put them in my live code talks too!)

They'll tell you if anyone is snooping around your code who shouldn't be! 🕵️

https://securinglaravel.com/p/security-tip-canary-tokens

valorin, to random

This is your periodic reminder that anything you get from the user - including callback URL query params - should be considered untrusted user input and validated accordingly...

Otherwise, someone like me will come along and use it to steal your private keys! 😈
(True story)

valorin, to random

One of the things I love about Stripe is the prefixed API keys - making it trivial to block sk_live_* keys from being used outside production.

Anything that stops you from accidentally calling production APIs from dev or staging is worth doing: https://securinglaravel.com/p/protecting-production-apis

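The prefix check described in the post above, as an added example (not the author's code and not from the linked article): a Laravel service provider that refuses to boot when the configured Stripe key's `live`/`test` prefix does not match the app environment. The config path `services.stripe.secret` and the class name are assumptions.

```php
<?php
// Added example, not code from the original post or the linked article.
// Service provider that refuses to boot when a Stripe key's prefix does not
// match the app environment: *_live_ keys only in production, *_test_ keys
// only outside it. The config path 'services.stripe.secret' is an assumption;
// point it at wherever your app stores the key, and register the provider
// like any other.
namespace App\Providers;

use Illuminate\Support\ServiceProvider;
use RuntimeException;

class StripeKeyGuardProvider extends ServiceProvider
{
    public function boot(): void
    {
        $problem = self::keyProblem(config('services.stripe.secret'), $this->app->environment());
        if ($problem !== null) {
            throw new RuntimeException('Refusing to boot: ' . $problem);
        }
    }

    /**
     * Returns null when $key may be used in $environment, otherwise a reason.
     * Only the key's prefix is ever included in the message, never the secret.
     */
    public static function keyProblem(?string $key, string $environment): ?string
    {
        if ($key === null || $key === '') {
            return null; // Stripe not configured for this app; nothing to guard.
        }
        // Stripe prefixes: sk_ (secret), pk_ (publishable), rk_ (restricted),
        // followed by live_ or test_.
        if (!preg_match('/^(sk|pk|rk)_(live|test)_/', $key, $m)) {
            return 'Stripe key has an unrecognised prefix.';
        }
        $prefix = $m[0];
        $isProduction = $environment === 'production';
        if ($m[2] === 'live' && !$isProduction) {
            return "live Stripe key ({$prefix}...) configured in the '{$environment}' environment.";
        }
        if ($m[2] === 'test' && $isProduction) {
            return "test Stripe key ({$prefix}...) configured in production.";
        }
        return null;
    }
}
```

Failing at boot, rather than at the first API call, means a misconfigured staging deploy is caught before any request reaches Stripe.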
valorin, to random

Still a lot to do before Dropbear will be ready for an actual usable release, but I've been spending some time cleaning up the scanner output, and I'm really loving it. 🥰

I'm thinking of opening it up with a "works on my machine" pre-alpha once I've refreshed the whole scanner.

valorin, to php

You may have heard of the /.well-known/ path, and the security.txt file, but there is a new one called change-password you should be aware of too! 🤓

(Spoiler: It tells password managers where your change password page is!)

https://securinglaravel.com/p/security-tip-a-well-known-url-for

valorin, to Laravel

Do you log login attempts in your app? 🤔
Both successes and failures? 😯
Why not? 😧
https://securinglaravel.com/p/security-tip-login-logging

valorin,

@heiglandreas
What sort of PII are you worried about throwing into your logs?

You could drop or anonymise the IP if that's a concern, although IP is incredibly useful to correlate app logs with access logs.

Email or Username could be replaced with the user ID, making the messages very generic, but still more helpful than nothing:

"
User login attempt failed.
User logged in successfully.
Unknown user login attempt failed.
"

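One way to implement the logging described in the reply above, as an added example (not the author's code and not from the linked article): a Laravel event subscriber that writes those three messages using the user ID instead of email or username, never logs the submitted credentials, and masks the client IP to a network prefix so it still correlates with access logs. The class name, the prefix lengths, and the use of the default `Login`/`Failed` auth events are my assumptions.

```php
<?php
// Added example, not code from the original post. A Laravel event subscriber
// that logs login successes and failures for security monitoring without
// writing PII: the user ID replaces email/username, the submitted credentials
// are never logged, and the client IP is masked to a /24 (IPv4) or /48 (IPv6)
// prefix. Register it in App\Providers\EventServiceProvider::$subscribe.
namespace App\Listeners;

use Illuminate\Auth\Events\Failed;
use Illuminate\Auth\Events\Login;
use Illuminate\Events\Dispatcher;
use Illuminate\Support\Facades\Log;

class LogAuthenticationActivity
{
    public function subscribe(Dispatcher $events): array
    {
        return [Login::class => 'onLogin', Failed::class => 'onFailed'];
    }
    public function onLogin(Login $event): void
    {
        Log::info('User logged in successfully.',
            $this->context($event->guard, $event->user->getAuthIdentifier()));
    }
    public function onFailed(Failed $event): void
    {
        // $event->user is null when no account matched the identifier;
        // $event->credentials (email + password) is deliberately not logged.
        if ($event->user === null) {
            Log::warning('Unknown user login attempt failed.', $this->context($event->guard, null));
            return;
        }
        Log::warning('User login attempt failed.',
            $this->context($event->guard, $event->user->getAuthIdentifier()));
    }
    private function context(string $guard, int|string|null $userId): array
    {
        return ['guard' => $guard, 'user_id' => $userId, 'ip' => self::maskIp(request()->ip())];
    }
    /** 203.0.113.42 -> 203.0.113.0 and 2001:db8:1234:5678::1 -> 2001:db8:1234:: */
    public static function maskIp(?string $ip): ?string
    {
        $packed = $ip === null ? false : inet_pton($ip);
        if ($packed === false) { return null; }
        $keep = strlen($packed) === 4 ? 3 : 6; // bytes of the prefix to keep
        return inet_ntop(substr($packed, 0, $keep) . str_repeat("\0", strlen($packed) - $keep));
    }
}
```

Drop the `ip` key from `context()` entirely if even a masked prefix is not acceptable under your retention rules.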
valorin,

@heiglandreas
You're thinking of it purely from a debugging point of view. I'm not talking about debugging, I'm saying that you need logging for security reasons. You need to be able to actively monitor activity and identify attacks on your app. Debugging doesn't and cannot give you this.

valorin,

@heiglandreas
I feel like we're going around in circles a bit here...

My point was simply that logging login activity is good for security. That could be verbose logs, or anonymous logs, an audit trail, a separate process, or something else entirely. If you have visibility of what's going on in your login flow, you may be able to identify attacks and malicious behaviour.

If you have PII and/or legal requirements, then by all means follow them. 🤷

valorin,

@heiglandreas
Yep, that's fair, blindly logging PII is a bad idea. 🙂

valorin, to Laravel

It's not just your app dependencies that need to be maintained and updated, but also the tools you use every day - such as Composer, which recently fixed a High severity security risk! 😱
https://securinglaravel.com/p/security-tip-keep-your-tools-updated