valorin
@valorin@phpc.social

Friendly Hacker, Speaker, and PHP & Laravel Security Specialist.🕵️
I hack stuff on stage for fun. 😈
I used to be found at: https://infosec.exchange/@valorin
#searchable


valorin, to random

Working on my first Laravel Security Review today! 😄

While I'd love to live-tweet all the details, privacy is an important part of what I do, so instead I'll just walk you through my process at a high level as I go, and possibly discuss past audit findings.
Let's go! 👇 🧵

valorin, to php

Overly complex code is a common source of security issues, one I often see when devs attempt to avoid filename collisions…
https://securinglaravel.com/p/security-tip-avoiding-filename-collisions
#PHP #Laravel
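As an added illustration of the "keep it simple" point above (this is my own example, not code from the linked tip, and I do not claim it is the approach the tip recommends): the usual collision-avoidance code walks the directory looking for `name (1).jpg`, `name (2).jpg` and so on, and that loop is where path traversal and race conditions creep in. A random name sidesteps all of it. The controller and disk names are assumptions.

```php
<?php
// Added example, not the linked tip's code: collision-free uploads with no
// "does this name exist yet?" logic at all. Assumes a Laravel controller and
// a disk named `public` in config/filesystems.php.
declare(strict_types=1);

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Str;

class AvatarController
{
    // Allow-list of extensions we are willing to write to disk.
    private const ALLOWED = ['jpg', 'jpeg', 'png', 'webp'];

    public function store(Request $request)
    {
        $request->validate([
            'avatar' => ['required', 'file', 'image', 'max:2048', 'mimes:jpg,jpeg,png,webp'],
        ]);
        $file = $request->file('avatar');

        // Derive the extension from the detected content type, not from the
        // client-supplied filename, then check it against the allow-list.
        $ext = strtolower((string) $file->guessExtension());
        abort_unless(in_array($ext, self::ALLOWED, true), 422, 'Unsupported image type.');

        // A random 128-bit name cannot realistically collide and carries nothing
        // from user input: no path separators, no original name, no null bytes.
        $name = Str::uuid()->toString() . '.' . $ext;

        // storeAs() with an explicit disk; the original filename is never used as
        // a path component. Keep it as metadata in the database if you need it.
        $path = $file->storeAs('avatars', $name, 'public');

        return response()->json([
            'path'          => $path,
            'original_name' => $file->getClientOriginalName(),
        ]);
    }
}
```

If you do not care about the exact name, `$file->store('avatars', 'public')` already does the same thing internally (Laravel generates a random name and appends the guessed extension), which removes even the UUID line.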

valorin, to random

Fair warning my Laravel & security friends:

Now that The Rings of Power promo is starting back up, I'll probably start talking about that on here too because I loved S1, and am very excited for S2. (I'll avoid spoilers though.)

If you'd just like to follow my Laravel and Security work, I'd suggest signing up for my weekly security tips on http://securinglaravel.com. 🙂

valorin, to Laravel

Great question in the comments for: https://securinglaravel.com/p/security-tip-disable-dev-tools-on
"Would you recommend moving "laravel/tinker" to dev?"
No, since it's only a command line tool, but you do need to consider your audit trail. Building custom Artisan commands instead would be easier to test and review.

valorin, to random

It's finally happening: Securing Laravel is moving off Substack onto Ghost this week! 🎉

Just asked Substack to disconnect my Stripe account, and once that's done I can connect Ghost and get them to import subscribers.

Still some content to fix up, but billing is the big one!

valorin, to random

I want to rebuild my personal and consulting (audits) websites and need some inspiration. What are some good examples of personal/consultant websites in the tech space?

Also, what CMS do you recommend?

valorin, to random

I wrote a very long and emotional thread over on Twitter, I wanted to share it here but I'm about to fly home, so:
https://twitter.com/valorin/status/1682498273221951489

tl;dr: A rude password was selected during my #LaraconUS talk, it was from an audience member and my code wasn't supposed to display it. I should have changed it or said something to clarify it wasn't supposed to be shown, but I didn't...
#Laracon

valorin, to random

My first full-time dev job was building a domain name registration system, so I'm very good at sniffing out domain scams.🧐

I received a suspicious-looking email yesterday, so let's see how far I can string this along and what their goal is... 😈
(I'll keep this thread updated)

[attachment: image/png]

valorin, to Laravel

Do you log login attempts in your app? 🤔
Both successes and failures? 😯
Why not? 😧
https://securinglaravel.com/p/security-tip-login-logging
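An added example of what the post is asking for (my own code, not the linked tip's): Laravel already fires an event on every successful login, failed attempt and throttled lockout, so one subscriber class covers all three. The class name, log field names and registration wording are assumptions; the event classes and their properties are Laravel's.

```php
<?php
// Added example, not the linked tip's code. Assumes a Laravel app. Register the class
// as an event subscriber (EventServiceProvider::$subscribe in Laravel 10, or
// Event::subscribe() from a service provider's boot() in Laravel 11).
declare(strict_types=1);

namespace App\Listeners;

use Illuminate\Auth\Events\Failed;
use Illuminate\Auth\Events\Lockout;
use Illuminate\Auth\Events\Login;
use Illuminate\Events\Dispatcher;
use Illuminate\Support\Facades\Log;

class LogAuthenticationActivity
{
    // Successful login: the authenticated user is on the event.
    public function handleLogin(Login $event): void
    {
        Log::info('auth.login.success', [
            'guard'   => $event->guard,
            'user_id' => $event->user->getAuthIdentifier(),
            'ip'      => request()->ip(),
            'ua'      => request()->userAgent(),
        ]);
    }

    // Failed attempt: $event->user is null when the identifier matched no account,
    // which is itself worth knowing (credential stuffing vs. a typo by a real user).
    // Never dump $event->credentials into the log: it contains the submitted password.
    public function handleFailed(Failed $event): void
    {
        Log::warning('auth.login.failed', [
            'guard'      => $event->guard,
            'identifier' => $event->credentials['email'] ?? null,
            'user_id'    => $event->user?->getAuthIdentifier(),
            'ip'         => request()->ip(),
            'ua'         => request()->userAgent(),
        ]);
    }

    // Throttled: the rate limiter refused the attempt before credentials were checked.
    public function handleLockout(Lockout $event): void
    {
        Log::warning('auth.login.lockout', [
            'identifier' => $event->request->input('email'),
            'ip'         => $event->request->ip(),
        ]);
    }

    // Map each event to its handler; Laravel calls this when the subscriber is registered.
    public function subscribe(Dispatcher $events): array
    {
        return [
            Login::class   => 'handleLogin',
            Failed::class  => 'handleFailed',
            Lockout::class => 'handleLockout',
        ];
    }
}
```

Two practical notes: send these lines to a channel that is retained and shipped off the box (the default single-file log gets rotated or deleted with the server), and treat the identifier field as personal data when you set retention. Many failures for one IP across many identifiers is the stuffing signature; many failures for one identifier from many IPs is a targeted guess.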

valorin, to php

One of my favourite (and oh so simple) hacker tricks is to abuse JSON support in APIs and pass TRUE instead of the actual API key. If the code does loose comparison, you don't need the key! 😎 😈 🍿
https://securinglaravel.com/p/security-tip-type-juggling
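An added demonstration of the trick described above (my own example, not code from the linked tip; the key value and function names are placeholders): `json_decode()` hands the controller a real PHP boolean, and `true == 'any non-empty string'` is true under loose comparison.

```php
<?php
// Added example, not the linked tip's code. Shows why {"api_key": true} authenticates
// against a loose comparison and how to close it. STORED_API_KEY is a stand-in.
declare(strict_types=1);

const STORED_API_KEY = 'sk_live_examplekeydonotuse';

// Vulnerable: `==` lets PHP juggle types, so a boolean true compared with any
// non-empty string is true. The attacker never needs the key.
function checkKeyLoose(mixed $provided): bool
{
    return $provided == STORED_API_KEY;
}

// Hardened: refuse anything that is not a string, then compare in constant time.
function checkKeyStrict(mixed $provided): bool
{
    if (!is_string($provided)) {
        return false;
    }
    return hash_equals(STORED_API_KEY, $provided);
}

// Constructed request bodies, decoded the way an API controller typically does.
$bodies = [
    '{"api_key": "sk_live_examplekeydonotuse"}', // legitimate caller
    '{"api_key": true}',                           // attacker: boolean instead of the key
    '{"api_key": 0}',                              // attacker: integer (PHP 7 juggled this to true; PHP 8 does not)
    '{"api_key": "wrong"}',                        // plain wrong key
];

foreach ($bodies as $json) {
    $key = json_decode($json, true)['api_key'];
    printf(
        "%-45s loose=%-5s strict=%s\n",
        $json,
        var_export(checkKeyLoose($key), true),
        var_export(checkKeyStrict($key), true)
    );
}
```

In a Laravel controller the same guard is a validation rule: `'api_key' => ['required', 'string']` rejects the boolean before any comparison runs, and `hash_equals()` (or a lookup of the hashed key in the database) replaces `==`. The same juggling applies to anything read from JSON: user IDs, nonces, one-time codes.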

valorin, to random

I'm surprised by the number of folks who use git GUIs. I find them so clunky and they just slow me down compared to the raw CLI. Doing it all via a couple of simple commands is so much more efficient in my eyes. 🤷

valorin, to random

Getting closer to migrating Securing Laravel to Ghost, but now there is a new issue: Substack manages the Stripe account, so I can't link Ghost to import subscribers.

Hopefully there is an easy fix. 🤞

valorin, to random

A friend received these emails recently, and asked me for help...
On face value they sound worrying, but this is what's known as a Beg Bounty! The sender runs a basic scanner, finds minor 'issues', and asks for money to disclose "serious vulns".

In the vast majority of cases, these are simply identifying things like missing security headers, which enhance your security but don't mean an actual vuln exists. You can usually identify them with the lack of details and a veiled request for money.

[attachment: image/png]

valorin, to random

Ah, that old familiar developer dilemma... I could build an app that would save me a significant amount of time. But building it would take a significant amount of time... ⚖️

valorin, to random

Did my followed hashtags come over? Probably not... How do I even find those in the settings?

valorin, to random

Any crypto/password entropy nerds able to help me out calculating possible combinations/entropy?

If an 8 character password with 88 possible characters to choose from has 3,596,345,248,055,296 possible combinations, how many would a password of the same length where one character MUST be a letter [a-zA-Z], one MUST be a number [0-9], and one MUST be a special char (with 26 options) be?

Is it just: 52 * 10 * 26 * (88^5), totalling 71,349,355,151,360?

I feel like that's missing something?
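A worked answer, added here as an editor's note rather than a reply in the thread. The 88-character alphabet splits into 52 letters, 10 digits and 26 specials, so "at least one of each" is counted by inclusion-exclusion over the three "missing a class" sets:

$$
N = 88^8 - \underbrace{36^8}_{\text{no letter}} - \underbrace{78^8}_{\text{no digit}} - \underbrace{62^8}_{\text{no special}} + \underbrace{26^8}_{\text{specials only}} + \underbrace{10^8}_{\text{digits only}} + \underbrace{52^8}_{\text{letters only}} - 0^8
$$

$$
N = 3\,596\,345\,248\,055\,296 - 2\,821\,109\,907\,456 - 1\,370\,114\,370\,683\,136 - 218\,340\,105\,584\,896 + 208\,827\,064\,576 + 100\,000\,000 + 53\,459\,728\,531\,456
$$

$$
N = 2\,058\,738\,317\,475\,840 \approx 0.57 \cdot 88^8, \qquad \log_2 N \approx 50.9 \text{ bits (versus } \log_2 88^8 \approx 51.7 \text{ bits unconstrained)}
$$

The product $52 \cdot 10 \cdot 26 \cdot 88^5 = 71\,349\,355\,151\,360$ counts only passwords whose three required characters sit at three fixed positions, so it undercounts by a factor of about 29. The composition rule costs under one bit of entropy against an attacker who enumerates the whole space; its real effect is on which part of the space a dictionary-first attacker tries.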

valorin, to random

Anyone else having issues uploading images to phpc.social in the PWA on Android?

The image uploads and then errors out with:
"500 Error processing thumbnail for uploaded media"

@ramsey @phpc

valorin, to random

Well, I'm here. 😅

[attachment: video/mp4]

valorin, to php

You know you have too many domains when you don't notice someone has hijacked one of them to run a malicious web shell, and in the simplest way possible too... 🤦
https://securinglaravel.com/p/security-tip-hijacking-domains-the

valorin, to php

Ok Laravel folks, it's time to increase your bcrypt rounds because 10 is no longer considered secure enough.
https://securinglaravel.com/p/security-tip-increase-your-bcrypt
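An added example to go with the post (my own code, not the linked tip's): the first part is plain PHP you can run on the actual production hardware to pick a cost, the second is the Laravel change and the rehash-on-login step that older accounts need. The target cost of 12 and the quarter-second budget are assumptions to adjust.

```php
<?php
// Added example, not the linked tip's code. Part 1 runs with plain PHP; part 2 is the
// Laravel config and login change, shown in a comment because it lives in other files.
declare(strict_types=1);

// Part 1: time one bcrypt hash at a given cost on THIS machine. Cost is log2 of the
// work factor, so each +1 doubles the time for you and for whoever steals the table.
function bcryptMillis(int $cost, int $samples = 3): float
{
    $total = 0.0;
    for ($i = 0; $i < $samples; $i++) {
        $start = hrtime(true);
        password_hash('benchmark-only-not-a-real-password', PASSWORD_BCRYPT, ['cost' => $cost]);
        $total += (hrtime(true) - $start) / 1e6;
    }
    return $total / $samples;
}

// Pick the highest cost that keeps a login comfortably under ~250 ms (assumed budget).
foreach ([10, 11, 12, 13] as $cost) {
    printf("cost=%d  avg %.0f ms\n", $cost, bcryptMillis($cost));
}

/*
Part 2 (Laravel). In config/hashing.php raise the rounds; 12 is an assumed target:

    'bcrypt' => [
        'rounds' => env('BCRYPT_ROUNDS', 12),
    ],

Existing hashes keep the cost they were made with, so upgrade each one the next time
the user authenticates, which is the only moment the plaintext is legitimately available:

    use Illuminate\Support\Facades\Auth;
    use Illuminate\Support\Facades\Hash;

    if (Auth::attempt($request->only('email', 'password'))) {
        $user = Auth::user();
        if (Hash::needsRehash($user->password)) {
            $user->forceFill([
                'password' => Hash::make($request->input('password')),
            ])->save();
        }
    }
*/
```

To see how far along the migration is, the cost is visible in the hash prefix: rows whose `password` column starts with `$2y$10$` are still at ten rounds, so a count grouped on the first seven characters of that column shows the split without touching any plaintext.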

valorin, to php

You need to protect your .env file, and search engines like to snoop on all of your files, so be careful what you leave lying around! 😈

Or, in other words... Install your apps properly!

https://securinglaravel.com/p/security-tip-protect-your-env-file
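An added example of "install your apps properly" (my own configuration, not from the linked tip): the fix is not a rule that hides `.env`, it is a document root that never contains it. The paths, hostname and PHP-FPM socket below are assumptions.

```nginx
# Added example, not the linked tip's config. Assumes the checkout lives at
# /var/www/app and PHP-FPM listens on the socket shown; adjust for your host.
server {
    listen 80;
    server_name example.test;

    # The web root is public/, not the repository root, so .env, vendor/, storage/
    # and composer.json have no URL at all. This is the whole fix.
    root /var/www/app/public;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Belt and braces: refuse every dotfile (.env, .git, .htaccess) in case one is
    # ever copied into public/ by mistake. /.well-known stays reachable for ACME.
    location ~ /\.(?!well-known).* {
        deny all;
    }
}
```

After deploying, check from outside: `curl -i https://example.test/.env` and `curl -i https://example.test/vendor/autoload.php` should both fail (403 or 404, never 200), and the same requests against any staging or preview hostname deserve the same check, since those are the ones that get indexed. `robots.txt` is not a control; crawlers that honour it are not the ones you are worried about.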

valorin, to random

Still one of the best movies to see at the cinema. 🎥

valorin, to random

Just discovered Ghost doesn't support native footnotes... 😟

valorin, to random

No, I will not hack into a website for you... 🙄

valorin, to random

Every time I do a demo-heavy/interactive talk, I tell myself that I'll just do slides next time, and yet, here I am building another Forge server for my talk tomorrow and hoping the internet will be stable... 🤞 🤣
