Creating encrypted backups of Laravel apps

simonkollross.de

Simon Kollross explains how to use our laravel-backup package to create an encrypted backup of your Laravel based app.

You should always encrypt backups of your apps and securely transfer them to one or multiple backup destinations. If you encrypt the backups on your server and transfer only the encrypted version, your backups are stored encrypted at rest in your backup destination. Not even your backup storage provider is able to read them.

Read more [simonkollross.de]


Improved security with HSTS

ohdear.app

In a new post at the Oh Dear blog, there's a good explanation how HSTS improves security.

HSTS stands for HTTP Strict Transport Security. It's a mechanism that allows a website to signal that it should only be reached via HTTPS - the encrypted HTTP - instead of the plain text HyperText Transfer Protocol.

Read more [ohdear.app]

When to use Gate::after in Laravel original

by Freek Van der Herten – 4 minute read

In a Laravel app policies are a great way to organize authorization logic that revolves around models.

For the longest time, I've been using Gate::before to allow superadmins to do anything they want. While working on a new app, it finally clicked how Gate::after can be useful too. I'd like to share that knowledge in this blog post.

Read more

Unsafe SQL functions in Laravel

stitcher.io

My colleague Brent offers some more details on the intricacies of Laravel's query builder.

I recently learned that not all query builder functionality in Laravel is "safe". This means that user input shouldn't be passed directly to it, as it might expose your application to SQL injection vulnerabilities.

Read more [stitcher.io]

An important security release for laravel-query-builder original

by Freek Van der Herten – 4 minute read

Our laravel-query-builder package exposed a serious security issue: it allowed SQL injection attacks. Laravel Query Builder v1.17.1, which is now available, fixes the vulnerability. If you're using the package, stop reading now and upgrade to the latest version first. For Laravel 5.6, 5.7 and 5.8…

Read more

The end of Extended Validation certificates

ma.ttias.be

Mattias Geniar argues that you shouldn't buy extended validation certificates.

You know those certificates you paid 5x more for than a normal one? The ones that are supposed to give you a green address bar with your company name imprinted on it? It's been mentioned before, but my take is the same: they're dead.

Read more [ma.ttias.be]

These cookie warning shenanigans have got to stop

www.troyhunt.com

I fully agree with Troy Hunt here.

So in summary, everyone clicks through cookie warnings anyway, if you read them you either can't understand what they're saying or the configuration of privacy settings is a nightmare, depending on where you are in the world you either don't get privacy or you don't get UX hell, if you understand the privacy risks then it's easy to open links incognito or use an ad blocker, you can still be tracked anyway and finally, the whole thing is just conditioning people to make bad security choices.

Read more [www.troyhunt.com]

Preventing spam submitted through forms original

by Freek Van der Herten – 2 minute read

When adding a form to a public site, there's a risk that spam bots will try to submit it with fake values. We recently released a new package, called laravel-honeypot, that can detect these spammy requests.

How honeypots work

The majority of spam bots are pretty dumb. You can thwart most of them by…

Read more

Fixing Imagick's “not authorized” exception

alexvanderbist.com

The last couple of weeks some strange Imagick errors popped up across all our servers. In a new blogpost my colleague Alex explains the cause and the fix.

Over the last few days we've had a couple of issues with Imagick and processing PDFs on our servers. As it turns out, these issues are caused by automatic security updates. Let's look into the issue and its solution.

Read more [alexvanderbist.com]

APP_KEY And You

tighten.co

Jake Bathman, developer at Tighten Co, wrote a new blogpost explaining what Laravel's APP_KEY environment variable is used for.

In this post, we'll talk about what APP_KEY does and doesn't do, some common misconceptions about its relationship to user password hashing, and the simple steps to changing your APP_KEY safely without losing access to your data.

Read more [tighten.co]

Extended Validation Certificates are Dead

www.troyhunt.com

In a new blogpost Troy Hunt explains why you shouldn't bother buying an EV certificate anymore.

That's it - I'm calling it - extended validation certificates are dead. Sure, you can still buy them (and there are companies out there that would just love to sell them to you!), but their usefulness has now descended from "barely there" to "as good as non-existent". This change has come via a combination of factors including increasing use of mobile devices, removal of the EV visual indicator by browser vendors and as of today, removal from Safari on iOS

Read more [www.troyhunt.com]

A new security header: Feature Policy

scotthelme.co.uk

Scott Helme, creator of both securityheaders.com and report-uri.com, introduces a header to enable or disable certain APIs on a webpage.

Feature Policy is being created to allow site owners to enable and disable certain web platform features on their own pages and those they embed. Being able to restrict the features your site can use is really nice but being able to restrict features that sites you embed can use is an even better protection to have.

Read more [scotthelme.co.uk]

How to hack and win the May Mayhem blog contest

alexvanderbist.com

Recently Taylor Otwell held a blogging competition. Entries could be submitted on a GitHub repo, the post with the highest amount of ? would win. My colleague Alex wrote a blogpost on how you could easily win the competition by hacking a bit. It's pretty awesome that Alex, without using any of the hacks described in the post, wound up winning the competition.

I feel like programmers are often as good at breaking things as they are at fixing things. Part of the thought process of programming anything new is figuring out its flaws, weaknesses and possible exploitations. As a web developer, I often find myself applying the same thought process to everything I see and read about online. Including Laravel's May Mayhem blog contest.

Read more [alexvanderbist.com]