Freek.dev

On his blog Chris White explains how to upload files directly to S3. Pretty cool!

Most of us know of Amazon S3, a cloud based storage service designed to store an unlimited amount of data in a redundant and highly available way. For most situations using S3 is a no brainer, but the majority of developers transfer their user's uploads to S3 after they have received them on the server side. This doesn't have to be the case, your user's web browser can send the file directly to an S3 bucket. You don't even have to open the bucket up to the public. Signed upload URLs with an expiry will allow temporary access to upload a single object.

https://cwhite.me/avoiding-the-burden-of-file-uploads/

Read more

Over at the CloudFlare blog John Graham-Cumming wrote an interesting article on SQL injection attacks via http request headers.

SQL injection is a perennial favorite of attackers and can happen anywhere input controlled by an attacker is processed by a web application. It's easy to imagine how an attacker might manipulate a web form or a URI, but even HTTP request headers are vulnerable. Literally any input the web browser sends to a web application should be considered hostile.

Read more

In security-sensitive situations, performance can actually be a bug rather than a feature. This presentation covers timing attacks on the web, and demonstrates how modern performance-related web APIs can sometimes have a negative security impact.

Mathias Bynens — Front-End Performance: The Dark Side from Fronteers on Vimeo.

Read more

Jens Segers wrote an interesting little article about fail2ban. This piece of software prevents unauthorized pundits from accessing your server. You'll be happy to know that is installed by default on Forge.

The first thing I do on every server is set up the firewall so that all ports except for the SSH port are blocked from incoming requests. But with the SSH port unprotected, you still want it to be protected from illegitimate access, right? This is where fail2ban comes in. Fail2ban will automatically ban IPs that show the malicious signs such as too many password failures, seeking for exploits, etc.

Read more

Let’s take a look at a PHP script used to send spam. These types of scripts run on servers all over the world and might give you some insight into a spammer’s dedication to annoy the hell out of you. ... One of the WordPress sites on a shared hosting web server I manage was infected by a spam script. Fortunately, the script was unable to do any real damage and was detected within half an hour of infection. I thought it would be fun to show you the script and dissect it, to find out exactly how these things work and make thousands of email administrators’ lives a living hell.

Read more

Imagine you are working on new app. Your client wants to see the progress that you've made. However your site isn't ready for prime time yet. Sure, you could create some login functionality and display the site only to logged in users. But why bother creating users when there is a more pragmatic approach?

At Spatie we often instruct a client to visit /demo. Visiting that url will unlock access to the entire front site. Because creating packages has many benefits we decided to open source our solution.

Our newly released laravel-demo-mode package blocks your work in progress from prying eyes. After it is installed you can use a route macro to register a route that grants access to the protected routes:

Route::demoAccess('/demo');

Routes can be protected by using the demoMode-middleware on them:

Route::group(['middleware' => 'demoMode'], function () {
    Route::get('/secret-route', 'SecretController@index');
});

Unless a user has first visited /demo first, he or she will be redirected to /under-construction. This url can be changed in the config file.

A word to the wise: do not use this package to restrict access to sensitive data or to protect an admin section. For those cases you should use proper authentication.

You can take a look at the package on GitHub. If you like it, you might like some of our other Laravel packages as well.

Read more

I use Slack for many things and it's great to see how many integrations are available out of the box. But building integrations yourself is extremely easy using Incoming Web Hooks.

Wouldn't it be nice if you could see a message in Slack each time a user connects to one of your machines over SSH? Yes it would!

(I found this via cron.weekly. If you haven't subscribed yet, you're missing out)

Read more

In 2015 web developers understand more about SSL than they ever have. If you read Hacker News you should know:

• You can get domain validated (DV) certs from Let's Encrypt for free.
• You can get extended validation (EV) certs from CertSimple with checks before you pay. That's us by the way!
• The Mozilla SSL Config Generator can set up your server as secure as possible for the browsers you want to support.
• When you're done, use SSL Labs to check everything. Make sure you get an A, otherwise people will pick on you.

What about the rest?

Read more

If you have a form on your website where one of the fields is of the `type="password"`, the page will now be marked as insecure in your browser if it is served over a plain HTTP connection.

Read more

"Password must contain 1 uppercase letter, 1 lowercase letter, and 1 number."

With a rule like that, the password Abcd1234 would pass your validation, but mu-icac-of-jaz-doad would not.

Ryan makes an excellent suggestion to replace password rules by an entropy estimator like Zxcvbn.

Read more

In this video Tom Scott explains why Chrome couldn't handle http://a/%%30%30 :

https://www.youtube.com/watch?v=0fw5Cyh21TE

Read more

In this excellent post Matthias explains why you can't put all your trust in cat when inspecting a file:

https://ma.ttias.be/terminal-escape-sequences-the-new-xss-for-linux-sysadmins/

Let's all agree to never trust anything that has been posted on the internet without very thorough inspection. And let's especially agree to never run an arbitrary command or script found on the internet, without really close inspection.

Read more

Garrett St. John wrote a clear example on how to use UUIDs in Eloquent models. This kind of logic could go in a trait so it can be reused across multiple models.

By default, Eloquent uses an auto-incrementing integer as the primary key for its tables. While most of the time this is totally acceptable, sometimes there is a need for primary keys to be less predictable.

EDIT: Kirk Bushell has made a trait for this functionality. Take a look at his Eloquence package on GitHub.

Read more

The project I'm currently working on will have to send out mails to all its users on a regular basis. It's not a newsletter: the contents of each mail will be very specific to each user. The mail also should contain a link to unsubscribe the user from simular future mails.

The link could look like this: https://myapp.com/unsubscribe. Clicking on the link would direct the user to a login page. After the user has logged in the unsubscribe can be automatically performed. In my mind requiring the user to login first in order to unsubscribe from something isn't very user friendly.

This can be improved by adding the id of the user to the link. Here's what that could look like: https://myapp.com/user/1/unsubscribe. With this link you the app can unsubscribe the user with id 1 in one go. That'll work, but it's not very secure. Unsubscribe links for all other users can be easily guessed. Such links can be made more secure by adding a signature and an expiry date on them.

My colleague Sebastian coded up a Laravel package to create signed url's with a limited lifetime. Here's example where the url gets signed and made valid for only one day:

echo UrlSigner::sign('https://myapp.com/user/1/unsubscribe', 1);

This outputs an url that looks like: https://myapp.com/user/1/unsubscribe?expires=1123690544&signature=93e02326d75

The validate-method can be used the determine if a signed url is (still) valid:

$isValidUrl = UrlSigner::validate($theSignedUrlInTheExampleAbove);

The signature is calculated using the original url itself, the expiration date and a secret string that's specific to your project. When a malicious user tries to change any part of the url the signature won't match up.

I'm assuming that the most common use case of signing url's is to protect routes. The package supplies a middleware that protects routes from invalid signed url's. In the following example only requests with a valid signed url will hit the controller:

Route::get('unsubscribe', ['middleware' => 'signedurl', 'uses => 'UserController@unsubscribe']);

If you're interested in using the package, take a look at it on GitHub: https://github.com/spatie/laravel-url-signer

There's also a framework agnostic version: https://github.com/spatie/url-signer

E-mails can be intercepted and are never 100% secure. Bearing that fact in mind you should never use this kind of link for any destructive action.

EDIT: Some fellow developers pointed out that I could also obfuscate the id in the url. Here are two good libraries to do that:

• http://hashids.org/
• https://github.com/jenssegers/optimus

And sure enough, the unsubscribe links of other users cannot be easily guessed. A small downside however is that the url becomes less readable. The big disadvantage is that the url will remain valid forever. As these links through an unsafe medium I think it's a good idea to give them a limited lifetime. Signing an url will do that.

Read more

If you're comfortable at the CLI, WPScan is super easy to get going.

The project is open source on Github and uses the WPScan Vulnerability Database, an open dataset of known WordPress vulnerabilities.

Installation on a Mac is a piece of cake. Other methods and operating systems are documented on Github.

Read more

While doing some research about other obfuscation techniques I stumbled upon an implementation based on Donald Knuth's integer hash. This unbelievable small and fast algorithm will generate random-like integers with the ability to convert them back to the original value. This technique was so cool that I decided to create a PHP package for it called Optimus.

Read more

When installing an SSL certificate on your server you should install all intermediate certificates as well. If you fail to do so, some browsers will reported “untrusted” warnings for your site like this one.

Searching and downloading those intermediate certificates can be a hassle.

Today my colleagues at Spatie and I launched certificatechain.io. This online tool helps you download all intermediate certificates. Just paste or upload your certificate and you'll get a file containing the entire trust chain that you can install on your server.

The site is built with Laravel 5 and uses the SSL certificate chain resolver we made last month.

Read more

This package ensures that your application doesn't have installed dependencies with known security vulnerabilities.

...

The checks are only executed when adding a new dependency via composer require or when running composer update: deploying an application with a valid composer.lock and via composer install won't trigger any security versions checking.

Awesome idea! It works by leveraging the "conflict"-property in the composer.json-file of the package.

Read more