Entries with the tag “security”

These entries are about cybersecurity and programming securely so they have the “security” tag.

If you’re looking for Laravel-specific security content, you might want to check out masteringlaravel.io/security.

Use Github Actions Permissions with 3rd Party Actions

Dec 6, 2023 github security

I can’t say how much I love Github actions. It really felt like a game-changer for me. But I always had some concerns about security. How do we stop 3rd party actions from accessing or stealing our code?

Why Care About Privacy with Web Analytics?

Dec 24, 2022 business security

If Google gives free access to their web traffic tool called Google Analytics, why would you need anything else? Why would you care? Let’s briefly talk about why privacy matters and what you can do instead.

Securing Laravel from Hackers

Aug 23, 2021 laravel php security

Laravel Hacker is no longer a brand. You can find my security work at MasteringLaravel.io/security

Laravel is a great framework that is pretty secure by default. However, configuration mistakes or coding errors can still leave your app open for attack. Where do you go for help?

Illustrating Why Fillable and Validated Matter in Laravel

Feb 22, 2021 laravel php security

When given a choice of methods and ways to do something, it might not be clear which way is the best. As programmers, we tend to pick the easiest, then. However, the easiest can have security implications. Let me illustrate why we should use more stringent controls in a Laravel project.

Remember to Review Your Package Code for Security

Aug 12, 2019 laravel php security

Open source software is wonderful for many reasons. One of the best is we can see and inspect the software for vulnerabilities. But far too few people actually do this. Let me demonstrate, using a Laravel package, how this lack of review might backfire and cause you grief.

Composer Security Concerns with Create Project

Jan 21, 2019 composer php security

One of the lesser known pieces of functionality from Composer is the ability to create a project from skeleton/scaffolding. This ability allows you to create a project structure, directory, files and requirements based on the suggested setup from the project maintainer. A common installation mechanism of Laravel uses this functionality. (Even I use it to save time and set up my own custom configuration for new project skeletons.)

HTTP Only Cookies Aren't Perfectly Secure

Dec 10, 2018 javascript php security

When you’re creating cookies in your server-side application, it’s good security practice to flag the cookie as HTTP Only. This way, it instructs the browser that it should sandbox this cookie from client-side scripts. It will still be sent between client and server on each subsequent request, but JavaScript can’t access it directly.

Quick Local Network Scanner for Default MySQL Installs

Nov 11, 2018 mysql nodejs security

The other day I was at a coffee shop and I looked around at all the Macs open. It used to be that you’d see people writing manuscripts at coffee houses. Surprisingly, this place held a lot of programmers. I suddenly thought of something interesting:

Reminder That Target Blank Links Are Not Safe

Sep 4, 2018 html javascript security

tl;dr: Remember to use rel="noopener" on target="_blank" links where you do not control the destination.

Anatomy of a PHP Hack

Nov 7, 2017 php security

It’s hard to come up with a title for this - but - basically I found some rogue code the other day that I thought was pretty interesting. I was fixing a “hacked” website when I came across the source of the symptoms of the hack. One file had the following code in it:

Laravel Default Throttle Configuration and Common JWT Blacklist Vulnerable to Cache Attacks

Aug 7, 2017 laravel php security

One thing I like about Laravel is the amount of built-in functionality that is available. But when this functionality is left in default configuration (much like many default configuration items getting hacked), there can be consequences.

The Chicken or the Egg of Hacking Your Software

Jul 26, 2016 business security

Today I was faced with an interesting quandary about whether I should write the code to exploit an application vulnerability in our software at work. This vulnerability is not necessarily a “security” one, but more so a known risk: it was theorized that someone with enough knowledge could bypass a mechanism in our software.

Two Quick Tips for Securing PHP Sessions

Feb 11, 2016 php security

Let’s talk a little bit about session fixation in PHP. Such a fun topic, right? Tons to get into here. But, let’s just touch the surface on two VERY SIMPLE things you can be doing now to make sure that your website is safe.

Testing MySQL User Info Passwords

Aug 20, 2013 mysql security

Out of some sheer boredom, I started looking at the top 25 used passwords (from articles here and here).

The Very Bad Things That Javascript Can Do: Part 2

Apr 16, 2013 html javascript security

In part 1, I discussed the various arguments I run into about wanting to be overly security conscious with our sites in regard to third party javascript. In this entry, we’ll run through a few scenarios.

The Very Bad Things That Javascript Can Do: Part 1

Apr 9, 2013 javascript security

I have the argument a lot with product managers about allowing custom HTML and Javascript into our projects. I don’t want to do it. I want to only put in predefined, sanitized information. But more about my reasons after this… let’s look at the arguments I get first…

It is important to use die() after a header redirect - here's why

Jan 8, 2013 php security

I was doing some code challenge review for an open web developer position I have for my team, and I came across one piece of code that made me smile.

Filtering User Input/Output in Zend Framework

Jun 26, 2012 security zend-framework

There are two areas where user input should be filtered: on display and on storage. Luckily, Zend Framework provides tools for this…

Keep your Admin Interface CSS Separate

May 16, 2012 css performance security

There are a number of performance arguments about combining assets to reduce HTTP requests and speed up your site. I agree! However, I do have to say that there is such a thing as overkill - to the detriment of speed and security…

Filtering and Validating Discussion

I came up with a great topic to write this blog entry about: filters and validators. Then, I got to thinking - maybe I can get more feedback from other programmers I know. I decided to send a note out to a few of my buddies and see what they thought as well.

Why IP Authorization No Longer Works on Web Apps

The last time someone brought up authorizing certain actions by IP address - or I should say, limiting the number of actions that can happen from one IP address - I brushed it off without a second thought. It didn’t occur to me until later that the original owner of that idea may not have known all the reasons why I know this isn’t a good idea. So here’s a quick rundown:

Easiest Form Token class to prevent CSRF

Oct 12, 2010 php security

So, if you’re not familiar with CSRF, check out this blog post about AJAX Security. Some of the steps talking about Cross Site Request Forgeries will help you understand the problem.

Easy MCrypt encryption class

Aug 17, 2010 php security

For whatever reason, I can never remember the exact coding of MCrypt. And maybe that is a good thing - so I stop doing so much code duplication and start using a class I wrote. For this reason, I’ll save you the same frustrations and share how I do my encryption.

Restrict your .git directory on live site

Jun 15, 2010 git security

Do you use Git to manage your repository? If so, do you use it to check out code onto the server as well? If you do, you really should restrict access to your .git directory if it’s in your public root. (If you’re using things like Zend Framework, chances are your root directory is not your public directory, so you have less to worry about.)

Scanning for Unfiltered Content Automatically with PHP

Sep 15, 2009 php security

A friend of mine posed a question: Do you know of any good PHP based vulnerability scanners? I told him I did not (add any in the comments, if you know! :) ) - but it wouldn’t be that hard to build one. He asked me to give him a code example, so here goes:

Another example of CSRF - in CSS

Mar 5, 2009 css javascript security

Just saw this really cool example get submitted on one of my websites testing for CSRF:

My Progression Through Forgot Passwords

Mar 2, 2009 php programming security

I thought I’d take some time to look at the 3 main ways that I’ve handled forgotten passwords on my websites, why I did them that way, and if there was anything wrong.

Disable md5 now - or you will die

Feb 19, 2009 php security

I remember a while ago hearing about a few theoretical collisions of the MD5 algorithm, but I thought nothing of them. Now, as more information emerges, Microsoft is issuing advisories, people are proving more and more collisions with example code, and even md5 is out of Vista, I figure it’s time to remind everyone not to use MD5.

Password Complexity Class

Feb 12, 2009 php security

After many times of coding relatively the same thing, it becomes prudent to have a standard library for certain sets of processes. Of course - that is why there are things like frameworks! At any rate, one of the biggest things I run into is password complexity. Each website has its own requirement for the security they want to implement. So, let’s talk about the requirements and then look at the code:

How custom passphrases/pictures still don't protect against phishing

Nov 20, 2008 security

As you probably remember, I have lots of interest in phishing techniques (I talked about one here, and preventing them here). I’ve noticed a new trend: a dual stage login form with a custom picture or passphrase. Users are to gain trust in the login page because their custom configured option is displayed. The more I started thinking about this, however, the more I kept seeing an issue - this can still be easily phished!

Finally - PHP has NoIndex on phpinfo output

Jun 4, 2008 php security

A big issue with PHP security has been developers creating a php info page and not removing it from a production site. As you may know, phpinfo() will dump a ton of useful information (for the developer - as well as the cracker) to the screen:

JS Tool - Security Auditing in Javascript

Apr 24, 2008 javascript security

JSTool was a trial run of combining many different scripts from the open source community into a security and auditing script.

PHP Shared Host - Session File Browser Script

Apr 24, 2008 php security

PHP stores its session information into flat files unencrypted by default.

XSS with Img OnError attribute

Mar 20, 2008 javascript php security

So much of my time is spent worrying over the src or href tags on images and links - that I sometimes forget about the other attributes.

Update your URL filtering: possible XSS from "Data" URL scheme - Firefox

Mar 18, 2008 html javascript security

In regards to the Data URL scheme (RFC here), I’ve found an interesting issue with the way Firefox handles it which could lead to some XSS, I think.

Securing Wordpress - what my 'oops' reminded me

Feb 23, 2008 security wordpress

I don’t want to admit it - but I messed up. I didn’t patch WordPress - and I was a victim of one of the released wp exploits. How could you let this happen? you ask. Well, I was lazy. But let this be a lesson to ya - don’t forget - otherwise it’s a LOT harder to clean it up (it took me roughly 4 hours to fix, which included 2 hours of ignoring my friend on the phone…)

Cross Domain AJAX - A quick anatomy of a mashup

So after searching the Internet for some cross domain AJAX stuff, I noticed two interesting articles. The first was the specifics of writing these queries (located here). Then, the next gave a breakdown of how this might be useful in a mash-up collaborative sense (here).

Write Security Triggers Against SQL Injection

Aug 20, 2007 security sql

An interesting idea that a colleague told me about was a ‘security trigger’ in any application that has a SQL type storage engine. The trick is to make sure that your admin account is not ID #1 and that your administrative username isn’t one of the most common ones:

Demonstrating Password Manager Almost Vulnerability in FireFox

Jul 28, 2007 javascript security

The “security guys” have been talking about the problems with FireFox’s password manager and I got curious. It turns out that javascript can access saved passwords in your password manager simply by creating a login form and capturing the input field’s contents.

The anatomy of a phishing attack - advanced technique

Jul 12, 2007 security

So many phishing attempts lately are just purely pathetic - easy to guess and figure out, misspelling and grammar issues, and just poorly fashioned websites. Although these will work on the novice web surfer, can a clever criminal actually create a phishing site/scenario that can trap the experienced members in your IT department?

The Top 17 Ways to Help Eliminate the Phishing Threat

Jul 12, 2007 security

The following is the result of a research project I had done about phishing. It’s some best practices and suggestions based upon information from leading security professionals such as white hat security, McAfee, etc. A combination of e-mail security, authentication methods and corporate identity standards are among the suggestions… Here are the top solutions and methods of securing against phishing:

AJAX Security Research and Findings - Round 2

Jul 7, 2007 ajax php security

Round 2, and the final round, is complete! The previous article here talked about my initial findings. Well, I was able to try some proofs of concept on my javascript finding, and I put together our top level recommendations for (“the triangle”). Let’s see:

AJAX Security Research and Findings - Round 1

Jun 28, 2007 ajax php security

(“the triangle”) wants to keep implementing more and more AJAX based systems - but no one ever took time to research into the security issues with this.