valorin.bsky.social
Friendly Hacker, Speaker, and PHP & Laravel Security Specialist. 🕵️ I write securinglaravel.com and hack stuff on stage for fun. 😈 I'm found elsewhere too: https://pinkary.com/@valorin 🪄
711 posts 2,164 followers 480 following

Running my first "Let's Hack!" Laravel workshop for an awesome Aussie team tomorrow! 🎉 It's based around "Th1nk Lik3 a H4cker", but I've added more challenges and twists, so even if they've studied, they'll still need to work hard. 😈 It's going to be sooo much fun! 😁

These are my top 3 tips for getting started with a Content Security Policy - as proven by a friend who went from failing security scans to passing with flying colours. https://securinglaravel.com/security-tip-run-your-csp-in-local-development/ #Laravel

Delivering XSS payloads via User Agent strings. 😈

The more dependencies your project has, the higher your risk of supply-chain attack is, and the less you're aware of what code is actually running. My recommendation: Replace simple dependencies with your own versions. https://securinglaravel.com/security-tip-replace-simple-dependencies/ #Laravel

I've had a few "ad companies" reach out about ads/sponsorships on Securing Laravel, so let me be clear: I'm not interested in a third-party managing any content on SL. But it got me thinking, are there Laravel/PHP/Security companies that would be interested in directly sponsoring articles?

I read online about how some women in STEM bios are being deleted from websites "to comply with the new regulations". And I have thoughts. Many thoughts. I wrote some of them down, as I do when I need to process something. Have a read. www.zuzana-k.com/articles/rep...

Ok friends, what do you call these things? () [] <> I call them brackets (), square-brackets [], and angle-brackets <>. Is that just a me thing, or an Aussie thing? Are there better names for them?

Had a wide range of responses to this, and unsurprisingly a lot of folks aren't fully aware of how PHP handles precedence, and why brackets are so important! 🧐 securinglaravel.com/security-tip... #Laravel

Ok #Laravel folks, without looking anything up, what do you think this code does? `Broadcast::channel('users.{id}', function (User $user, $id) { return (bool) $user->id == $id; });`
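The precedence trap in that snippet, shown as an added example that is not code from the post or from Laravel. It is plain PHP with no framework: the `User` class is a constructed stand-in for an Eloquent model, and `buggyChannelCheck` / `fixedChannelCheck` are hypothetical stand-ins for the body of the `Broadcast::channel` callback.

```php
<?php
// Added example, not code from the post or from Laravel. Pure PHP; the User
// class is a constructed stand-in for an Eloquent model and the two functions
// are hypothetical stand-ins for the Broadcast::channel callback.
declare(strict_types=1);

final class User
{
    public function __construct(public int $id) {}
}

// The callback body exactly as written in the post. Casts bind tighter than
// comparison operators, so PHP reads this as ((bool) $user->id) == $id.
// For any non-zero user id the left side is `true`, and a loose comparison
// of bool with string converts the string to bool as well, so every
// non-empty channel id other than "0" compares equal.
function buggyChannelCheck(User $user, string $id): bool
{
    return (bool) $user->id == $id;
}

// Corrected: require an integer route parameter, then compare the two ids
// as the same type with strict equality. Returning true is what authorises
// the subscriber, so this function is the authorisation check.
function fixedChannelCheck(User $user, string $id): bool
{
    return ctype_digit($id) && $user->id === (int) $id;
}

// Try user 42 against a few channel ids and collect what each version returns.
function compareChecks(): array
{
    $alice = new User(42);
    $results = [];
    foreach (['42', '7', '0'] as $channelId) {
        $results[$channelId] = [
            'buggy' => buggyChannelCheck($alice, $channelId),
            'fixed' => fixedChannelCheck($alice, $channelId),
        ];
    }
    return $results;
}

foreach (compareChecks() as $channelId => $r) {
    printf(
        "user 42 joining users.%-2s  buggy: %-5s  fixed: %s\n",
        $channelId,
        var_export($r['buggy'], true),
        var_export($r['fixed'], true),
    );
}
```

Run it with PHP 8 (`php precedence.php`): the buggy version lets user 42 join `users.7`, the fixed version does not. The author's likely intent was `(bool) ($user->id == $id)`, but comparing the two ids as the same type with `===` says what is meant without relying on the reader knowing the precedence table.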

I talk about it all the time, so it should come as no surprise that my favourite trick to avoiding XSS with complex HTML output is to use Laravel's HtmlString with {{ ... }}. The less you use {!! ... !!}, the harder it is for XSS to hide! 🕵️ https://securinglaravel.com/security-tip-avoiding-xss-w…

There is something disturbing about AI options in Microsoft Notepad... but also kinda fun. 🤣

Do you have sufficient rate limiting on your app? Are your authentication routes covered? What about your API? Can a hacker brute-force your 2FA prompt? Rate limiting is important for a number of reasons, so make sure you have it configured! https://securinglaravel.com/security-tip-dont-forget-rat…

Let's explore a number of common ways developers fail authorisation in Laravel apps, and what you need to watch out for so you don't make the same mistakes! https://securinglaravel.com/in-depth-common-authorisation-failures/ #Laravel

Any PhpStorm @jetbrains.com users having trouble with it freezing when opening projects? I think it's related to @github.com Copilot, but still trying to debug...

Today's working music... Once Upon a Time: The Musical Episode. 🎶 My one complaint: there are only 8 songs, I want more...

For the nerdy folks interested in hashing, bcrypt, 72 bytes, and other weird cryptography things like that in Laravel, check out this PR: https://github.com/laravel/framework/pull/54509 🤓

Validating single values in Laravel is easy, but what about validating array inputs? https://securinglaravel.com/security-tip-validating-array-inputs/ #Laravel

Had a great intro call with the team for my security workshops in a few weeks! It's going to be a fun one, and they should get a lot out of it. But it got me thinking... maybe I should run a public security workshop? 🤔 Who is interested?

It's quite common to inject JSON into Blade templates for various use cases, but is it actually safe to do so? Not really... https://securinglaravel.com/security-tip-safely-rendering-json/ #Laravel

While trying to come up with a security tip relating to Insecure Cryptography, my partner reminded me of a story she was once told about the SHA-3 competition. It's a great reminder that crypto is hard, even for those who are very good at it! 🧐 https://securinglaravel.com/security-tip-dont-roll-yo…

Love to see these numbers each morning, and getting very close to 4,000 subscribers! 🎉

Well this is a new one... What's going on here? 🧐 There are a few different aspects to this one, they definitely get points for creativity. 🤣

WTF is an "oxbow lake"?? Isn't that a Billabong?

"EU"... 😭

Laravel's Request gives you a bunch of different helper methods for interacting with user input. Although I recommend just sticking with `$request->validate()`, there are a few useful ones, if you need something specific. https://securinglaravel.com/security-tip-retrieving-request-values/ #Laravel

Why treat all user input as strings when you can pull out specific values from Laravel's Request object and automatically cast them as the types you're expecting? https://securinglaravel.com/security-tip-casing-request-values/ #Laravel

Kids go back to school tomorrow, which means (in theory) I'll be able to inject some quality distraction-free hours into my course. 🤞 I was hoping to have the Authentication module out last week, but setting up a safe challenge for credential stuffing proved difficult.