Overview
Why is Laravel Security important?
It's easy to make the assumption that a robust framework like Laravel is secure, but most of the time, it's the little things which expose vulnerabilities in your apps.
Let's take a look at some recent examples from the news...
• Australian telecommunications company Optus was recently hacked due to allegedly leaving an unauthenticated API endpoint exposed "with the assumption that the API would only be used by authorised company systems."
• PortSwigger discovered a vulnerability in a Mastodon fork that allowed them to steal user passwords, caused by a weak Content Security Policy (CSP) and flexible limitations on user inputs: "The form-action directive could prevent these sorts of attacks".
• Fortbridge discovered the REST API in Plesk was lacking adequate Cross-Site Request Forgery (CSRF) protection, which allowed them to craft custom attacks that affect "all the POST requests and we could abuse most of the APIs with it".
All of these were small and overlooked vulnerabilities in otherwise robust and secure systems.
Practical Laravel Security teaches you how to avoid, find and fix these small mistakes, so unlike these apps, yours won't get hacked!
Course Outline
I believe the best way to learn how to defend against the hackers is to first learn how to hack (ethically, of course...).
So we start by learning their attacks.
First we'll cover the theory - what is it? How does it work? Why would they use it?
And then you'll learn how to do it yourself! Each module will give you hands-on practical exercises where you can put your new hacking skills to use!
Of course, there's no point teaching you an attack without also teaching you how to defend against it. So in the Defend modules, I'll teach you exactly what tools you need to protect your site from the attacks you've just learnt.
Finally, in the History section, you can learn from their mistakes. We'll look at previously disclosed vulnerabilities in Laravel and the community. I'll show you exactly what went wrong, and how they were fixed.
Episodes
- Cross-Site Scripting (XSS)
- SQL Injection (SQLi)
- Cross-Site Request Forgery (CSRF)
- Insecure Direct Object References (IDOR)
- Type Juggling
- Credential Stuffing
- PHP Object Injection
- Remote Code Execution (RCE)
- Server-Side Request Forgery (SSRF)
- Escaping Output
- Input Validation
- Password Security
- Policy Objects
- Rate Limiting
- Signed URLs
- Authentication
- Authorisation
- Browser Security Headers
- Content Security Policy (CSP)
- Subresource Integrity (SRI)
- More and More
Author
Stephen Rees-Carter
I’m a Security Consultant who specializes in security audits and pentesting for Laravel and PHP sites. I’ve been building and hacking Laravel apps since 2013, so I know how to help you secure your sites.
In addition to security audits, I also run security workshops and training for development teams. These are focused on teaching developers to think like hackers, to help them write secure code, and to identify weaknesses hackers may exploit.
In my spare time, you’ll find me speaking at conferences about security (or hacking sites while speaking about security!) and writing my Laravel Security in Depth newsletter, which teaches Laravel developers of all skill levels about security concepts.