Categories
Development LaraSec Security

Why Parameterised Queries Are Important

This is the fourth security tip from my Laravel Security in Depth newsletter, sent out to all subscribers on October 8th. Please subscribe if you’d like these tips delivered weekly. Laravel provides an expressive fluent interface for building database queries, either as raw queries through the query builder or as part of Eloquent (Laravel’s Object-Relational Mapper, ORM). The query builder allows […]
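The same lookup written with and without bindings, as an added example (not code from the newsletter). It assumes a stock Laravel application with a `users` table and the default `DB` facade; the attacker input is constructed for the demonstration.

```php
<?php
// Added example, not the newsletter's code. Assumes a `users` table with an
// `email` column and Laravel's default database connection.

use Illuminate\Support\Facades\DB;

// Constructed attacker input: closes the string literal and appends a tautology.
$email = "nobody@example.com' OR '1'='1";

// 1. Vulnerable: string interpolation builds the SQL from user input, so the
//    statement becomes ... WHERE email = 'nobody@example.com' OR '1'='1'
//    and matches every row.
$rows = DB::select("SELECT * FROM users WHERE email = '{$email}'");

// 2. Safe: the `?` placeholder is bound by the driver. The quote inside
//    $email stays data, and the query matches nothing.
$rows = DB::select('SELECT * FROM users WHERE email = ?', [$email]);

// 3. Safe and idiomatic: the query builder binds the value for you.
$rows = DB::table('users')->where('email', $email)->get();

// The builder stops protecting you at the *Raw methods: their first argument
// is inserted verbatim. Keep user input in the bindings array instead.
$rows = DB::table('users')
    ->whereRaw("email = '{$email}'")      // vulnerable again
    ->get();

$rows = DB::table('users')
    ->whereRaw('email = ?', [$email])     // bindings restore the protection
    ->get();
```

Bindings cover values only. A column name or sort direction taken from the request (for example a user-chosen `orderBy` column) cannot be bound and has to be checked against an allow-list before it reaches the builder.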

Categories
Development Security

Using a Custom Key for Encrypted Cast Model Attributes in Laravel

This is the first security tip from my Laravel Security in Depth newsletter, sent out on Monday to all subscribers. Please sign up if you’d like these tips delivered weekly. Laravel allows you to cast model attributes as encrypted strings, when stored in the database. This gives you added security for any values that are […]
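One way to cast an attribute with a key other than `APP_KEY`, as an added example that is not the newsletter's code. It uses Laravel's own `Illuminate\Encryption\Encrypter` inside a custom cast implementing `CastsAttributes`; the config entry `app.pii_key` and the environment variable `PII_ENCRYPTION_KEY` are assumed names, not part of the framework.

```php
<?php
// Added example, not the newsletter's code. Assumes config/app.php contains
//     'pii_key' => env('PII_ENCRYPTION_KEY'),
// and .env holds a base64-encoded 32-byte key, e.g. generated with
//     php -r "echo 'base64:' . base64_encode(random_bytes(32)) . PHP_EOL;"
// Both names are hypothetical.

namespace App\Casts;

use Illuminate\Contracts\Database\Eloquent\CastsAttributes;
use Illuminate\Encryption\Encrypter;
use Illuminate\Support\Str;

class EncryptedWithCustomKey implements CastsAttributes
{
    private Encrypter $encrypter;

    public function __construct()
    {
        $key = config('app.pii_key');

        // Laravel stores keys in .env as "base64:<key>"; decode that form so the
        // raw 32 bytes reach the Encrypter. AES-256-CBC requires exactly 32 bytes.
        if (Str::startsWith($key, 'base64:')) {
            $key = base64_decode(substr($key, 7));
        }

        $this->encrypter = new Encrypter($key, 'AES-256-CBC');
    }

    // Database -> model: decrypt (and MAC-check) the stored payload.
    public function get($model, string $key, $value, array $attributes)
    {
        return $value === null ? null : $this->encrypter->decryptString($value);
    }

    // Model -> database: encrypt with the separate key before saving.
    public function set($model, string $key, $value, array $attributes)
    {
        return $value === null ? null : $this->encrypter->encryptString($value);
    }
}
```

Attach it to a model with `protected $casts = ['tax_number' => EncryptedWithCustomKey::class];` (column name hypothetical). `decryptString()` throws `Illuminate\Contracts\Encryption\DecryptException` when the payload was tampered with or was encrypted under a different key, so a key rotation means re-encrypting the stored rows with the new key rather than just changing the variable.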

Categories
Security

Introducing Laravel Security in Depth

I’d like to introduce a new project I’ve just started: Laravel Security in Depth. It’s something I’ve never tried before, or even considered as an option until recently, and I’m very excited to dive into it and see how it grows. What is Laravel Security in Depth? Laravel Security in Depth is a paid mailing […]

Categories
Security

The Security Risk of SMS Two Factor Authentication

The often talked about security risk of using SMS-based Two Factor Authentication (2FA) isn’t actually as big a security risk as everyone makes it out to be. It’s much more of a security risk in SMS-based Account Recovery. It’s a subtle but incredibly important difference that I keep seeing news sites and security blogs completely overlook. […]

Categories
Development

The difference a single character makes…

I love debugging weird bugs. There is something fun about tracking down a weird bug, spending time replicating the circumstances, and eventually tracing the issue to the cause of the bug. Once you’ve found the cause, the fix is often incredibly trivial – something that was overlooked or not considered when the code was originally […]

Categories
Privacy Security

What are you doing with my data?

My wife and I¹ were filling out a rental house application the other night, and we noted the incredibly invasive nature of the personal information the form was asking for. For example, it wanted to know our car registration number and pet microchip details – both of which have absolutely nothing to do with us […]

Categories
Tutorials

WSL2 Network Issues and Win 10 Fast Start-Up

I recently encountered a network issue where my WSL2 (Windows Subsystem for Linux) distro was unable to retrieve DNS and connect to the internet without me changing /etc/resolv.conf. Likewise, Windows was unable to connect to the WSL2 ports via localhost. To quickly workaround these issues, I set my nameserver to be 1.1.1.1 in /etc/resolv.conf and […]

Categories
Tutorials

Automatic Backups for WSL2

Windows Subsystem for Linux (WSL) is pure awesome, and WSL2 is even more awesome. (If you’ve never heard of it before, it’s Linux running inside Windows 10 – not as a virtual machine or emulator, but as a fully supported environment that shares the machine.) I’ve been testing WSL2 for a few months now as […]

Categories
Security Development

CSRF Is Dead, Long Live SameSite=Lax! (or is it?)

In the original version of my talk “Think Like a Hacker and Secure WordPress, live on stage”, I demonstrated a Cross-Site Request Forgery (CSRF) attack. While this attack worked perfectly during WordCamp Brisbane 2019, in-progress changes to Google Chrome (version 80) are bringing about the end of CSRF. (Well, sort of…) In light of this change, […]

Categories
Tutorials

How to Shrink a WSL2 Virtual Disk

I’m a huge fan of Windows Subsystem for Linux (WSL), especially WSL2 which uses a virtualisation layer to bring increased performance and compatibility to WSL. However, one of the few downsides of WSL2 is that it uses a virtual disk (VHDX) to store the filesystem. This means you can end up in a situation where […]