12 months of Laravel Security in Depth
Thank you all for an amazing journey!
Greetings my friends!
I’m writing this on August 31st, exactly one year after I sent out the first Laravel Security in Depth email, Welcome to Laravel Security in Depth, and a week before the first security tip, Security Tip: Custom Encryption Key. It still amazes me that I’ve been doing this for a year. Previously I’d be lucky to write a blog post once a month!
Rather than sending out the scheduled In Depth, I wanted to pause and take a break for the month, and reflect on the year that has been. I’m also in the middle of moving house and planning for Laracon Online, and working on an awesome secret project1, so realistically, I wasn’t sure I was going to get my In Depth ready in time anyway2. However, it is important to take the time to reflect, so maybe it’s all rather well timed, and I definitely want to reflect on the incredible journey I’ve taken this past 12 months.
Most importantly, I want to say a massive thank you to every single one of you (both free and paid subscribers)! Thank you for supporting my strange idea to start a mailing list about Laravel Security. When I launched it, I had no idea what to expect and now 12 months later Laravel Security in Depth has an incredible 1,172 subscribers! Thank you all so much. 🥰
Also, a big extra thank you to those who support me financially. Your financial support allows me to dedicate the time each week to writing these emails, and encourage me to keep learning and sharing more about Laravel security. I would not be able to do this each week if it wasn’t for your support. Thank you.
If you haven’t subscribed already, please consider becoming a free or paid subscriber to support Laravel Security in Depth!
The Origin of LSID
I haven’t talked about this much publicly, but I wanted to share briefly about the origin of Laravel Security in Depth.
In July last year I quit my job due to burn out. I was working remotely as a senior dev for a US company (I’m in Australia) and I was completely burnt out with the 4am starts and the culture changes brought on by COVID.
So I quit my job, intending to take a few months off and work on a new upcoming project. I was scheduled to speak at Laracon Online at the start of September, and knew that most speakers at Laracon have some side hustle to promote, so why shouldn’t I do it too?
I’d recently come across Substack and thought their model was interesting, so when I was thinking of ideas I thought about starting up a paid mailing list about Laravel Security. I had no idea anyone would actually be interested, but I loved the idea and dived right in. And that’s how Laravel Security in Depth was born!
Launching at Laracon September 2021 saw a lot of immediate interest, a number of subscribers, and validation of my weird idea. So it started and has been growing quickly every month!
The In Depths
Over the past 12 months I’ve published 11 In Depths, of which 4 have included interactive challenges in our intentionally vulnerable Laravel app.
Side note, if you haven’t checked those exercises out yet, you’re missing out on a lot of fun.
In publication order, these are the In Depths we’ve had over the past year.
I don’t think I would’ve started here if I had to start LSID again, but it was worth doing, and is great deep dive into how Encryption works in Laravel.
SQL Injection (SQLi) is such a fun topic to cover, and I couldn’t talk about it without providing an interactive SQLi demo for you to play with. Hence the demo site was born! I documented some of my decisions setting it up on Twitter too: https://twitter.com/valorin/status/1454228607799156742.
Escaping Output Safely
Following up SQLi with XSS seemed somewhat appropriate. I built some more challenges and talked about escaping output. Given this is a common flaw I see when auditing apps, it’s still very much applicable.
This one came from a vulnerability that was fixed in Laravel v8.74.0, around nested blade placeholders. It was such an interesting vulnerability that we took a look into the guts of how it worked and similar issues relating to it.
Another technical one, this time into password hashing and safely updating passwords to modern hashes. This one was quite fascinating to write, even if it was also very technical.
This was a fun one that was absolutely screaming for an interactive demo, so I built a new challenge and walked you through the fascinating world of timing attacks. The highlight for me was looking at examples of timing differences in nanoseconds!
Content Security Policy (CSP)
My favourite, and the hardest to write! 😲 It took a lot of time to carefully massage such a huge topic into a single email. I missed out heaps of content I wanted to include, but I’m really proud of what I wrote, and I believe it does the topic justice.
This is another area that’s often lacking when conducting my audits, and I wanted to share everything I knew about one of my favourite Laravel features. It ended up being a great resource. 🙂
Ah… Signed URLs. I absolutely love these. So easy to use, and so incredibly powerful. 🥰 If you’ve never used them before, go read this post. You’ll find a use for them - trust me!
The logical extension from Signed URLs, with some really useful tips around numeric OTPs and entropy.
Insecure Direct Object References (IDOR)
Of the challenges, these were by far the most fun to put together. I had to come up with some creative, but realistic, scenarios for IDORs to exist, and I believe I pulled it off nicely.
Most of these were so long to write that I was getting alerts from Substack that I was hitting the email content length limit3, and I'm proud of the amount of content I was able to pack into each and every one of them.
If you’re looking for some security content this week, go and check out any of the In Depth’s you’ve missed or need a refresher on!
The Most Popular
According to Substack, these are the most popular posts:
Laravel Security: File Upload Vulnerability
This was an unscheduled extra email writeup about a “Laravel vulnerability” that was doing the rounds on Twitter. I keep an eye out for any such vulnerabilities and will do more writeups as they are discovered.
In Depth: Signed URLs
One of my favourites, covering Signed URLs, which is a feature I absolutely love.
In Depth: Content Security Policy (CSP)
See above. 🥰
Security Tip: Login Logging
A surprise favourite of subscribers, a quick tip reminding you to log important events like logins and registrations. Something I don’t see enough of in audits!
Unsurprising this is up here, given how much I go on about this and believe validation is essential.
In Depth: SQL Injection
SQLi is fun, what can I say? 🤣
Security Tip: Custom Encryption Key
A commonly asked question is how to use a custom encryption key, and hopefully this tip makes it easy.
In Depth: Escaping Output Safely
Like I said, I go on about this a bit…
This was a great new feature added to Laravel that I had to cover on here. It deserves as much attention as possible.
Security Tip: Protecting Production APIs
This is something I’ve been doing for ages and wanted to share with the community. It’s a great little trick for protecting third-party API keys from being used in the wrong environments.
If you’ve missed any of these, you’ll want to go check them out.
Let me know in the comments (or reply to this email) and let me know which were your favourites and what you’d love to see me cover next!
What Didn’t Work…
I tried launching discussion posts, and it never took off. I was hoping to start a lively debate, but was lucky to get 1 comment from a subscriber…
I dropped discussions for a month or two until Substack added polls, and relaunched discussions with added polls. These gave some feedback on the discussion points to discuss, and it seems to be working out better.
These were our discussions and polls:
Updating Packages (Poll)
I’m going to keep writing you emails each week, covering Laravel Security in Depth. We’ll be back to our monthly In Depths and weekly security tips shortly, and I’m excited to kick off our series about the OWASP Top 10 soon! I’ll also get that anniversary challenge built! I have some really
evil fun ideas for it, so you’re not going to want to miss it.
Before we finish up, I want to get YOUR thoughts on LSID…
Please jump into the comments and leave your thoughts and ideas. I’d love to receive any and all honest feedback, good or bad. 🙂
Finally, thank you once again for making Laravel Security in Depth what it is today. I would not be doing this if it wasn’t for your support.
Thank you. 🥰
P.s. Please don’t forget to Share Laravel Security in Depth with your Laravel friends. I love seeing people sharing LSID and my posts on Twitter, and if you tag me (@valorin), I’ll retweet and follow you. 🙂
It’s something new I’ve never done before, and it’s super exciting! I’ll definitely be letting you all know when it’s ready to go. 😁
I know I mentioned a few weeks ago about running a hacking competition to celebrate the anniversary, and I still plan to set it up (and no, it’s not my secret project). It won’t be ready by the time this email goes out - but when it’s ready, you’ll all be the first to know!
The point at which Gmail, and others, truncate and force you to open the full thing in a new tab.