Stephen Rees-Carter :laravel:

Friendly Hacker, Speaker, and PHP & Laravel Security Specialist.🕵️
I hack stuff on stage for fun. 😈
I used to be found at: infosec.exchange/@valorin
#searchable

Stephen Rees-Carter :laravel:valorin@phpc.social
2025-06-06

Starting to lock in details for the Pre-Laracon Security workshop in Brisbane! 🎉

It'll be the morning of Wednesday 12th November - the day before Laracon AU, at a venue really close to the conference.

I'll get ticket sales open soon, but sign up at workshop.valorinsecurity.com/ to keep informed.

Stephen Rees-Carter :laravel:valorin@phpc.social
2025-06-04

It's incredibly common to find hardcoded domains used for identifying admins, however this also makes it trivial to escalate privileges to admin! 😈

securinglaravel.com/security-t
#Laravel

Stephen Rees-Carter :laravel:valorin@phpc.social
2025-06-04

"Don't Roll Your Own Crypto" applies to password generators too! It's way too easy to unknowingly lower your entropy by trying to be clever... 😱

securinglaravel.com/security-t #Laravel

Stephen Rees-Carter :laravel:valorin@phpc.social
2025-06-03

It may be tempting to reach for env() outside your config files, but you may be introducing subtle bugs, or exposing your app to compromise... 😱

securinglaravel.com/security-t #Laravel

Stephen Rees-Carter :laravel:valorin@phpc.social
2025-05-29

@bobmagicii @outofcontrol

Oooh, yes. This would be a great way to do it. Sometimes you do need that info, but really only once.

When I did WordPress site cleaning, our toolkit was auto-deleting. We'd upload the script, use it to extract all the files and metadata, and when it was done, the file would remove itself.

Stephen Rees-Carter :laravel:valorin@phpc.social
2025-05-29

@outofcontrol Painless to abuse too. 😈

Stephen Rees-Carter :laravel:valorin@phpc.social
2025-05-28

It may seem like a harmless debugging tool, with a bunch of boring config values and version numbers, but phpinfo() is a goldmine of sensitive data - even when it's "protected" in an admin account! 😈

securinglaravel.com/security-t #Laravel

Stephen Rees-Carter :laravel:valorin@phpc.social
2025-05-28

So many spinning plates at the moment, between trying to organise workshops, trips, sponsors, audit/pentest clients, etc... 🥴

To keep up with all I'm doing, sign up to securinglaravel.com. The "Appendices" after each email have everything coming up, and any opportunities. 🙏

Stephen Rees-Carter :laravel:valorin@phpc.social
2025-05-27

On the subject of Laravel Security Workshops, any companies in the EU or UK interested in an in-person workshop for their team? I'm hoping to book a few around Laravel Live Denmark. 🤓

I've transformed "Th1nk Lik3 a H4cker" into a much bigger, fully-interactive, workshop format! 😈

#Laravel #laravellivedk

Stephen Rees-Carter :laravel:valorin@phpc.social
2025-05-27

Excited to report that I've had a lot of interest for a Laravel Security Workshop at Laracon AU, so I'm looking into venues for a half-day on Wed morning (12th Nov), so you just have to come a day early! 🎉

If you're interested and want to keep in the loop, I've popped up an announcements mailing list: workshop.valorinsecurity.com

#Laravel #LaraconAU

Stephen Rees-Carter :laravel:valorin@phpc.social
2025-05-26

@bobmagicii I think it works for shows that have limited scope, such as Bridgerton - it would've suffered if it didn't have a single focused story.

But for stories with a big scope like LOTR, WOT, Stargate, Star Trek, etc, they need that space to explore.

Stephen Rees-Carter :laravel:valorin@phpc.social
2025-05-26

@bobmagicii Yeah, and they had plenty of time to explore their "world", with lots of tangents and side plots. Rather than every minute being focused on the final endgame.

Stephen Rees-Carter :laravel:valorin@phpc.social
2025-05-26

@bobmagicii Stargate was such a fun show!

Stephen Rees-Carter :laravel:valorin@phpc.social
2025-05-25

Ok Aussie & NZ friends, would anyone be interested in coming to a half or full day security workshop in Brisbane the week before #LaraconAU (i.e. Mon, Tues, or Wed)? 🤓

If there is enough interest, I'll start looking for a venue and figure out pricing, etc.

Stephen Rees-Carter :laravel:valorin@phpc.social
2025-05-24

I miss the days when TV shows had more episodes, smaller budgets, and space to breathe. Wheel of Time was an incredible show, but 8 eps per season wasn't enough, and the "expectations of success" were set too high. 😭

What am I going to alternate years with Rings of Power now?

#TheWheelOfTime

Stephen Rees-Carter :laravel:valorin@phpc.social
2025-05-23

@standaniels Definitely one of the joys of this job. 😎

Stephen Rees-Carter :laravel:valorin@phpc.social
2025-05-23

@me Hehe, indeed.

Honestly, it's a fairly predictable bypass. It sounds a lot cooler if I'm mysterious than actually coming out and saying it.

Stephen Rees-Carter :laravel:valorin@phpc.social
2025-05-22

Just bypassed Cloudflare Access on a client's site! 😈

Ask Me Anything!

Note, my NDA prevents me from answering anything even vaguely relevant, but feel free to ask... 🤣

Stephen Rees-Carter :laravel:valorin@phpc.social
2025-05-21

I've been considering this for a while, so it's time to throw it out into the world...

Securing Laravel is now open to sponsorships! 🎉

Your company can sponsor my weekly Security Tips, supporting my work in improving security within the Laravel and PHP communities.

👉 securinglaravel.com/sponsor

Stephen Rees-Carter :laravel:valorin@phpc.social
2025-05-21

It's comments like these that make all the work I put into my big articles like securinglaravel.com/in-depth-a so worth it! 🥰