File Explorer
https://ift.tt/3h2zKRi
Let’s continue our rebuild by working on the file explorer and footer.
Published on Sep 3rd, 2020.
programming
via Laracasts https://ift.tt/1eZ1zac
September 3, 2020 at 10:32AM
Google Offering $400, Six-Month Online Certificate in UX Design, “the Equivalent of a Four-Year Degree”
Google Offering $400, Six-Month Online Certificate in UX Design, “the Equivalent of a Four-Year Degree”
https://ift.tt/32Uq3PB
In an effort to both boost the economy and train the types of workers they themselves need, Google will shortly be rolling out an ambitious initiative: Google Career Certificates, which one gains by taking their online courses, requiring "about six months to complete."
For a reported tuition of $300-$400, the company is betting they can teach you enough in a half-year’s time (rather than you having to attend a traditional university for four years) to land a job. And while you don’t have to apply for a job specifically with Google, pursuing it sounds advantageous: "At Google we will consider our new career certificates as the equivalent of a four-year degree for related roles," writes Kent Walker, Google’s SVP of Global Affairs.
Unsurprisingly there are no ID degrees on offer. The closest we could find to the Core77 wheelhouse was UX Designer.
User experience (UX) designers make technology easier and more enjoyable to use. They create or refine products and interfaces to make them useful, usable, and accessible to users.
This certificate teaches learners the foundations of UX design and research, building low-fidelity designs and wireframes, creating high-fidelity prototypes, and testing.
The median annual wage for UX designers: $75,000
Other fields and salaries mentioned are Data Analyst ($66,000), IT Support Specialist ($54,760), and Project Manager ($93,000). Google also mentions that enrolling in their Certificate program provides "access to career resources: Learners will have access to resources to facilitate their job search and interview preparation."
There’s no word yet on when precisely the courses will go online; for now they’ve got a "Notify me" button on the webpage.
fun
via Core77 https://ift.tt/1KCdCI5
September 3, 2020 at 10:46AM
No Time to Die (Trailer 2)
No Time to Die (Trailer 2)
https://ift.tt/31TtR4f
Daniel Craig’s final turn as 007 has been delayed until November 2020, but from the look of the intense action and stunt sequences in the latest trailer, it’ll be worth the wait. We also get a closer look at Rami Malek’s pockmarked face as the villainous Safin.
fun
via The Awesomer https://theawesomer.com
September 3, 2020 at 11:45AM
Preparing for Laravel 8
Preparing for Laravel 8
https://ift.tt/3bp6zGz
Before we dive into the new features in Laravel 8, let’s first pull in the latest version of the Laravel Installer tool. This new version includes the ability to generate the necessary Jetstream scaffolding when creating a Laravel app. Next, we’ll install a fresh copy of Laravel 8.
Published on Sep 3rd, 2020.
programming
via Laracasts https://ift.tt/1eZ1zac
September 3, 2020 at 03:37PM
Westminster Abbey’s Hidden Gallery Space, Sealed to the Public for 700 Years
Westminster Abbey’s Hidden Gallery Space, Sealed to the Public for 700 Years
https://ift.tt/31zyVKY
Westminster Abbey is perhaps the UK’s most famous Gothic cathedral, with instantly-recognizable interior views like this:
One area of the church, however, may not look so familiar. The triforium, a walled interior space located 52 feet above the cathedral floor, was closed off to the public for some 700 years. The Abbey’s administrators used it for storage, and for seven centuries the space was unseen by the masses.
Recently, however, the decision was made to repurpose the triforium as a gallery, open to the public. Two years ago the space was rechristened the Queen’s Diamond Jubilee Galleries, hosting a rotation of 300 historical artifacts.
Providing physical access was initially an issue. Westminster Abbey’s construction began over 1,000 years ago, and because wheelchair access was not a design consideration in the year 960, in 2018 a modern exterior tower was constructed to house an elevator and stairs that the public could use to access the triforium. Designed by Ptolemy Dean Architects and fabricated by contractors McNealy Brown, the Weston Tower was the first structural element added to the building in 300 years.
And while Westminster Abbey was around for the Bubonic Plague back in the 14th century, it is of course currently closed on account of the current COVID pandemic. Once it, and London, opens back up, add the hidden gem of the triforium to your sightseeing bucket list.
fun
via Core77 https://ift.tt/1KCdCI5
August 28, 2020 at 08:50AM
Consider subdomains and route files for your App Areas. It’s not that difficult!
Consider subdomains and route files for your App Areas. It’s not that difficult!
https://twitter.com/francisc0daniel/status/1296477126275796992
Consider using subdomains for your app areas and also splitting routes in files. It’s not that difficult!
1. Put your domains in your “hosts” file
2. All route groups with respective domains
3. Session domain
4. php artisan serve –port=80@laravelphp @laravelnews pic.twitter.com/SnTuMSZYAk— Francisco Daniel (@francisc0daniel) August 20, 2020
programming
via Laravel News Links https://ift.tt/2dvygAJ
August 25, 2020 at 09:45PM
[Best AR-15 Builds] Pin & Weld Blue-Collar Duty Rifle
[Best AR-15 Builds] Pin & Weld Blue-Collar Duty Rifle
https://ift.tt/2CWsdVU
If you’ve been on any social media page devoted to the AR, you’re seeing a lot of hype over 13.7-14” barrels lately. The hype is real. It’s a versatile length for an AR for multiple reasons.
But why would someone go with that size of barrel?
How can you run a sub-16” barrel with a stock, and not have to worry about NFA legislation and the $200 donation to the crown?
Let’s dig into my new favorite build, all the DIY “gunsmithing” options I performed, and how to pin and weld a muzzle device to bypass unconstitutional gun legislation like the National Firearms Act.
Table of Contents
Loading…
Reasons to Go Short
First and foremost, why go under 16” of barrel?
Simple.
Shorter is lighter, handier, and with a permanently attached muzzle device, you can keep the overall length of the barrel to legal minimum lengths. Velocity is still effective for a 300+ meter carbine as well.
A 16” barrel with a typical muzzle device adds length to the rifle overall. It may not seem like much, but shaving off 2”+ is noticeable when handling a rifle.
With a shorter handguard, it makes the rifle balance well while using a thumb over bore grip with your support arm.
With the plethora of muzzle devices on the market that doubles as a suppressor mount, you can permanently attach a muzzle device to add overall length to a barrel that is 13.7-14.0”. The SOLGW NOX, the Dead Air Flashhider and Brake, and FCD options are just a few that will work.
If you plan on using a can on your rifle, this efficiently keeps the overall length shorter since most QD cans have the muzzle device inside of the blast chamber. For example, running a Sandman S becomes more manageable than a 16” barrel with a Key Mount from Dead Air.
The Barrel and Gas Block
The barrel I chose for this duty level blue-collar build was a Ballistic Advantage 14” Hanson profile in 4150 CMV steel.
The barrel has a QPQ (nitride) finish with a FailZero nickel boron coated M4 barrel extension. It has a carbine gas length and comes predrilled to pin the gas block that is included.
210
at Brownells
Prices accurate at time of writing
Prices accurate at time of writing
Speaking of the predrilled and included gas block, I decided to take it a step further.
While the included roll pin would serve well in fixing the gas block to the barrel, I typically can’t leave well enough alone.
I decided to dimple the barrel for the gas block set screws and ream the drilled hole out with a 2/0 taper pin reamer. It’s easy to do with the jigs I purchased from Black Rifle Engineering.
84
at Brownells
Prices accurate at time of writing
Prices accurate at time of writing
If you build a few rifles, they are worth adding to your gunsmithing tools and make the process quick.
Like most BA Hanson barrels, accuracy is everything you’d expect. Its typically a sub-2MOA barrel, and when I do my part with match grade ammunition, the rifle will shoot consistently 1 MOA or under. It happens to prefer Mk262, and Remington 62 grain BTHPs.
The Pin and Weld
The dimpling didn’t end there.
To make the 14” BA Hanson barrel legal to use with a stock, I needed to make the overall length at a minimum of 16”. I decided to go with the tried and true Dead Air Key Mount Flash Hider.
99
at Brownells
Prices accurate at time of writing
Prices accurate at time of writing
Before anything else is done, you need to verify that the overall barrel length is at least 16” to legally be a rifle. To measure the overall length, you must install the muzzle device and any shims needed for proper timing.
A simple cleaning rod pushed up against the bolt face and marked with a marker can give you an accurate measurement to verify a 16” overall length.
This is the ONLY WAY to measure overall length per ATF guidelines.
It must be measured from the BOLT FACE. Mine happened to measure at 16.125” with the shims.
The Dead Air FH has a hole predrilled at the bottom of the muzzle device specifically for pinning. It is also sized perfectly to use a takedown pin detent to act as the pin.
The detent works perfectly since it is beveled, and you will need to dimple the threads of the muzzle for the pin.
Dimpling the threads of the muzzle should be done slowly and methodically. The last thing you want to do is punch through the muzzle and create a hole. Just like a golfball, you only want to make a small dimple in the material for the pin to properly lock into place.
Once you have dimpled the barrel’s muzzle, all that is required for prep work is to size the pin. Dropping the pin into the hole will give you an idea of how short it needs to be. It’s a good idea to take a hammer and give the pin a few taps to make sure it’s fully seated into the dimple.
After marking for a cut, you can either file the pin down or use a small cut off wheel. I took my time and filed the pin down for a proper size. It takes a little extra time, but it makes for a perfectly sized pin for your weld. You want the pin barely shorter than flush with the outside of the muzzle device.
I would also recommend countersinking around the hole. This allows the weld to pool which gives a cleaner look and won’t require as much grinding or clean up. I am by no means a welder, so I still cleaned the weld up a little. Some cold blue, or even some spray paint, will protect the exposed weld.
For an excellent resource, check out IraqVeteran8888’s channel. They go through step by step on how to properly pin and weld a muzzle device, which helped me out a lot.
There are other ways to permanently fix a muzzle device. I prefer a pin and weld, but you can also silver solder the threads, or weld the seam where the muzzle device meets the shoulder of the barrel towards the muzzle.
Receivers and Handguard
To stick with the blue-collar approach, I went with an Aero Precision M4E1 receiver set. I have yet to be disappointed with these receivers and they look great. When these receiver sets go on sale, it’s a great value for a budget-minded AR build.
90
at Brownells
Prices accurate at time of writing
Prices accurate at time of writing
The upper and lower receivers have a small amount of play between the two. It’s not enough to worry about, but a nice touch with the M4E1 lower is it has a tension screw to take out any slop between the receivers. I tightened mine up a little and it locks up like a bank vault.
Editor’s Pick Upper Receiver
105
at Aero Precision
Prices accurate at time of writing
Prices accurate at time of writing
For my handguard, I decided to go with a 13” Bravo Company MCMR. It measures at 13.4” to the end of the flare of the handguard, which should work perfectly for a near flush fit once I finally buy a Dead Air Sandman-S.
192
at Brownells
Prices accurate at time of writing
Prices accurate at time of writing
BCM MCMR handguards just might be my favorite go-to handguard. Installation can be a pain because of the tight tolerances for fitment, but in the end, it gives a shooter an impressively solid handguard for almost any condition. The hardware and anti-rotation tab provide for a perfect lock up at the barrel nut.
To finish off the receivers, I played around with some templates and did a rattle can job. The stencil I used looked like a mixture of reptile scales and tree bark. I thought it was too dark at first, so I used a honeycomb pattern with desert sand to lighten it up.
The Guts
For a rifle you want to rely on, the guts are important. I went with a Sons of Liberty Gunworks Blaster Kit for all the small parts. Their detents and takedown pins are some of the smoothest I have used when building ARs. I chose a BCM PNT trigger and hammer and I have been happy with it at about 5.5 lbs pull weight.
68
at Brownells
Prices accurate at time of writing
Prices accurate at time of writing
The BCG that I chose was a Brownell’s phosphate model that is individually HPT and MPI. It uses a C158 steel bolt that is shot-peened. After lubing it up, this bolt hasn’t missed a beat.
148
at Brownells
Prices accurate at time of writing
Prices accurate at time of writing
I even sent it to Instructor Chad of the School of the American Rifle. Check out his video!
Properly buffering a carbine length gas system is important. I decided to go with the best and ordered a VLTOR A5H2 buffer using a green rifle length spring from Sprinco. These two go together like peanut butter and chocolate.
Overall, that pair housed in my Magpul UBR stock makes for a flat shooting rifle.
192
at Brownells
Prices accurate at time of writing
Prices accurate at time of writing
I went with a Radian LT charging handle. At this point, running a mil-spec charging handle just isn’t worth your time.
It’s 2020. We have all had a rough year so far. Treat yo’ self and get one of the best ambidextrous charging handles in the industry.
Best Lightweight Charging Handle
56
at Brownells
Prices accurate at time of writing
Prices accurate at time of writing
Duty–Level Upgrades
For a proper bang-around rifle, its settled science on three things to have on your rifle.
A weapon light must be mandatory for any defensive use.
You can’t shoot what you can’t identify.
An optic, whether red dot or LPVO provides a consistent aiming point regardless of lighting conditions. And lastly, a sling is like a holster to a handgun.
For the weapon light, I bought a Surefire M600DF with a Unity Tactical Hot Button from AR15 SafeSpace.
236
at Amazon
Prices accurate at time of writing
Prices accurate at time of writing
While you can get more candella with better throw from Modlite or Arisaka Defense, Surefire has been battle-tested and is an excellent light for defensive use.
Check out more of our favorites in Best AR-15 Lights.
The optic I currently have on my rifle is the Swampfox Optics Arrowhead in a 1-8x. I tested, reviewed, and beat up the optic. Its FOV is excellent and works well on a defensive rifle set up with its bright reticle. Check out my review of the Arrowhead!
370
at Optics Planet
Prices accurate at time of writing
Prices accurate at time of writing
There are a lot of great slings out there, but I prefer the Blue Force Gear Vickers 2-to-1 Red sling. It’s quick to adjust, can convert into a 1-point sling if you like smashing your grapes, and comes with QD sling swivels. It’s simple, and that’s exactly why I love it.
85
at Brownells
Prices accurate at time of writing
Prices accurate at time of writing
Parting Shots
There are A LOT of great choices on the market to build your own blue-collar defensive rifle. These are just a few great choices to use.
Have you ever built a rifle for defensive use with a practical budget? Have you ever tried to pin and weld a muzzle device? Let us know in the comments below! Trick out your gat with the Best AR-15 Upgrades, stem to stern!
The post [Best AR-15 Builds] Pin & Weld Blue-Collar Duty Rifle appeared first on Pew Pew Tactical.
guns
via Pew Pew Tactical https://ift.tt/2m7cc0U
August 25, 2020 at 02:40PM
How to establish a startup and draw up your first contract
How to establish a startup and draw up your first contract
https://ift.tt/3je9Lb0
Founders are encouraged, incentivized and pressured to begin transacting with customers as quickly as possible to drive growth and revenue. But making legal mistakes early in the game can create costly liabilities down the road.
That’s why we invited James Alonso from Magnolia Law and Adam Zagaris from Moonshot Legal to join us at TechCrunch Early Stage to give us a 360 overview of the legal side of running a startup. We’ve shared highlights from their presentations below, along with a video of the entire panel discussion.
Corporate law 101 for startup founders
James Alonso gave us a presentation on company formation and getting funding. Maybe you’ve already created your startup, but if you’re still working on your own and don’t have any clients or employees yet, these tips are essential before you get your startup off the ground.
When you’re setting up a new company, it forces you to have a discussion about capital structure — who owns shares, how many shares and what kind of shares. There isn’t a single way to design a company on this front and we’ll look at some options later in this article. And because you’re starting a startup, you want to structure your company in a way that makes future financing easy.
Setting up a company also lets you put your IP in a single entity that you’re sharing with other shareholders. “One of the key things you’re doing when you’re forming a company is assigning the IP related to that company into a single entity that holds it all,” Alonso said.
technology
via TechCrunch https://techcrunch.com
August 25, 2020 at 02:43PM
Forging a Crankshaft
Forging a Crankshaft
https://ift.tt/32tbMJH
Charged with moving the pistons in and out, a crankshaft is like the beating heart of an engine. While crankshafts need to be finished by machining, they start by forging and stamping steel, then twisting the molten metal to form the journals and counterweights that comprise this critical car part.
fun
via The Awesomer https://theawesomer.com
August 25, 2020 at 02:45PM
How to Protect Your Laravel Web Application Against the OWASP Top 10 Security Risks
How to Protect Your Laravel Web Application Against the OWASP Top 10 Security Risks
https://ift.tt/321qsQ0
I remember the first time one of my sites got hacked.
The client emailed saying their website was taking ages to load. I jumped online as soon as I got home from college and noticed somebody had used SQL injection to inject a <script> tag into all the product titles.
The script attempted to redirect visitors to a malicious website. I was devastated.
This was back in 2004, and I had just taught myself ASP and SQL Server. It was a sobering moment and one that brought home the realisation that any website could be a target, no matter how small.
It also taught me about the importance of web security, and it’s been at the forefront of my development process ever since.
No site can ever be completely safe — the sheer number of high-profile breaches are a testament to this. But you can follow some best practices to make your site less of a target for a casual malicious actor or automated script.
OWASP & Laravel
The Open Web Application Security Project (OWASP) is an international non-profit organisation dedicated to creating awareness about web application security.
The OWASP Top Ten is a standard awareness guide about web application security and consists of the topmost critical security risks to web applications.
Laravel is one of my favourite PHP frameworks. I’ve used it extensively over the years for anything from small business sites to large fintech and e-commerce applications demanding security at the core.
The great thing is, Laravel takes care of many of these security features out the box.
I’ll run through the OWASP Top Ten and note how you can harden your Laravel web applications with some basic security best practices.
1. Injection
“Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorisation.” — OWASP Top 10
The Laravel query builder uses PDO parameter binding to protect the application against SQL injection attacks. This means you don’t have to sanitise values being passed as bindings.
Be aware that Laravel also allows you to run raw SQL queries. You should avoid this if possible. Stick to Eloquent instead.
Bear in mind that PDO does not support binding column names. You should never use input from users to dictate the table column name, including columns used in an ORDER BY statement.
If you do need some flexibility, ensure you check the column names against a whitelist.
2. Broken Authentication
“Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.” — OWASP Top 10
There are several strategies you can use to protect your application from this type of attack.
- Use CAPTCHA for any endpoints that can be exploited using brute-force techniques. This includes login, registration, and forgot password forms. CAPTCHA will stop most automated attacks. Go with something like Google’s reCAPTCHA rather than developing your own implementation.
- Rate-limit login attempts. If used in conjunction with CAPTCHA, it allows for a great defence-in-depth strategy. Laravel has a middleware that can be used straight away in your routes or controllers to throttle requests.
- Build multi-factor authentication for your member and admin accounts. There are great packages available that you can use to generate QR codes and validate one-time password codes upon login. Avoid other means of delivering this code, such as email or SMS. It simply isn’t secure enough.
- Never commit any default login details or sensitive API credentials to your code repository. Maintain these settings in the
.envfile in the project root. - Configure sessions securely: they should be sent over HTTPS only and never display in your application. The
securesetting can be enabled in thesession.phpconfig file of your Laravel application.
3. Sensitive Data Exposure
“Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.” — OWASP Top 10
Not a week goes by without news about another high-profile data breach. And most concerning of all is that at times, these breaches reveal how the company used weak security practices. Weak password hashes and unsecured S3 buckets are common occurrences.
Here are a few ways you can combat this:
- Ensure you serve the entire application over HTTPS with a TLS certificate. If users try to access the HTTP equivalent, redirect them to the secure route instead and make use of HSTS headers.
- Hash all passwords using an adaptive salted hashing function. These are hash functions where the work factor can be increased over time as processor power increases. Laravel supports both Bcrypt and Argon2 by default.
- Encrypt all sensitive data stored at rest. Never use your own developed encryption functions. Instead, use Laravel’s built-in encryption functions that use OpenSSL to provide AES-256 and AES-128 encryption.
- If you use enumeration for files or primary keys to identify records, you could be inadvertently be exposing information about your system. Using a URL like
/member-profile/23will reveal you have (at least) 23 members on your system. If you include uploaded files like/user-images/45.jpg, you could open yourself to an enumeration attack where a malicious actor could try all number combinations and extract all user images from your website. To combat this, use a different scheme like UUIDv4 to identify records that are public and might require protection. For files, use automatically generated file names or a hashed folder structure to prevent enumeration.
Never trust user-uploaded files. If these uploaded files are not validated or handled correctly, they can allow access to your entire system. The OWASP Unrestricted File Upload page includes several precautions to take. You can implement most of these using Laravel’s validation functionality:
- Setting a minimum and maximum file upload size.
- Limiting the number of simultaneous file uploads.
- Only allow specific file types by checking their MIME.
- Rename all files upon upload.
- Upload files to a non-public directory or third-party object storage like AWS S3. You don’t want somebody uploading a PHP shell script, allowing them to run commands directly on your server.
Best of all, you can wrap this all into a Laravel rule and simply call this rule as part of your validation flow.
4. XML External Entities (XXE)
“Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.” — OWASP Top 10
This vulnerability applies to any system that parses XML. A security researcher found this vulnerability in Facebook a few years ago. This SensePost article goes into more detail about how this was accomplished.
The quickest way to prevent this attack is to disable external entity resolution when using the default PHP XML parser. This is done by setting libxml_disable_entity_loader to true.
If you cannot disable this functionality, make sure that your XML parser is updated and that you’re using at least SOAP v1.2 or higher where applicable. Always be vigilant when it comes to user-uploaded or third-party XML.
5. Broken Access Control
“Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorised functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.” — OWASP Top 10
In 2011, attackers made off with details of over 200,000 Citigroup customers after discovering an exploit in the way they handled customer account numbers. Once they logged into an account, all they had to do was change the customer number in the URL to jump to the record of another customer.
This allowed them to create an automated process that would cycle through all possible numbers and capture all the confidential data.
The system didn’t have any authorisation checks in place to ensure the account number being accessed belonged to the logged-in user.
- Always perform authorisation checks on any operations that are only available to logged-in users. This includes the page (for example, allowing you to update details), as well as the destination of the form submit.
- There are popular RBAC (Role-Based Access Control) packages that can be used with Laravel allowing you to manage user permissions and roles. You can also use Laravel’s built-in authorisation services.
6. Security Misconfiguration
“Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.” — OWASP Top 10
When configuring your web application, always consider the principle of least functionality. Harden your installation by removing or disabling all services you don’t need.
Back in 2001, the Nimda worm wreaked worldwide havoc by exploiting several IIS (Internet Information Server) vulnerabilities.
Many systems had IIS installed by default, even though they didn’t use the Microsoft web server at all. The result was a high infection rate that could have been prevented by hardening the system and uninstalling any services not required by the system or network.
- Keep all server software and any dependencies in your web application up to date.
- Disable directory listing for your web server.
- Disable debugging on production servers. Even on staging servers, debugging can reveal sensitive server information by outputting all your environment variables. Make use of the
debug_hideapp configuration option in Laravel to prevent this.
7. Cross-Site Scripting (XSS)
“XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.” — OWASP Top 10
Never display user-supplied input without escaping the data. Laravel’s template engine, Blade, automatically escapes content rendered using the default syntax. This sends it through PHPs htmlspecialchars function.
Escaping all output this way will reduce your website visitors’ exposure to XSS and CSRF (Cross-Site Request Forgery) attacks.
Unfortunately, it’s not always as simple as that. If you’ve ever included WYSIWYG HTML editors in your application such as TinyMCE or CKEditor, you know this poses a risk (especially since escaping the output would result in a bunch of HTML tags rather than the formatted content).
In these instances, use a package like HTMLPurifier to remove any potentially malicious code.
8. Insecure Deserialisation
“Insecure deserialisation often leads to remote code execution. Even if deserialisation flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.” — OWASP Top 10
Be wary of unserialising anything from untrusted sources. This includes cookies your application might create. A malicious user can edit that cookie in their browser and use this as an attack vector against your application.
By default, all cookies created by Laravel are encrypted and signed. This means they’ll be invalid if a client tampers with them.
9. Using Components with Known Vulnerabilities
“Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.” — OWASP Top 10
Because most of the dependencies you may be using in Laravel are open source, it allows malicious users to analyse the packages and find ways to exploit vulnerabilities. A few ideas to mitigate this problem:
- Ensure you keep all dependencies up to date.
- Remove any dependencies not in use. This will reduce the potential number of attack entry points.
- Subscribe to security bulletins and include a security scanner (such as Snyk) as part of your CI/CD pipeline.
- Consider using an LTS (Long Term Support) version of Laravel rather than the latest version. LTS versions receive security fixes for three years rather than the one year for non-LTS releases.
10. Insufficient Logging and Monitoring
“Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.” — OWASP Top 10
When it comes to your application and server, log everything, including failed login attempts and password resets.
Laravel comes with Monolog out of the box. You can even integrate it with a third party logging service like Papertrail and receive alerts for specific log events.
Conclusion
Thank you for reading, I hope this has proven useful! Sign up to my newsletter or visit my blog where I’ll share insightful web development articles to supercharge your skills.
Resources
The OWASP website is a brilliant source of information, and they provide several in-depth guides about many of the security issues mentioned above.
programming
via Laravel News Links https://ift.tt/2dvygAJ
August 24, 2020 at 09:42PM