Practical Laravel Security is hands-on course that uses
interactive hacking exercises to teach you how to keep your
applications secure.
Because learning security doesn't have to be boring!
Practical Laravel Security is currently open for Early-Access. Sign up now and get access to each module as it's released!
Or you can subscribe to the mailing list for more information and to be notified when the course is complete.
Why is Laravel Security important?
It's easy to make the assumption that a robust framework like Laravel is secure, but most of the time, it's the little things which expose vulnerabilities in your apps.
Let's take a look at some recent examples from the news...
1. Australian telecommunications company Optus was recently hacked due to allegedly leaving an unauthenticated API endpoint exposed "with the assumption that the API would only be used by authorised company systems."
2. PortSwigger discovered a vulnerability in a Mastodon fork that allowed them to steal user passwords, caused by a weak Content Security Policy (CSP) and flexible limitations on user inputs: "The form-action directive could prevent these sorts of attacks".
3. Fortbridge discovered the REST API in Plesk was lacking adequate Cross-Site Request Forgery (CSRF) protection, which allowed them to craft custom attacks that affect "all the POST requests and we could abuse most of the APIs with it".
All of these were small and overlooked vulnerabilities in otherwise robust and secure systems.
Practical Laravel Security teaches you how to avoid, find and fix these small mistakes, so unlike these apps, yours won't get hacked!
Course Outline
I believe the best way to learn how to defend against the hackers, is to first learn how to hack (ethically, of course...).
So we start by learning their attacks.
First we'll cover the theory - what is is? How does it work? Why would they use it?
And then you'll learn how to do it yourself! Each attack module will give you hands on practical exercises where you can put your new hacking skills to use!
Of course, there's no point teaching you an attack without also teaching you how to defend against it. So in the Defend modules, I'll teach you exactly what tools you need to protect your site from the attacks you've just learnt.
Attack
-
Cross-Site Scripting (XSS)
- Steal Cookies!
- Escape Input!
- Attribute Magic!
- Hijack Formatting!
- Markdown Injection!
- Script Injection!
-
Cross-Site Request Forgery (CSRF)
- Send a POST Request!
- Replicate a Form!
- Submit a Form in the Background!
- Bypass
SameSite=Lax
! - Abusing a Subdomain!
- Stealing the CSRF Token!
-
SQL Injection (SQLi)
- Cliché Login SQLi!
- Nested Login SQLi!
- Union-Based SQLi!!
- Error-Based SQLi!
- Blind Error-State SQLi!
- Blind Timing-Based SQLi!
-
Missing Authorisation
- Incremental IDOR!
- UUID Leakage!
- Incomplete Cryptography!
- As Simple As CRUD!
- Beware the SPA!
- Predictable Hashing!
-
Type Juggling
- Bypassing Passwords with Integers!
- Magic Hashes!
- JSON Makes This Easy!
- What About Serialization?
-
Injection
- Path Traversal / Local File Inclusion (LFI)!
- Object Manipulation!
- PHP Object Deserialisation!
- Command Injection
In progress
- Remote Code Execution (RCE)
- Authentication
- Debug Mode
- Supply Chain Attacks
- Browser Security
- Leaky Data
Defend
-
Escaping Output
Completed -
HTML and Markdown
Completed -
CSRF Tokens
Completed -
SameSite Cookies
Completed -
Cross-Origin Resource Sharing (CORS)
Completed -
Parameterisation
Completed -
Authorisation Policies
Completed -
Authorisation Gates
Completed -
Signed URLs
Completed -
HMAC Hashes
Completed -
Strict/Secure Comparisons
Completed -
Unserialize Safely
Completed - Input Validation
- Password Security
- Rate Limiting
- Authentication
- Browser Security Headers
- Content Security Policy (CSP)
- Subresource Integrity (SRI)
- And more...
Who Am I?
Hi, I'm Stephen Rees-Carter, and I've spent the past year conducting security audits on Laravel applications of all sizes. As you can imagine, I've seen a lot of great code, but I've also seen a some truly terrifying code, with the same mistakes made over and over again!
However, what I've seen most often are the small mistakes, the missing pieces, forgotten and overlooked pieces of code that introduce a subtle yet critical vulnerabilities. Just as bugs sneak into our code, so to do these vulnerabilities.
I want to teach you find and fix these subtle bugs before someone else exploits them!
My conference talks have been described as "like watching someone do a magic trick but the magic trick is terrifying", and this is the experience I'm hoping to replicate in this course... But this time, you'll be the one doing the magic tricks!
I hope you'll come on this security journey with me! If you've got any questions about the course, feel free to email me. You can also find me on Twitter and Mastodon.
Sign up for the course!
Sign up now and get early access to the modules as they are released,
and get a discount on the final price!
Team License
Feedback on the Course
Hey Stephen,
Just wanted to say thanks for making this course.
Loving the format, the gamification is working well with my brain 😊
It's getting me to think about this in ways I wouldn't have by just reading a book.
The last [XSS] challenge was just fun, didn't use the hints but
[redacted] 😊
Looking forward to the next challenges.
Thanks,
Matt
It is a really fun, and hands on course with exercises for you to learn as you do!
— Ana Lisboa (@_ana_lisboa_)
Feb 14, 2023
From Past Talks and Social Media
Clément: Here we go, nightmares all over again... 😱
Colin: Quick @James, take Forge down!
Alex: Aaaaaand now I'm goign to have security nightmares
Alex: Being Stephen back for every Laracon. I need to be scared straight about security every 6 months or so
~YouTube Live Chat
Alex: Literally every time Stephen talks, my mind is blown
Javier: Agree
Colin: Literally every time Stephen talks, I get nervous
~YouTube Live Chat
Christian: this is like watching someone do a magic trick but the magic trick is terrifying 🤯
~YouTube Live Chat
This will be great, just subscribed to the mailing list.
— Davor Minchorov (@davorminchorov)
November 13, 2022
I've been enjoying the Laravel Security newsletter, so I'm looking forward to this course.
Security is one of those topics we should all keep investing in as developers.
— Joel Clermont (@jclermont)
November 10, 2022
Jim: this guy always makes me nervous
Harm: He should
~YouTube Live Chat
Clément: How are we supposed to sleep after this talk? 😱
Gertjan: 🤯
~YouTube Live Chat
This course by @valorin looks extremely interesting! ☠️
— Andrea Marco Sartori (@cerbero90)
Feb 14, 2023
Mariusz: Thanks Stephen, now I'm going to have nightmares 🤣
~YouTube Live Chat
Looking forward to it.👍
— Hamza Ikram || Laravel Developer (@h_ik04)
November 11, 2022
Bought it! Haven’t started yet, but looking forward to. Think I saw two of your Laracon talks, which made it a no brained for me to buy the presale
— Pim Veelders (@PimVeelders)
Feb 14, 2023
Frequently Asked Questions
Who is this course for?
Laravel Developers of all skill levels, regardless of their security knowledge. The concepts will be explained for those without prior knowledge, and the challenges will range from easy to hard, so everyone can get something out of it.
What about Laravel Security in Depth?
The idea is that they compliment each other, rather than overlap and reuse content. I love writing the emails each week, so I definitely want to make it unique. The course is focused on specific vulnerabilities and how to find and fix them in your own code, so it will be a very practical look at things. While the newsletter will look more at concepts, implementations, recent changes in Laravel, etc, looking into security implementations. Also looking at concepts like the OWASP Top 10 - which will guide the course in a way, but won't be featured directly.
Does it require any special software?
No. Everything you need will be available in the browser, although it hasn't been optmised for mobile, so you'll need to use your computer.
How does the payment plan work?
For simplicity, the payment plan is created as a monthly Stripe subscription. The subscription will be automatically cancelled after the fixed length period. Access to modules within the course with be limited initially, with access to more modules opening up as each payment is completed. Full access to the course will be granted when the payment plan is completed.
Is there be team pricing?
Yes! Team pricing is available, as well as some additional features, such as tracking staff progress. Please send me an email to discuss your needs.
Is there be a PPP or Student discount?
Yes! Please send me an email and let me know your location/situation, and I'll see what I can do to help.
Can I get an invoice?
Absolutely. Payments will be processed through Stripe, which will generate an invoice for you.
What if I decide it's not for me?
No worries, just send me an email within 7 days of purchase, and I'll refund you, no questions asked.
What about [tax]?
Stripe should automatically handle any tax required on the purchase.