LARAVEL SECURITY STANDARDS
- Prasoon Srivastava
Key Points
▪ Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery)
▪ Protection against XSS (Cross Site Scripting)
▪ Prevent SQL injection By Avoiding Raw Queries
▪ Keep app dependencies up to date
▪ Never Display Errors and Exceptions on Production
▪ Do not store Sensitive data in Configuration file
▪ Log All the things
▪ Make Sure Permissions on Filesystem are limited
▪ Force HTTPS if Your Application is Exchanging Sensitive Information
Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery)
✓ Cross-site request forgeries are a type of malicious exploit whereby unauthorized commands are performed on behalf of an authenticated user.
✓ Laravel uses CSRF tokens to ensure that third-party sites cannot forge requests on behalf of an authenticated user, and so cannot exploit this class of vulnerability.
✓ Laravel makes it easy to protect your application from cross-site request forgery (CSRF) attacks.
How is a CSRF attack carried out?
Assume you have an application that is used to send money to friends, and that users need to be signed in to send money. Assume that the action to send money is also a simple form.
The make-believe form requires the email of the recipient and the amount to be sent. When the send button is clicked, a POST request is made to the application server to send the amount to the recipient.
Everything seems okay, and during testing, logged-in users can send money to other users, which is what is expected.
An attacker who wants to hoodwink the system will very likely study the application for a while, trying to locate vulnerabilities. They note the URL the request is sent to, and they know it needs to be a POST request carrying the email of the recipient and the amount to send.
The attacker then creates a page that issues that same request, embedded in an image or directly in the web page, so that it fires when the image or a link is clicked.
When the script is executed, the server sees it as another regular request made by the logged-in user and processes it. This means that everyone authenticated to the target site who visits the attacker's site is open to a CSRF attack and may indeed be sending money they didn't intend to send.
Carrying out your own CSRF attack
Now, let’s look at how to do a simple CSRF attack on an application.
Laravel CSRF in Forms
When defining your form fields in a view, you should always include the hidden CSRF token field so that the CSRF protection middleware can validate the request. The @csrf Blade directive generates that hidden field for you:
<form method="POST" action="/employee">
@csrf
...
</form>
Laravel CSRF Token Ajax Calls
In Laravel, the CSRF middleware handles all requests and rejects any POST request that does not carry the right CSRF token. Therefore, when sending an AJAX request, you must include the token in the request data under the _token key:
$.ajax({
    type: "POST",
    // csrf_token() is rendered into the page by Blade and returns the session's token
    data: {"_token": "{{ csrf_token() }}", "id": id},
    url: some_url,
    success: function(msg){
        // response
    }
});
Protection against XSS (Cross Site Scripting)
✓ Cross-site scripting (XSS) attacks happen when attackers are able to place client-side JavaScript code in a page viewed by other users.
✓ In our application, assuming that the name of our cat is not escaped, if we enter the following snippet of code as the value for the name, every visitor will be greeted with an alert message everywhere the name of our cat is displayed:
Evil Cat <script>alert('Meow!')</script>
✓ While this is a rather harmless script, it would be very easy to insert a longer script, or a link to an external script, that steals the session or cookie values.
✓ To avoid this kind of attack, you should never trust any user-submitted data and should always escape any dangerous characters. You should favor the double-brace syntax ({{ $value }}) in your Blade templates, and only use the {!! $value !!} syntax where you're certain the data is safe to display in its raw format.
XSS
I have created a very simple example in which the user can add and delete tasks. I will not use controllers for such a small app and instead will define the handlers directly in the routes.php file.
<?php

use App\Task;
use Illuminate\Http\Request;

// Display All Tasks
Route::get('/', function () {
    $tasks = Task::orderBy('created_at', 'asc')->get();
    return view('tasks', [
        'tasks' => $tasks
    ]);
});

// Add A New Task: the name is stored exactly as submitted, without validation
Route::post('/task', function (Request $request) {
    $task = new Task;
    $task->name = $request->name;
    $task->save();
    return redirect('/');
});

// Delete An Existing Task
Route::delete('/task/{id}', function ($id) {
    Task::findOrFail($id)->delete();
    return redirect('/');
});
And the relevant code in the view that shows the tasks. It prints the name unescaped, which is what lets the injected script below run:
@foreach ($tasks as $task)
...
<!-- Task Name (unescaped output: vulnerable) -->
<td class="table-text">
<div>{!! $task->name !!}</div>
</td>
...
Now instead of adding a task like I am supposed to, I am going to insert this:
<script>alert("boom")</script>
Now anyone who lands on this page is going to see this:
Always Use
<div>{{ $task->name }}</div>
In place of
<div>{!! $task->name !!}</div>
Prevent SQL injection By Avoiding Raw Queries
✓An SQL injection vulnerability exists when an application inserts
arbitrary and unfiltered user input in an SQL query. This user input
can come from cookies, server variables, or, most frequently, through
GET or POST input values.
✓These attacks are conducted to access or modify data that is not
normally available and sometimes to disturb the normal functioning of
the application.
✓By default, Laravel will protect you against this type of attack since
both the query builder and Eloquent use PHP Data Objects (PDO)
class behind the scenes. PDO uses prepared statements, which
allows you to safely pass any parameters without having to escape
and sanitize them.
Consider for instance a form field used to supply an e-mail address, which might be used for searching a user table. But instead of supplying an e-mail address, the user searches for 'jason@example.com' or 1=1. Left unsecured, the resulting query might look like this:
SELECT * FROM users WHERE email = 'jason@example.com' or 1=1
1=1 is a simple logic expression that always evaluates to true, meaning that when coupled with or, all records will be returned from the users table!
Here's what we want to avoid:
$id = $request->get('id');

// Dangerous: $id is interpolated straight into the SQL string
$result = DB::select( DB::raw("SELECT * FROM users WHERE id = $id") );

// Safe: the query builder passes $id as a bound parameter
$result = DB::table('users')->where('id', $id)->get();

// Even better: let Eloquent build the query
$user = App\User::find($id);

// Even *better*: route model binding resolves the user before your code runs
public function myMethod(App\User $user, Request $request);
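The e-mail search from the slides, rebuilt here as an added example (not code from the original deck) in plain PDO over an in-memory SQLite table, so the difference between a raw query and a bound parameter can be run and seen; it assumes the pdo_sqlite extension is installed, and the sample rows are constructed.

```php
<?php
// Added example, not from the original slides. Rebuilds the slide's e-mail
// search in plain PDO over an in-memory SQLite table (assumes the pdo_sqlite
// extension) to show why the raw query returns every row while the bound
// parameter returns none. Laravel's query builder and Eloquent bind values
// the same way, which is why the slides call them safe by default.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
// Constructed sample rows.
$pdo->exec("INSERT INTO users (email) VALUES
    ('abc@example.com'), ('jason@example.com'), ('admin@example.com')");

// Dangerous: the user-supplied value is interpolated into the SQL text, exactly
// like DB::raw("SELECT * FROM users WHERE id = $id") on the slide.
function findByEmailRaw(PDO $pdo, string $email): array
{
    $sql = "SELECT * FROM users WHERE email = $email";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value is sent as a bound parameter, so it is only ever compared
// as data and cannot change the structure of the statement.
function findByEmailBound(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The slide's malicious search string, quotes included.
$input = "'jason@example.com' or 1=1";

// Becomes: WHERE email = 'jason@example.com' or 1=1, which is true for every row.
$raw = findByEmailRaw($pdo, $input);
// Becomes: WHERE email = :email, with the whole string bound as one value that
// matches no address.
$bound = findByEmailBound($pdo, $input);

printf("raw query returned %d rows\n", count($raw));
printf("bound query returned %d rows\n", count($bound));

// A legitimate search still works through the bound statement.
printf("bound lookup of jason@example.com returned %d rows\n",
    count(findByEmailBound($pdo, 'jason@example.com')));
```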
Keep app dependencies up to date
✓ Most PHP code relies on external, third-party dependencies. However, these need to be kept up to date, wherever possible, to ensure that any bug and security fixes are available to your code.
✓ Ensure you're using Composer as your dependency manager and keep up to date with all of your dependencies.
Never Display Errors and Exceptions on Production
✓While errors, warnings, and exceptions are helpful
during development, if displayed in production or
any other public-facing environment, they may
expose sensitive information or intellectual property.
✓Ensure that this information is logged internally, and
not exposed publicly.
✓The debug option in your config/app.php configuration file determines how
much information about an error is actually displayed to the user. By
default, this option is set to respect the value of the APP_DEBUG
environment variable, which is stored in your .env file.
✓For local development, you should set the APP_DEBUG environment
variable to true.
APP_DEBUG=true
✓In your production environment, this value should always be false.
APP_DEBUG=false
✓ If the value is set to true in production, you risk exposing sensitive
configuration values to your application's end users.
Do not store Sensitive data in Configuration file
✓ Just like you shouldn't store sensitive data in cache entries, you also should not store sensitive data in configuration files.
✓ This includes SSH keys, access credentials, and API tokens. Store them in environment variables instead.
✓ Always store sensitive data in the .env file, and keep that file out of version control (Laravel's default .gitignore already excludes it).
TWILIO_SID=<your-twilio-account-sid>
TWILIO_TOKEN=<your-twilio-auth-token>
TWILIO_FROM=<your-twilio-sender-number>
PAYPAL_ENV=sandbox
PAYPAL_USERNAME=<your-paypal-api-username>
PAYPAL_PASSWORD=<your-paypal-api-password>
PAYPAL_SIGN=<your-paypal-api-signature>
PAYPAL_APPID=<your-paypal-app-id>
PAYPAL_SANDBOX_EMAIL=<your-sandbox-buyer-email>
Log All the things
✓ Regardless of whether you're logging failed login attempts, password resets, or debugging information, make sure that you're logging, and with an easy-to-use, mature package such as Monolog.
✓ To help you learn more about what's happening within your application, Laravel provides robust logging services that allow you to log messages to files, the system error log, and even to Slack to notify your entire team.
✓ Under the hood, Laravel utilizes the Monolog library, which provides support for a variety of powerful log handlers. Laravel makes it a cinch to configure these handlers, allowing you to mix and match them to customize your application's log handling.
✓ You may write information to the logs using the Log facade.
✓ The logger provides the eight logging levels defined in the RFC 5424 specification: emergency, alert, critical, error, warning, notice, info and debug:
Log::emergency($message);
Log::alert($message);
Log::critical($message);
Log::error($message);
Log::warning($message);
Log::notice($message);
Log::info($message);
Log::debug($message);

// In a controller, with: use Illuminate\Support\Facades\Log;
public function showProfile($id)
{
    Log::info('Showing user profile for user: '.$id);
    return view('user.profile', ['user' => User::findOrFail($id)]);
}
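The slide names failed login attempts as something worth logging; this added example (not code from the original deck) does exactly that with a listener on Laravel's built-in Illuminate\Auth\Events\Failed event, so brute-force or credential-stuffing activity shows up in the application log. It assumes a recent Laravel application; the class name LogFailedLogin is this example's own choice.

```php
<?php
// Added example, not from the original slides. A listener that records every
// failed login attempt through the Log facade described above. Assumes a
// recent Laravel application; the class name LogFailedLogin is this example's
// own choice.

namespace App\Listeners;

use Illuminate\Auth\Events\Failed;
use Illuminate\Support\Facades\Log;

class LogFailedLogin
{
    public function handle(Failed $event): void
    {
        // Never log the submitted password: the identifier and the source of the
        // attempt are enough to spot a brute-force or credential-stuffing run.
        Log::warning('Failed login attempt', [
            'guard'       => $event->guard,
            'email'       => $event->credentials['email'] ?? null,
            'user_exists' => $event->user !== null,
            'ip'          => request()->ip(),
            'user_agent'  => request()->userAgent(),
        ]);
    }
}

// Register the listener in app/Providers/EventServiceProvider.php:
//
// protected $listen = [
//     \Illuminate\Auth\Events\Failed::class => [
//         \App\Listeners\LogFailedLogin::class,
//     ],
// ];
```

Each failed attempt then lands in the configured log channel with the guard, the attempted identifier, whether that account exists, and the client IP, which is the minimum a detection rule on repeated failures needs.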
Make Sure Permissions on Filesystem are limited
✓ PHP scripts should only be able to write to the places where you specifically need to upload or write files.
✓ Those places should not be anywhere a PHP script can be executed by the server. Otherwise, it opens the way for an attacker to write a PHP file somewhere and run arbitrary PHP code.
Force HTTPS if Your Application is Exchanging Sensitive Information
✓ When you deploy your website over HTTP, all the data exchanged, including passwords, is sent in plain text and could easily be stolen by anyone between the client and the server. So, to keep this information safe, always deploy your web applications over HTTPS.
✓ You could simply set up an SSL certificate on your website, with a little assistance from any Laravel developer, who will shift your application from HTTP to HTTPS easily. To protect certain routes, you could use the filter defined below, which redirects users to the secured route.
// Laravel 4 route filter; URL::current() returns the URL of the current request
Route::filter('https', function() {
    if ( ! Request::secure())
        return Redirect::secure(URL::current());
});
// Attach it with Route::group(['before' => 'https'], function() { ... });
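The slide's filter uses the Laravel 4 Route::filter API, which later versions removed; this added example (not code from the original deck) does the same redirect as middleware for current Laravel versions and adds the HSTS header so browsers keep using HTTPS. The class name ForceHttps is this example's own choice.

```php
<?php
// Added example, not from the original slides: the slide's Laravel 4 filter
// rewritten as middleware for current Laravel versions, where Route::filter no
// longer exists. The class name ForceHttps is this example's own choice.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class ForceHttps
{
    public function handle(Request $request, Closure $next)
    {
        // $request->secure() honours X-Forwarded-Proto only from proxies listed
        // in the TrustProxies middleware. Behind a TLS-terminating load balancer,
        // configure that first, or every request will bounce through this redirect.
        if (! $request->secure() && app()->environment('production')) {
            return redirect()->secure($request->getRequestUri(), 301);
        }

        $response = $next($request);

        // Tell browsers to use HTTPS for this host from now on (HSTS).
        $response->headers->set(
            'Strict-Transport-Security',
            'max-age=31536000; includeSubDomains'
        );

        return $response;
    }
}

// Register it as global middleware (app/Http/Kernel.php in Laravel 10 and
// earlier, bootstrap/app.php in Laravel 11), or on a route group if only the
// sensitive routes need it. Generated links should use https as well, from
// AppServiceProvider::boot():
//     \Illuminate\Support\Facades\URL::forceScheme('https');
```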
Thank You

 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 

Laravel Security Standards

  • 1. LARAVEL SECURITY STANDARDS - Prasoon Srivastava
  • 2. Key Points
      ▪ Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery)
      ▪ Protection against XSS (Cross Site Scripting)
      ▪ Prevent SQL injection By Avoiding Raw Queries
      ▪ Keep app dependencies up to date
      ▪ Never Display Errors and Exceptions on Production
      ▪ Do not store Sensitive data in Configuration file
      ▪ Log All the things
      ▪ Make Sure Permissions on Filesystem are limited
      ▪ Force HTTPS if Your Application is Exchanging Sensitive Information
  • 3. Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery)
      ✓ Cross-site request forgeries are a type of malicious exploit whereby unauthorized commands are performed on behalf of an authenticated user.
      ✓ Laravel uses CSRF tokens to make sure that external third parties cannot generate forged requests that the application would accept.
      ✓ Laravel makes it easy to protect your application from cross-site request forgery (CSRF) attacks.
  • 4. Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery)
  • 5. Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery)
      How is a CSRF attack carried out?
      Assume you have an application that is used to send money to friends, and that users need to be signed in to send money. Assume that the action to send money is also a simple form. The make-believe form requires the email of the recipient and the amount to be sent. When the send button is clicked, a POST request is made to the application server to send the amount to the recipient. Everything seems okay, and during testing logged-in users can send money to other users, which is what is expected.
  • 6. Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery) An attacker who wants to hoodwink the system will very likely study the application for a while trying to locate vulnerabilities. They note the URL where the request is sent to and they know it needs to be a POST request with the email of the recipient and the amount you want to send. The attacker then creates a program that can be embedded in an image or in the webpage directly and executed when the image is clicked or executed when a link is clicked. When the script is executed, the server sees it as another regular request made from the logged in user and then processes it. This means that everyone authenticated to the target site visiting the attacker’s site will be open to a CSRF attack and may indeed be sending money they didn’t intend to send.
  • 7. Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery) Carrying out your own CSRF attack Now, let’s look at how to do a simple CSRF attack on an application.
  • 8. Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery)
      Laravel CSRF in Forms
      When defining your form fields in a view, you should always include a hidden CSRF token field so that the CSRF protection middleware can validate the request. Using @csrf inside the form, the Blade directive generates the hidden field for you.
      <form method="POST" action="/employee">
          @csrf
          ...
      </form>
  • 9. Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery)
      Laravel CSRF Token in Ajax Calls
      In Laravel, middleware handles all requests and rejects any POST request that does not carry a valid CSRF token. Therefore, you must include the CSRF token when sending an AJAX request.
      data: { "_token": "{!! csrf_token() !!}" }
      $.ajax({
          type: "POST",
          data: {"_token": "{{ csrf_token() }}", "id": id},
          url: some_url,
          success: function(msg){
              // response
          }
      });
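The mechanism behind the `@csrf` field and the `_token` AJAX parameter above, as an added example in plain PHP (not Laravel's own code): a random token bound to the session, compared in constant time, accepted either as the `_token` field or as the `X-CSRF-TOKEN` header Laravel also honours. The function names and the money-transfer scenario are constructed for illustration.

```php
<?php
// Added example (not from the slides): the mechanism Laravel's VerifyCsrfToken
// middleware implements, written without the framework so it runs anywhere.
// Function names are mine; the scenario mirrors the slides' send-money form.

function issueCsrfToken(array &$session): string
{
    if (empty($session['_token'])) {
        // 40 random characters, the same length Laravel's session token has.
        $session['_token'] = bin2hex(random_bytes(20));
    }
    return $session['_token'];
}

// Laravel accepts the token from the _token input or the X-CSRF-TOKEN header.
function requestTokenMatches(array $session, array $post, array $headers): bool
{
    $supplied = $post['_token'] ?? $headers['X-CSRF-TOKEN'] ?? null;
    if (!is_string($supplied) || empty($session['_token'])) {
        return false;
    }
    // hash_equals: constant-time comparison, no timing leak on the token.
    return hash_equals($session['_token'], $supplied);
}

function handleSendMoney(array $session, array $post, array $headers = []): string
{
    if (!requestTokenMatches($session, $post, $headers)) {
        // Laravel answers a failed check with HTTP 419 (TokenMismatchException).
        return 'HTTP 419: CSRF token mismatch';
    }
    return sprintf('sent %s to %s', $post['amount'], $post['email']);
}

// Constructed session for an authenticated user.
$session = ['user_id' => 42];
$token = issueCsrfToken($session);

// 1. The form rendered with @csrf carries the hidden _token field.
echo handleSendMoney($session, [
    '_token' => $token, 'email' => 'friend@example.com', 'amount' => '10',
]), PHP_EOL;

// 2. A request forged from another site: the browser attaches the session
//    cookie, but the other site cannot read the token, so the field is absent.
echo handleSendMoney($session, [
    'email' => 'attacker@example.com', 'amount' => '1000',
]), PHP_EOL;

// 3. The AJAX variant from the slides, with the token sent as a header.
echo handleSendMoney($session, [
    'email' => 'friend@example.com', 'amount' => '5',
], ['X-CSRF-TOKEN' => $token]), PHP_EOL;
```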
  • 10. Protection against XSS (Cross Site Scripting)
      ✓ Cross-site scripting (XSS) attacks happen when attackers are able to place client-side JavaScript code in a page viewed by other users.
      ✓ In our application, assuming that the name of our cat is not escaped, if we enter the following snippet of code as the value for the name, every visitor will be greeted with an alert message everywhere the name of our cat is displayed: Evil Cat <script>alert('Meow!')</script>
      ✓ While this is a rather harmless script, it would be very easy to insert a longer script, or a link to an external script, that steals the session or cookie values.
      ✓ To avoid this kind of attack, you should never trust any user-submitted data, and you should always escape dangerous characters. Favor the double-brace syntax ({{ $value }}) in your Blade templates, and only use the {!! $value !!} syntax where you are certain the data is safe to display in its raw format.
  • 11. XSS
  • 12. XSS
      I have created a very simple example. The user can add and delete tasks in the app. I will not use controllers for such a small app and instead will create the functions directly in the routes.php file.
      use App\Task;
      use Illuminate\Http\Request;

      // Display All Tasks
      Route::get('/', function () {
          $tasks = Task::orderBy('created_at', 'asc')->get();
          return view('tasks', [
              'tasks' => $tasks
          ]);
      });

      // Add A New Task (the name is stored exactly as submitted)
      Route::post('/task', function (Request $request) {
          $task = new Task;
          $task->name = $request->name;
          $task->save();
          return redirect('/');
      });

      // Delete An Existing Task
      Route::delete('/task/{id}', function ($id) {
          Task::findOrFail($id)->delete();
          return redirect('/');
      });
  • 13. XSS
      And the relevant code in the view that shows the tasks (the name is printed unescaped, which is what makes the demo on the next slides work):
      @foreach ($tasks as $task)
          ...
          <!-- Task Name -->
          <td class="table-text">
              <div>{!! $task->name !!}</div>
          </td>
          ...
  • 14. XSS Now instead of adding a task like I am supposed to, I am going to insert this: <script>alert("boom")</script>
  • 15. XSS Now anyone who lands on this page is going to see this:
  • 16. XSS Always use <div>{{ $task->name }}</div> in place of <div>{!! $task->name !!}</div>: the double-brace syntax escapes the value, while {!! !!} prints it raw.
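What the two Blade syntaxes do to the task name from slide 14, as an added example that is not part of the slides: `escapeLikeBlade` applies the same `htmlspecialchars` flags Laravel's `e()` helper uses, and the remaining function names are mine.

```php
<?php
// Added example (not from the slides): Blade's {{ }} versus {!! !!} applied to
// the task name. escapeLikeBlade mirrors Laravel's e() helper; the other
// function names are mine.

function escapeLikeBlade(string $value): string
{
    // ENT_QUOTES also escapes ' and ", so the value is safe inside attributes.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one task cell the way the slides' view does, escaped or raw.
function renderTaskCell(string $name, bool $raw = false): string
{
    $shown = $raw ? $name : escapeLikeBlade($name);
    return '<td class="table-text"><div>' . $shown . '</div></td>';
}

// Does the rendered HTML still contain a live <script> tag?
function containsScriptTag(string $html): bool
{
    return (bool) preg_match('/<script\b/i', $html);
}

// Constructed input: the task name inserted on slide 14.
$payload = '<script>alert("boom")</script>';

// {{ $task->name }}: the angle brackets and quotes become entities, so the
// browser shows the text of the payload instead of running it.
$escaped = renderTaskCell($payload);
echo $escaped, PHP_EOL;

// {!! $task->name !!}: the markup reaches the browser untouched and executes
// for every visitor who opens the task list.
$unescaped = renderTaskCell($payload, true);
echo $unescaped, PHP_EOL;

var_dump(containsScriptTag($escaped));   // escaped output carries no tag
var_dump(containsScriptTag($unescaped)); // raw output still carries the tag
```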
  • 17. Prevent SQL injection By Avoiding Raw Queries
      ✓ An SQL injection vulnerability exists when an application inserts arbitrary and unfiltered user input in an SQL query. This user input can come from cookies, server variables, or, most frequently, through GET or POST input values.
      ✓ These attacks are conducted to access or modify data that is not normally available and sometimes to disturb the normal functioning of the application.
      ✓ By default, Laravel will protect you against this type of attack since both the query builder and Eloquent use the PHP Data Objects (PDO) class behind the scenes. PDO uses prepared statements, which allow you to safely pass any parameters without having to escape and sanitize them.
  • 18. Prevent SQL injection By Avoiding Raw Queries
      Consider for instance a form field used to supply an e-mail address which might be used for searching a user table. But instead of supplying an e-mail address, the user searches for 'jason@example.com' or 1=1. Left unsecured, the resulting query might look like this:
      SELECT * FROM users WHERE email = 'abc@example.com' or 1=1
      1=1 is a simple logic expression that always evaluates to true, meaning that when coupled with or, all records will be returned from the users table!
  • 19. Prevent SQL injection By Avoiding Raw Queries
      $id = $request->get('id');

      // Dangerous: here's what we want to avoid (user input interpolated into SQL)
      $result = DB::select(
          DB::raw("SELECT * FROM users WHERE id = $id")
      );

      // Safe: the query builder binds $id as a prepared-statement parameter
      $result = DB::table('users')->where('id', $id)->get();

      // Even better:
      $user = App\User::find($id);

      // Even *better*: route model binding resolves the user for you
      public function myMethod(App\User $user, Request $request);
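The slide 18 input run both ways against an in-memory SQLite database through PDO, the layer the slides say the query builder and Eloquent sit on. This is an added example, not code from the slides; the table, rows and function names are constructed for illustration.

```php
<?php
// Added example (not from the slides): the "or 1=1" search from slide 18 sent
// through string interpolation and through a PDO prepared statement. The
// users table and function names are constructed for this demonstration.

function setupUsers(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users (email) VALUES
        ('abc@example.com'), ('jason@example.com'), ('admin@example.com')");
    return $pdo;
}

// Dangerous: the same shape as DB::raw("... WHERE id = $id") on slide 19.
function findByEmailRaw(PDO $pdo, string $email): array
{
    $sql = "SELECT * FROM users WHERE email = '$email'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: a prepared statement, which is what ->where('email', $email) issues.
// The value travels separately from the SQL text and is never parsed as SQL.
function findByEmailPrepared(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE email = ?');
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = setupUsers();

// A normal search: both functions return the single matching row.
$normal = 'jason@example.com';
printf("raw/normal: %d row(s)\n", count(findByEmailRaw($pdo, $normal)));
printf("prepared/normal: %d row(s)\n", count(findByEmailPrepared($pdo, $normal)));

// Constructed input: the slide's tautology, quoted so the SQL stays balanced.
// Interpolated, the WHERE clause becomes
//   email = 'jason@example.com' or '1'='1'
// which is true for every row, so the whole table comes back.
$tautology = "jason@example.com' or '1'='1";
printf("raw/tautology: %d row(s)\n", count(findByEmailRaw($pdo, $tautology)));

// Prepared, the same string is compared as one literal e-mail address and
// matches nothing.
printf("prepared/tautology: %d row(s)\n", count(findByEmailPrepared($pdo, $tautology)));
```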
  • 20. Keep app dependencies up to date
      ✓ Most PHP code relies on external, third-party dependencies. However, these need to be kept up to date, wherever possible, to ensure that any bug and security fixes are available to your code.
      ✓ Ensure you’re using Composer as your dependency manager and keep up to date with all of your dependencies.
  • 21. Never Display Errors and Exceptions on Production ✓While errors, warnings, and exceptions are helpful during development, if displayed in production or any other public-facing environment, they may expose sensitive information or intellectual property. ✓Ensure that this information is logged internally, and not exposed publicly.
  • 22. Never Display Errors and Exceptions on Production
      ✓ The debug option in your config/app.php configuration file determines how much information about an error is actually displayed to the user. By default, this option is set to respect the value of the APP_DEBUG environment variable, which is stored in your .env file.
      ✓ For local development, you should set the APP_DEBUG environment variable to true.
      APP_DEBUG=true
      ✓ In your production environment, this value should always be false.
      APP_DEBUG=false
      ✓ If the value is set to true in production, you risk exposing sensitive configuration values to your application's end users.
  • 23. Do not store Sensitive data in Configuration file ✓Just like you shouldn’t store sensitive data in cache entries, you also should not store sensitive data in configuration files. ✓This includes ssh keys, access credentials, and API tokens. Store them in environment variables instead. ✓Always store sensitive data in .env file
  • 24. Do not store Sensitive data in Configuration file
      TWILIO_SID=ACc3983b17046121c35104c2bca3dae2ec
      TWILIO_TOKEN=cb1bc684feff8ea0c37147dfd0f16c09
      TWILIO_FROM=+18577633121
      PAYPAL_ENV=sandbox
      PAYPAL_USERNAME=xyz.singsys.com
      PAYPAL_PASSWORD=VZEQNNPRML6F54CR
      PAYPAL_SIGN=AFcWxV21C7fd0v3bYYYRCpSSRl31A.t5R0DSvr2VkN.oaimU-BG2UthF
      PAYPAL_APPID=APP-80W284485P519543T
      PAYPAL_SANDBOX_EMAIL=abc-buyer@gmail.com
  • 25. Log All the things ✓Regardless of whether you’re logging failed login attempts, password resets, or debugging information, make sure that you’re logging, and with an easy to use, and mature package, such as Monolog. ✓To help you learn more about what's happening within your application, Laravel provides robust logging services that allow you to log messages to files, the system error log, and even to Slack to notify your entire team. ✓Under the hood, Laravel utilizes the Monolog library, which provides support for a variety of powerful log handlers. Laravel makes it a cinch to configure these handlers, allowing you to mix and match them to customize your application's log handling.
  • 26. Log All the things
      ✓ You may write information to the logs using the Log facade.
      ✓ The logger provides the eight logging levels defined in the RFC 5424 specification: emergency, alert, critical, error, warning, notice, info and debug:
      Log::emergency($message);
      Log::alert($message);
      Log::critical($message);
      Log::error($message);
      Log::warning($message);
      Log::notice($message);
      Log::info($message);
      Log::debug($message);

      public function showProfile($id)
      {
          Log::info('Showing user profile for user: '.$id);
          return view('user.profile', ['user' => User::findOrFail($id)]);
      }
  • 27. Make Sure Permissions on Filesystem are limited
      ✓ PHP scripts should only be able to write in places where you need to upload files or specifically write files.
      ✓ These places should not be anywhere a PHP script can be executed by the server. Otherwise, it opens the way for an attacker to write a PHP file somewhere and run arbitrary PHP code.
  • 28. Force HTTPS if Your Application is Exchanging Sensitive Information
      ✓ When you deploy your website on HTTP, all the data exchanged, including passwords, is sent in plain text and could easily be stolen by anyone in between during transmission. So to keep this information safe, always deploy your web applications on HTTPS to safeguard sensitive information.
      ✓ You can set up an SSL certificate on your website with a little assistance from any Laravel developer, who will move your application from HTTP to HTTPS easily. To protect certain routes, you can use the filter defined below, which redirects users to the secure route.
      Route::filter('https', function() {
          if ( ! Request::secure())
              return Redirect::secure(URI::current());
      });
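The same redirect written for Laravel 5 and later, where route filters were replaced by middleware. This is an added example, not code from the slides; the class is mine and uses the framework's `Request::secure()` and `redirect()->secure()`.

```php
<?php
// Added example (not from the slides): slide 28's Route::filter is the
// pre-Laravel-5 API. On Laravel 5+ the same check is a middleware; this
// class is mine. It also sends an HSTS header once the site is on HTTPS.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class ForceHttps
{
    public function handle(Request $request, Closure $next)
    {
        // Only redirect in production; plain HTTP is normal on a dev machine.
        if (! $request->secure() && app()->environment('production')) {
            // 301 makes browsers remember the redirect; use 302 while rolling out.
            return redirect()->secure($request->getRequestUri(), 301);
        }

        $response = $next($request);

        // HSTS: after one HTTPS visit the browser refuses plain HTTP for a year,
        // so a later link or typed http:// URL never leaves the machine unencrypted.
        if ($request->secure()) {
            $response->headers->set(
                'Strict-Transport-Security',
                'max-age=31536000; includeSubDomains'
            );
        }

        return $response;
    }
}

// Register it for every request in app/Http/Kernel.php:
//
// protected $middleware = [
//     // ...
//     \App\Http\Middleware\ForceHttps::class,
// ];
```

Behind a load balancer that terminates TLS, `$request->secure()` only reports HTTPS if the TrustProxies middleware is configured to trust the proxy's X-Forwarded-Proto header; without that, this middleware would redirect in a loop.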