LARAVEL SECURITY STANDARDS
- Prasoon Srivastava
Key Points
▪ Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery)
▪ Protection against XSS (Cross Site Scripting)
▪ Prevent SQL injection By Avoiding Raw Queries
▪ Keep app dependencies up to date
▪ Never Display Errors and Exceptions on Production
▪ Do not store Sensitive data in Configuration file
▪ Log All the things
▪ Make Sure Permissions on Filesystem are limited
▪ Force HTTPS if Your Application is Exchanging Sensitive Information
Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery)
✓ Cross-site request forgeries are a type of malicious exploit whereby unauthorized commands are performed on behalf of an authenticated user.
✓ Laravel uses CSRF tokens to make sure that an external third party cannot generate a forged request that the application would accept as coming from an authenticated user.
✓ Laravel makes it easy to protect your application from cross-site request forgery (CSRF) attacks.
How is a CSRF attack carried out?
Assume you have an application that is used to send money to friends, and that users need to be signed in to send money. Assume that the action to send money is also a simple form.
The make-believe form requires the email of the recipient and the amount to be sent. When the send button is clicked, a POST request is made to the application server to send the amount to the recipient.
Everything seems okay, and during testing logged-in users can send money to other users, which is what is expected.
An attacker who wants to hoodwink the system will very likely study the application for a while, trying to locate vulnerabilities. They note the URL the request is sent to, and they know it needs to be a POST request with the email of the recipient and the amount to send.
The attacker then creates a script that can be embedded in an image or in the webpage directly and is executed when the image or a link is clicked.
When the script is executed, the server sees it as another regular request made by the logged-in user and processes it. This means that everyone authenticated to the target site who visits the attacker's site is open to a CSRF attack and may indeed be sending money they didn't intend to send.
Carrying out your own CSRF attack
Now, let’s look at how to do a simple CSRF attack on an application.
Laravel CSRF in Forms
When defining your form fields in a view, you should always include the hidden CSRF token field so that the CSRF protection middleware can validate the request against it. Using the @csrf Blade directive inside the form generates that hidden field for you.
<form method="POST" action="/employee">
    @csrf
    ...
</form>
Laravel CSRF Token Ajax Calls
In Laravel, the VerifyCsrfToken middleware handles all the requests and does not allow any POST request through without a valid CSRF token. Therefore, in order to proceed, you must send the CSRF token along with the AJAX request, in the _token field of the request data (the token can be printed into the script with csrf_token()):
$.ajax({
    type: "POST",
    data: {"_token": "{{ csrf_token() }}", "id": id},
    url: some_url,
    success: function(msg){
        // response
    }
});
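As an added example (not code from the slides), here is a framework-free model of the check Laravel's VerifyCsrfToken middleware performs on the @csrf field and on the AJAX _token value: the token lives in the session, the request must carry a matching copy, and the comparison is constant-time. The function names, the constructed session and the three sample requests are assumptions.

```php
<?php
// Added example, not from the slides: a stand-alone model of Laravel's
// synchronizer-token CSRF check. Function names are hypothetical.

declare(strict_types=1);

// The per-session secret Laravel stores in the session as "_token".
function generateCsrfToken(): string
{
    return bin2hex(random_bytes(20)); // 40 hex characters
}

// What the @csrf Blade directive expands to inside a <form>.
function csrfField(string $token): string
{
    return '<input type="hidden" name="_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Middleware-style check: the token from the _token form field (or the
// X-CSRF-TOKEN header used by AJAX) must equal the session token.
// hash_equals compares in constant time so the check leaks no timing info.
function tokensMatch(array $session, array $post, array $headers): bool
{
    $sessionToken = $session['_token'] ?? null;
    $requestToken = $post['_token'] ?? $headers['X-CSRF-TOKEN'] ?? null;

    if (!is_string($sessionToken) || !is_string($requestToken)) {
        return false;
    }

    return hash_equals($sessionToken, $requestToken);
}

// The "send money" action from the slides, guarded by the check above.
function handleTransfer(array $session, array $post, array $headers): string
{
    if (!tokensMatch($session, $post, $headers)) {
        return '419 Page Expired'; // Laravel's response on a token mismatch
    }

    return 'sent ' . $post['amount'] . ' to ' . $post['email'];
}

// Constructed session for a logged-in user.
$session = ['_token' => generateCsrfToken()];

// 1. Legitimate form submission: the page rendered with @csrf carries the token.
echo csrfField($session['_token']), PHP_EOL;
echo handleTransfer(
    $session,
    ['_token' => $session['_token'], 'email' => 'friend@example.com', 'amount' => '10'],
    []
), PHP_EOL;

// 2. Legitimate AJAX call: same token, sent in the X-CSRF-TOKEN header instead.
echo handleTransfer(
    $session,
    ['email' => 'friend@example.com', 'amount' => '10'],
    ['X-CSRF-TOKEN' => $session['_token']]
), PHP_EOL;

// 3. Cross-site request: the browser still attaches the session cookie, but a
//    third-party page cannot read the token, so the field is absent and the
//    request is rejected before the money moves.
echo handleTransfer(
    $session,
    ['email' => 'someone-else@example.com', 'amount' => '1000'],
    []
), PHP_EOL;
```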
Protection against XSS (Cross Site Scripting)
✓ Cross-site scripting (XSS) attacks happen when attackers are able to place client-side JavaScript code in a page viewed by other users.
✓ In our application, assuming that the name of our cat is not escaped, if we enter the following snippet of code as the value for the name, every visitor will be greeted with an alert message everywhere the name of our cat is displayed:
Evil Cat <script>alert('Meow!')</script>
✓ While this is a rather harmless script, it would be very easy to insert a longer script, or a link to an external script, that steals the session or cookie values.
✓ To avoid this kind of attack, you should never trust any user-submitted data and should always escape any dangerous characters. Favor the double-brace syntax ({{ $value }}) in your Blade templates, and only use the {!! $value !!} syntax where you're certain the data is safe to display in its raw format.
XSS
I have created a very simple example. The user can add and delete tasks in the app. I will not use controllers for such a small app and instead will define the handlers directly in the routes.php file.
// routes.php (Laravel 5.x style)
use App\Task;
use Illuminate\Http\Request;

// Display All Tasks
Route::get('/', function () {
    $tasks = Task::orderBy('created_at', 'asc')->get();
    return view('tasks', [
        'tasks' => $tasks
    ]);
});

// Add A New Task
Route::post('/task', function (Request $request) {
    $task = new Task;
    $task->name = $request->name; // stored verbatim; escaping is the view's job
    $task->save();
    return redirect('/');
});

// Delete An Existing Task
Route::delete('/task/{id}', function ($id) {
    Task::findOrFail($id)->delete();
    return redirect('/');
});
And the relevant code in the view that shows the tasks:
@foreach ($tasks as $task)
...
<!-- Task Name -->
<td class="table-text">
<div>{{ $task->name }}</div>
</td>
...
Now instead of adding a task like I am supposed to, I am going to insert this:
<script>alert("boom")</script>
Now anyone who lands on this page is going to see the alert box if the name is rendered with the unescaped {!! !!} syntax.
Always Use
<div>{{ $task->name }}</div>
Inplace of
<div>{!! $task->name !!}</div>
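As an added example (not code from the slides), the task cell above rendered both ways on the slide's own payload, using the same escaping Blade's {{ }} applies (htmlspecialchars with ENT_QUOTES and UTF-8, which is what Laravel's e() helper calls). The helper names and the constructed task names are assumptions.

```php
<?php
// Added example, not from the slides: what {{ }} versus {!! !!} does to a
// stored task name. Helper names are hypothetical.

declare(strict_types=1);

// Equivalent of Blade's {{ }} / Laravel's e(): encode <, >, &, " and '.
function escapeLikeBlade(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', true);
}

// Render the <td> from the tasks view, escaped ({{ }}) or raw ({!! !!}).
function renderTaskCell(string $name, bool $escaped): string
{
    $body = $escaped ? escapeLikeBlade($name) : $name;

    return '<td class="table-text"><div>' . $body . '</div></td>';
}

// A check worth keeping in a test suite: after escaping, no '<' survives, so
// the stored name can never open a tag in the page, whatever it contains.
function escapedBodyIsInert(string $name): bool
{
    return strpos(escapeLikeBlade($name), '<') === false;
}

// Constructed task names: one harmless, two copied from the slides' payloads.
$tasks = [
    'Buy milk',
    '<script>alert("boom")</script>',
    "Evil Cat <script>alert('Meow!')</script>",
];

foreach ($tasks as $name) {
    echo 'raw     : ', renderTaskCell($name, false), PHP_EOL; // {!! !!}: markup reaches the browser
    echo 'escaped : ', renderTaskCell($name, true), PHP_EOL;  // {{ }}: shown as literal text
    echo 'inert   : ', escapedBodyIsInert($name) ? 'yes' : 'no', PHP_EOL;
    echo PHP_EOL;
}
```

Escaping is context-specific: this protects text placed in element content and quoted attributes, but a value dropped into a JavaScript block or a URL needs its own encoding.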
Prevent SQL injection By Avoiding Raw Queries
✓ An SQL injection vulnerability exists when an application inserts arbitrary and unfiltered user input in an SQL query. This user input can come from cookies, server variables, or, most frequently, through GET or POST input values.
✓ These attacks are conducted to access or modify data that is not normally available and sometimes to disturb the normal functioning of the application.
✓ By default, Laravel protects you against this type of attack, since both the query builder and Eloquent use the PHP Data Objects (PDO) class behind the scenes. PDO uses prepared statements, which let you safely pass any parameters without having to escape and sanitize them yourself.
Consider for instance a form field used to supply an e-mail address which might be used for searching a user table. But instead of supplying an e-mail address, the user searches for 'jason@example.com' or 1=1. Left unsecured, the resulting query might look like this:
SELECT * FROM users WHERE email = 'abc@example.com' or 1=1
1=1 is a simple logic expression that always evaluates to true, so when coupled with OR, all records in the users table are returned!
$id = $request->get('id');

// Dangerous (this is what we want to avoid): $id is interpolated straight into the SQL string
$result = DB::select( DB::raw("SELECT * FROM users WHERE id = $id") );

// Safe: the query builder binds $id as a prepared-statement parameter
$result = DB::table('users')->where('id', $id)->get();

// Even better: Eloquent, with the same parameter binding under the hood
$user = App\User::find($id);

// Even *better*: route model binding, Laravel resolves the User from the route parameter for you
public function myMethod(App\User $user, Request $request)
{
    // ...
}
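As an added example (not code from the slides), the e-mail search from the previous slide run both ways against an in-memory SQLite database through PDO, the layer Laravel's query builder and Eloquent sit on. It assumes the pdo_sqlite extension is loaded; the table contents, the function names and the search input are constructed.

```php
<?php
// Added example, not from the slides: string interpolation versus a prepared
// statement for the users/email search. Assumes pdo_sqlite is available.

declare(strict_types=1);

// Constructed users table with three accounts.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO users (email) VALUES (?)');
foreach (['alice@example.com', 'bob@example.com', 'carol@example.com'] as $email) {
    $insert->execute([$email]);
}

// Dangerous: the same interpolation as DB::raw("... WHERE id = $id") on the
// slide. Whatever the user typed becomes part of the SQL text.
function findByEmailRaw(PDO $pdo, string $email): array
{
    $sql = "SELECT * FROM users WHERE email = '$email'";

    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: a prepared statement. This is what DB::table('users')->where('email', $email)
// compiles to ("select * from users where email = ?" plus one binding); the
// driver sends the value separately, so it can never change the query's shape.
function findByEmailPrepared(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE email = ?');
    $stmt->execute([$email]);

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed search input in the style of the slide's "' or 1=1" example.
// The trailing "--" comments out the closing quote the raw query appends.
$input = "abc@example.com' or 1=1 --";

printf("raw query       : %d rows\n", count(findByEmailRaw($pdo, $input)));
printf("prepared query  : %d rows\n", count(findByEmailPrepared($pdo, $input)));
printf("prepared, valid : %d rows\n", count(findByEmailPrepared($pdo, 'bob@example.com')));
```

For that input the raw query returns every user because the WHERE clause collapses to OR 1=1, while the prepared query returns no rows, since it looks for an address that literally contains the quote and the comment marker.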
Keep app dependencies up to date
✓ Most PHP code relies on external, third-party dependencies. However, these need to be kept up to date, wherever possible, to ensure that any bug and security fixes are available to your code.
✓ Ensure you're using Composer as your dependency manager and keep up to date with all of your dependencies.
Never Display Errors and Exceptions on Production
✓ While errors, warnings, and exceptions are helpful during development, if displayed in production or any other public-facing environment, they may expose sensitive information or intellectual property.
✓ Ensure that this information is logged internally, and not exposed publicly.
✓ The debug option in your config/app.php configuration file determines how much information about an error is actually displayed to the user. By default, this option is set to respect the value of the APP_DEBUG environment variable, which is stored in your .env file.
✓ For local development, you should set the APP_DEBUG environment variable to true.
APP_DEBUG=true
✓ In your production environment, this value should always be false.
APP_DEBUG=false
✓ If the value is set to true in production, you risk exposing sensitive configuration values to your application's end users.
Do not store Sensitive data in Configuration file
✓ Just like you shouldn't store sensitive data in cache entries, you also should not store sensitive data in configuration files.
✓ This includes SSH keys, access credentials, and API tokens. Store them in environment variables instead.
✓ Always store sensitive data in the .env file.
# .env (values shown are placeholders; keep the real file out of version control)
TWILIO_SID=<twilio-account-sid>
TWILIO_TOKEN=<twilio-auth-token>
TWILIO_FROM=<twilio-from-number>
PAYPAL_ENV=sandbox
PAYPAL_USERNAME=<paypal-api-username>
PAYPAL_PASSWORD=<paypal-api-password>
PAYPAL_SIGN=<paypal-api-signature>
PAYPAL_APPID=<paypal-app-id>
PAYPAL_SANDBOX_EMAIL=<paypal-sandbox-buyer-email>
Log All the things
✓ Regardless of whether you're logging failed login attempts, password resets, or debugging information, make sure that you're logging, and with an easy to use, mature package, such as Monolog.
✓ To help you learn more about what's happening within your application, Laravel provides robust logging services that allow you to log messages to files, the system error log, and even to Slack to notify your entire team.
✓ Under the hood, Laravel utilizes the Monolog library, which provides support for a variety of powerful log handlers. Laravel makes it a cinch to configure these handlers, allowing you to mix and match them to customize your application's log handling.
✓ You may write information to the logs using the Log facade.
✓ The logger provides the eight logging levels defined in the RFC 5424 specification: emergency, alert, critical, error, warning, notice, info and debug:
Log::emergency($message);
Log::alert($message);
Log::critical($message);
Log::error($message);
Log::warning($message);
Log::notice($message);
Log::info($message);
Log::debug($message);

use Illuminate\Support\Facades\Log;

public function showProfile($id)
{
    // Record which profile was requested before loading it
    Log::info('Showing user profile for user: '.$id);
    return view('user.profile', ['user' => User::findOrFail($id)]);
}
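As an added example (not code from the slides), a listener that logs the failed login attempts the slide names as something worth logging. Laravel fires Illuminate\Auth\Events\Failed on every rejected attempt; the listener class and the field names in the log context are assumptions, and the registration shown in the trailing comment goes in EventServiceProvider.

```php
<?php
// Added example, not from the slides: log failed logins through the Log facade.
// The class is hypothetical; Illuminate\Auth\Events\Failed is Laravel's own event.

namespace App\Listeners;

use Illuminate\Auth\Events\Failed;
use Illuminate\Support\Facades\Log;

class LogFailedLogin
{
    public function handle(Failed $event): void
    {
        // $event->credentials is the full submitted array, password included.
        // Log only the identifier: a password (even a wrong one) must never
        // end up in a log file or a Slack channel.
        $identifier = $event->credentials['email'] ?? '(no email supplied)';

        Log::warning('Failed login attempt', [
            'email'   => $identifier,
            // null when no account matched the identifier at all
            'user_id' => $event->user ? $event->user->getAuthIdentifier() : null,
            'ip'      => request()->ip(),
            'agent'   => request()->userAgent(),
        ]);
    }
}

// Registration, in app/Providers/EventServiceProvider.php:
//
// protected $listen = [
//     \Illuminate\Auth\Events\Failed::class => [
//         \App\Listeners\LogFailedLogin::class,
//     ],
// ];
```

Repeated warnings for one IP or one e-mail in a short window are the signal a detection rule or a rate limiter can act on, which is only possible if the attempts are logged in the first place.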
Make Sure Permissions on Filesystem are limited
✓ PHP scripts should only be able to write in the places where you need to receive uploads or specifically write files.
✓ These places should not be anywhere a PHP script can be executed by the server. Otherwise, an attacker who manages to write a PHP file there can run arbitrary PHP code.
Force HTTPS if Your Application is Exchanging Sensitive Information
✓ When you deploy your website on HTTP, all the data exchanged, including passwords, is sent in plain text and could easily be stolen by anyone in between the transmission. So to keep this information safe, always deploy your web applications on HTTPS to safeguard their sensitive information.
✓ You could simply set up an SSL certificate on your website with a little assistance from any Laravel developer, who will shift your application from HTTP to HTTPS easily. To protect certain routes, you could use the filter defined below (Laravel 4 filter syntax), which redirects users to the secured route.
Route::filter('https', function() {
    // Redirect any plain-HTTP request to the same URL over HTTPS
    if ( ! Request::secure())
        return Redirect::secure(URL::current());
});
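As an added example (not code from the slides), the same redirect written as a middleware for current Laravel versions, where route filters no longer exist, plus an HSTS header so browsers keep using HTTPS on later visits. The class name is an assumption; it is applied globally by adding it to the Kernel's $middleware array.

```php
<?php
// Added example, not from the slides: the Laravel 4 "https" filter as a
// middleware. The class name is hypothetical.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class ForceHttps
{
    public function handle(Request $request, Closure $next)
    {
        // Only enforce in production so http://localhost keeps working in
        // development. $request->secure() reads the scheme the app sees; behind
        // a load balancer that terminates TLS, configure the TrustProxies
        // middleware so the X-Forwarded-Proto header is honoured here.
        if (!$request->secure() && app()->environment('production')) {
            // 301: permanent, so clients and caches remember the HTTPS URL
            return redirect()->secure($request->getRequestUri(), 301);
        }

        $response = $next($request);

        // HSTS: the browser will upgrade future requests to HTTPS itself for a
        // year, without first sending anything over plain HTTP.
        $response->headers->set(
            'Strict-Transport-Security',
            'max-age=31536000; includeSubDomains'
        );

        return $response;
    }
}
```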
Thank You
Wilcom Embroidery Studio Crack Free Latest 2025
Web Designer
 
How to Troubleshoot 9 Types of OutOfMemoryError
How to Troubleshoot 9 Types of OutOfMemoryErrorHow to Troubleshoot 9 Types of OutOfMemoryError
How to Troubleshoot 9 Types of OutOfMemoryError
Tier1 app
 
Meet the New Kid in the Sandbox - Integrating Visualization with Prometheus
Meet the New Kid in the Sandbox - Integrating Visualization with PrometheusMeet the New Kid in the Sandbox - Integrating Visualization with Prometheus
Meet the New Kid in the Sandbox - Integrating Visualization with Prometheus
Eric D. Schabell
 
Time Estimation: Expert Tips & Proven Project Techniques
Time Estimation: Expert Tips & Proven Project TechniquesTime Estimation: Expert Tips & Proven Project Techniques
Time Estimation: Expert Tips & Proven Project Techniques
Livetecs LLC
 
Adobe Media Encoder Crack FREE Download 2025
Adobe Media Encoder  Crack FREE Download 2025Adobe Media Encoder  Crack FREE Download 2025
Adobe Media Encoder Crack FREE Download 2025
zafranwaqar90
 
Why Tapitag Ranks Among the Best Digital Business Card Providers
Why Tapitag Ranks Among the Best Digital Business Card ProvidersWhy Tapitag Ranks Among the Best Digital Business Card Providers
Why Tapitag Ranks Among the Best Digital Business Card Providers
Tapitag
 
Wilcom Embroidery Studio Crack 2025 For Windows
Wilcom Embroidery Studio Crack 2025 For WindowsWilcom Embroidery Studio Crack 2025 For Windows
Wilcom Embroidery Studio Crack 2025 For Windows
Google
 
Exchange Migration Tool- Shoviv Software
Exchange Migration Tool- Shoviv SoftwareExchange Migration Tool- Shoviv Software
Exchange Migration Tool- Shoviv Software
Shoviv Software
 
[gbgcpp] Let's get comfortable with concepts
[gbgcpp] Let's get comfortable with concepts[gbgcpp] Let's get comfortable with concepts
[gbgcpp] Let's get comfortable with concepts
Dimitrios Platis
 
Top Magento Hyvä Theme Features That Make It Ideal for E-commerce.pdf
Top Magento Hyvä Theme Features That Make It Ideal for E-commerce.pdfTop Magento Hyvä Theme Features That Make It Ideal for E-commerce.pdf
Top Magento Hyvä Theme Features That Make It Ideal for E-commerce.pdf
evrigsolution
 
From Vibe Coding to Vibe Testing - Complete PowerPoint Presentation
From Vibe Coding to Vibe Testing - Complete PowerPoint PresentationFrom Vibe Coding to Vibe Testing - Complete PowerPoint Presentation
From Vibe Coding to Vibe Testing - Complete PowerPoint Presentation
Shay Ginsbourg
 
Beyond the code. Complexity - 2025.05 - SwiftCraft
Beyond the code. Complexity - 2025.05 - SwiftCraftBeyond the code. Complexity - 2025.05 - SwiftCraft
Beyond the code. Complexity - 2025.05 - SwiftCraft
Dmitrii Ivanov
 
Sequence Diagrams With Pictures (1).pptx
Sequence Diagrams With Pictures (1).pptxSequence Diagrams With Pictures (1).pptx
Sequence Diagrams With Pictures (1).pptx
aashrithakondapalli8
 
Download MathType Crack Version 2025???
Download MathType Crack  Version 2025???Download MathType Crack  Version 2025???
Download MathType Crack Version 2025???
Google
 
Artificial hand using embedded system.pptx
Artificial hand using embedded system.pptxArtificial hand using embedded system.pptx
Artificial hand using embedded system.pptx
bhoomigowda12345
 
Digital Twins Software Service in Belfast
Digital Twins Software Service in BelfastDigital Twins Software Service in Belfast
Digital Twins Software Service in Belfast
julia smits
 
How to avoid IT Asset Management mistakes during implementation_PDF.pdf
How to avoid IT Asset Management mistakes during implementation_PDF.pdfHow to avoid IT Asset Management mistakes during implementation_PDF.pdf
How to avoid IT Asset Management mistakes during implementation_PDF.pdf
victordsane
 
The-Future-is-Hybrid-Exploring-Azure’s-Role-in-Multi-Cloud-Strategies.pptx
The-Future-is-Hybrid-Exploring-Azure’s-Role-in-Multi-Cloud-Strategies.pptxThe-Future-is-Hybrid-Exploring-Azure’s-Role-in-Multi-Cloud-Strategies.pptx
The-Future-is-Hybrid-Exploring-Azure’s-Role-in-Multi-Cloud-Strategies.pptx
james brownuae
 
Serato DJ Pro Crack Latest Version 2025??
Serato DJ Pro Crack Latest Version 2025??Serato DJ Pro Crack Latest Version 2025??
Serato DJ Pro Crack Latest Version 2025??
Web Designer
 
Top 12 Most Useful AngularJS Development Tools to Use in 2025
Top 12 Most Useful AngularJS Development Tools to Use in 2025Top 12 Most Useful AngularJS Development Tools to Use in 2025
Top 12 Most Useful AngularJS Development Tools to Use in 2025
GrapesTech Solutions
 

Laravel Security Standards

  • 1. LARAVEL SECURITY STANDARDS - Prasoon Srivastava
  • 2. Key Points
    ▪ Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery)
    ▪ Protection against XSS (Cross Site Scripting)
    ▪ Prevent SQL injection By Avoiding Raw Queries
    ▪ Keep app dependencies up to date
    ▪ Never Display Errors and Exceptions on Production
    ▪ Do not store Sensitive data in Configuration file
    ▪ Log All the things
    ▪ Make Sure Permissions on Filesystem are limited
    ▪ Force HTTPS if Your Application is Exchanging Sensitive Information
  • 3. Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery)
    ✓ Cross-site request forgeries are a type of malicious exploit whereby unauthorized commands are performed on behalf of an authenticated user.
    ✓ Laravel uses CSRF tokens to make sure that external third parties cannot generate fake requests that the application would accept as the user's own.
    ✓ Laravel makes it easy to protect your application from cross-site request forgery (CSRF) attacks.
  • 4. Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery)
  • 5. Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery)
    How is a CSRF attack carried out?
    Assume you have an application that is used to send money to friends, and for users to send money they need to be signed in. Assume that the action to send money is also a simple form.
    The make-believe form requires the email of the recipient and the amount to be sent. When the send button is clicked, a POST request is made to the application server to send the amount to the recipient.
    Everything seems okay, and during testing logged-in users can send money to other users, which is what is expected.
  • 6. Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery)
    An attacker who wants to hoodwink the system will very likely study the application for a while trying to locate vulnerabilities. They note the URL where the request is sent, and they know it needs to be a POST request with the email of the recipient and the amount you want to send.
    The attacker then creates a program that can be embedded in an image or in the webpage directly and executed when the image is clicked or when a link is clicked.
    When the script is executed, the server sees it as another regular request made from the logged-in user and then processes it. This means that everyone authenticated to the target site who visits the attacker's site will be open to a CSRF attack and may indeed be sending money they didn't intend to send.
  • 7. Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery)
    Carrying out your own CSRF attack
    Now, let's look at how to do a simple CSRF attack on an application.
  • 8. Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery)
    Laravel CSRF in Forms
    When defining your form fields in a view, you should always include the hidden CSRF token form field so that the CSRF protection middleware can validate the request. Using @csrf in the form, the Blade directive generates the hidden field for you.

        <form method="POST" action="/employee">
            @csrf
            ...
        </form>
  • 9. Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery)
    Laravel CSRF Token in Ajax Calls
    In Laravel, middleware handles all the requests and does not allow any POST request through without the right CSRF token. Therefore, you must include the CSRF token when sending the AJAX request, for example as part of the posted data:

        data: { "_token": "{!! csrf_token() !!}" }

        $.ajax({
            type: "POST",
            data: { "_token": "{{ csrf_token() }}", "id": id },
            url: some_url,
            success: function (msg) {
                // response
            }
        });
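To make the mechanism behind @csrf and the X-CSRF-TOKEN header concrete, here is an added stand-alone example (not from the slides and not Laravel's own code) that mirrors the check Laravel's VerifyCsrfToken middleware performs: a per-session random token, compared in constant time against whatever the request carries, and only for state-changing methods. The class and function names are assumptions.

```php
<?php
// Added example: a minimal model of Laravel's CSRF check (names are assumptions).
declare(strict_types=1);

final class CsrfGuard
{
    // Only state-changing methods need protection; GET/HEAD/OPTIONS must not change state.
    private const UNSAFE_METHODS = ['POST', 'PUT', 'PATCH', 'DELETE'];

    /** Issue a fresh per-session token (the value csrf_token() returns in Laravel). */
    public static function issueToken(array &$session): string
    {
        $session['_token'] = bin2hex(random_bytes(20));
        return $session['_token'];
    }

    /**
     * @param array<string,string> $post    posted form fields (e.g. from the @csrf hidden field)
     * @param array<string,string> $headers request headers (e.g. ['X-CSRF-TOKEN' => '...'] from AJAX)
     */
    public static function validate(string $method, array $session, array $post, array $headers): bool
    {
        if (!in_array(strtoupper($method), self::UNSAFE_METHODS, true)) {
            return true;
        }
        // Accept the token from the hidden form field or from the AJAX header.
        $submitted = $post['_token'] ?? $headers['X-CSRF-TOKEN'] ?? null;
        $expected  = $session['_token'] ?? null;
        if (!is_string($submitted) || !is_string($expected) || $expected === '') {
            return false;
        }
        // Constant-time comparison: a plain === would leak timing information.
        return hash_equals($expected, $submitted);
    }
}

// Demo with constructed requests against one session.
$session = [];
$token   = CsrfGuard::issueToken($session);

// Legitimate form post carrying the @csrf hidden field.
var_dump(CsrfGuard::validate('POST', $session, ['_token' => $token], []));
// AJAX call sending the same token in the header instead of the body.
var_dump(CsrfGuard::validate('POST', $session, [], ['X-CSRF-TOKEN' => $token]));
// Forged cross-site request: the attacker's page cannot read the victim's token,
// so the money-transfer fields arrive without it and the request is rejected.
var_dump(CsrfGuard::validate('POST', $session, ['email' => 'x@example.com', 'amount' => '100'], []));
// A plain GET is not subject to the check.
var_dump(CsrfGuard::validate('GET', $session, [], []));
```

The first two and the last call return true; the forged request returns false. The same reasoning is why routes listed in the middleware's except array, or handlers that change state on GET, silently lose this protection.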
  • 10. Protection against XSS (Cross Site Scripting)
    ✓ Cross-site scripting (XSS) attacks happen when attackers are able to place client-side JavaScript code in a page viewed by other users.
    ✓ In our application, assuming that the name of our cat is not escaped, if we enter the following snippet of code as the value for the name, every visitor will be greeted with an alert message everywhere the name of our cat is displayed:

        Evil Cat <script>alert('Meow!')</script>

    ✓ While this is a rather harmless script, it would be very easy to insert a longer script, or a link to an external script, that steals the session or cookie values.
    ✓ To avoid this kind of attack, you should never trust any user-submitted data, and you should escape any dangerous characters. Favor the double-brace syntax ({{ $value }}) in your Blade templates, and only use the {!! $value !!} syntax where you're certain the data is safe to display in its raw format.
  • 11. XSS
  • 12. XSS
    I have created a very simple example. The user can add and delete tasks in the app. I will not use controllers for such a small app and will instead create the functions directly in the routes.php file.

        use App\Task;
        use Illuminate\Http\Request;

        // Display All Tasks
        Route::get('/', function () {
            $tasks = Task::orderBy('created_at', 'asc')->get();

            return view('tasks', [
                'tasks' => $tasks
            ]);
        });

        // Add A New Task
        Route::post('/task', function (Request $request) {
            $task = new Task;
            $task->name = $request->name;
            $task->save();

            return redirect('/');
        });

        // Delete An Existing Task
        Route::delete('/task/{id}', function ($id) {
            Task::findOrFail($id)->delete();

            return redirect('/');
        });
  • 13. XSS
    And the relevant code in the view that shows the tasks:

        @foreach ($tasks as $task)
            ...
            <!-- Task Name -->
            <td class="table-text">
                <div>{{ $task->name }}</div>
            </td>
            ...
  • 14. XSS
    Now, instead of adding a task like I am supposed to, I am going to insert this:

        <script>alert("boom")</script>
  • 15. XSS
    Now anyone who lands on this page is going to see this:
  • 16. XSS
    Always use the escaped form

        <div>{{ $task->name }}</div>

    in place of the raw form

        <div>{!! $task->name !!}</div>

    unless you are certain the value is safe to render unescaped.
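The following added example (not from the slides) shows, outside of Blade, what the two syntaxes actually do to the task name: `escapeLikeBlade()` applies the same htmlspecialchars call Laravel's e() helper uses for {{ }}, while the raw variant reproduces {!! !!}. The two payloads are the ones from the slides; the render functions are constructed for the demo.

```php
<?php
// Added example: Blade's {{ }} versus {!! !!}, modelled outside the framework.
declare(strict_types=1);

/** The escaping Blade applies for {{ $value }} (same flags as Laravel's e() helper). */
function escapeLikeBlade(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** What the view from slide 13 emits for one task with {{ $task->name }}. */
function renderTaskEscaped(string $name): string
{
    return '<div>' . escapeLikeBlade($name) . '</div>';
}

/** The same cell rendered with {!! $task->name !!}: markup in $name reaches the browser intact. */
function renderTaskRaw(string $name): string
{
    return '<div>' . $name . '</div>';
}

// Constructed inputs: the two payloads used in the slides plus an ordinary task.
$inputs = [
    "Evil Cat <script>alert('Meow!')</script>",
    '<script>alert("boom")</script>',
    'Buy milk',
];

foreach ($inputs as $name) {
    echo 'escaped: ', renderTaskEscaped($name), PHP_EOL;
    echo 'raw:     ', renderTaskRaw($name), PHP_EOL, PHP_EOL;
}

// Caveat: HTML-entity escaping protects text nodes and quoted attributes.
// It does not make a value safe inside an inline <script> block or as the
// scheme of an href, so those contexts need their own encoding or validation.
```

For the escaped rows the angle brackets and quotes appear as entities, so the browser shows the payload as text; the raw rows carry the script tag through unchanged, which is exactly what slide 15 demonstrates.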
  • 17. Prevent SQL injection By Avoiding Raw Queries
    ✓ An SQL injection vulnerability exists when an application inserts arbitrary and unfiltered user input in an SQL query. This user input can come from cookies, server variables, or, most frequently, through GET or POST input values.
    ✓ These attacks are conducted to access or modify data that is not normally available, and sometimes to disturb the normal functioning of the application.
    ✓ By default, Laravel will protect you against this type of attack, since both the query builder and Eloquent use the PHP Data Objects (PDO) class behind the scenes. PDO uses prepared statements, which allow you to safely pass any parameters without having to escape and sanitize them.
  • 18. Prevent SQL injection By Avoiding Raw Queries
    Consider for instance a form field used to supply an e-mail address, which might be used for searching a user table. But instead of supplying an e-mail address, the user searches for 'jason@example.com' or 1=1. Left unsecured, the resulting query might look like this:

        SELECT * FROM users WHERE email = 'abc@example.com' or 1=1

    1=1 is a simple logic expression that always evaluates to true, meaning that, when coupled with or, all records will be returned from the users table!
  • 19. Prevent SQL injection By Avoiding Raw Queries

        $id = $request->get('id');

        // Dangerous: here's what we want to avoid:
        $result = DB::select(
            DB::raw("SELECT * FROM users WHERE id = $id")
        );

        // Safe:
        $result = DB::table('users')->where('id', $id)->get();

        // Even better:
        $user = App\User::find($id);

        // Even *better* (route model binding resolves the user for you):
        public function myMethod(App\User $user, Request $request);
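Because Eloquent and the query builder sit on top of PDO, the difference between slide 19's dangerous and safe forms can be shown with PDO alone. This added example (not from the slides) runs the e-mail lookup from slide 18 against a constructed in-memory SQLite table, once with the value pasted into the SQL text and once as a bound parameter.

```php
<?php
// Added example: string interpolation versus a bound parameter, via PDO on SQLite.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
// Constructed sample rows.
$pdo->exec("INSERT INTO users (email) VALUES ('abc@example.com'), ('jason@example.com'), ('admin@example.com')");

/** Dangerous: the user's value becomes part of the SQL text, like DB::raw("... $id"). */
function findByEmailUnsafe(PDO $pdo, string $email): array
{
    $sql = "SELECT * FROM users WHERE email = '$email'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Safe: the value travels as a bound parameter, like ->where('email', $email). */
function findByEmailSafe(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE email = ?');
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$normal   = 'abc@example.com';
$injected = "abc@example.com' or 1=1 --";   // the "or 1=1" case from slide 18

printf("unsafe, normal input:   %d row(s)\n", count(findByEmailUnsafe($pdo, $normal)));
printf("unsafe, injected input: %d row(s)\n", count(findByEmailUnsafe($pdo, $injected)));
printf("safe,   normal input:   %d row(s)\n", count(findByEmailSafe($pdo, $normal)));
printf("safe,   injected input: %d row(s)\n", count(findByEmailSafe($pdo, $injected)));

// In Laravel, raw SQL can still be parameterised when you really need it:
//     DB::select('SELECT * FROM users WHERE email = ?', [$email]);
// The ? placeholders are bound by PDO exactly as in findByEmailSafe().
```

With the injected value the unsafe function returns every row in the table, while the safe function returns none, because the whole string is compared literally against the email column.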
  • 20. Keep app dependencies up to date
    ✓ Most PHP code relies on external, third-party dependencies. However, these need to be kept up to date wherever possible, to ensure that any bug and security fixes are available to your code.
    ✓ Ensure you're using Composer as your dependency manager and keep up to date with all of your dependencies.
  • 21. Never Display Errors and Exceptions on Production
    ✓ While errors, warnings, and exceptions are helpful during development, if displayed in production or any other public-facing environment they may expose sensitive information or intellectual property.
    ✓ Ensure that this information is logged internally and not exposed publicly.
  • 22. Never Display Errors and Exceptions on Production
    ✓ The debug option in your config/app.php configuration file determines how much information about an error is actually displayed to the user. By default, this option is set to respect the value of the APP_DEBUG environment variable, which is stored in your .env file.
    ✓ For local development, you should set the APP_DEBUG environment variable to true.

        APP_DEBUG=true

    ✓ In your production environment, this value should always be false.

        APP_DEBUG=false

    ✓ If the value is set to true in production, you risk exposing sensitive configuration values to your application's end users.
  • 23. Do not store Sensitive data in Configuration file
    ✓ Just like you shouldn't store sensitive data in cache entries, you also should not store sensitive data in configuration files.
    ✓ This includes SSH keys, access credentials, and API tokens. Store them in environment variables instead.
    ✓ Always store sensitive data in the .env file.
  • 24. Do not store Sensitive data in Configuration file

        TWILIO_SID=ACc3983b17046121c35104c2bca3dae2ec
        TWILIO_TOKEN=cb1bc684feff8ea0c37147dfd0f16c09
        TWILIO_FROM=+18577633121
        PAYPAL_ENV=sandbox
        PAYPAL_USERNAME=xyz.singsys.com
        PAYPAL_PASSWORD=VZEQNNPRML6F54CR
        PAYPAL_SIGN=AFcWxV21C7fd0v3bYYYRCpSSRl31A.t5R0DSvr2VkN.oaimU-BG2UthF
        PAYPAL_APPID=APP-80W284485P519543T
        PAYPAL_SANDBOX_EMAIL=abc-buyer@gmail.com
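The .env file above is only half of the pattern; the configuration file must refer to those variables rather than carry the values. This added example (not from the slides) shows a config/services.php entry in the weak form and in the corrected form, using the variable names from slide 24; the twilio and paypal keys are assumptions about how the deck's application is laid out.

```php
<?php
// Added example: config/services.php should name env variables, never hold secrets.

// Weak form (do not do this): the credential is committed with the code,
// appears in every backup and in any debug page that dumps configuration.
//
//     'twilio' => [
//         'sid'   => 'AC...literal account SID...',
//         'token' => '...literal auth token...',
//     ],

// Corrected form: the config file only names the variable. The value lives
// in .env (git-ignored by default) or in the real process environment.
return [
    'twilio' => [
        'sid'   => env('TWILIO_SID'),
        'token' => env('TWILIO_TOKEN'),
        'from'  => env('TWILIO_FROM'),
    ],

    'paypal' => [
        'env'           => env('PAYPAL_ENV', 'sandbox'),   // non-secret: a default is fine
        'username'      => env('PAYPAL_USERNAME'),
        'password'      => env('PAYPAL_PASSWORD'),
        'signature'     => env('PAYPAL_SIGN'),
        'app_id'        => env('PAYPAL_APPID'),
        'sandbox_email' => env('PAYPAL_SANDBOX_EMAIL'),
    ],
];

// Application code then reads config('services.twilio.sid'), never env()
// directly: after `php artisan config:cache` the .env file is no longer
// loaded and env() returns null outside configuration files.
```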
  • 25. Log All the things
    ✓ Regardless of whether you're logging failed login attempts, password resets, or debugging information, make sure that you're logging, and with an easy-to-use, mature package such as Monolog.
    ✓ To help you learn more about what's happening within your application, Laravel provides robust logging services that allow you to log messages to files, the system error log, and even to Slack to notify your entire team.
    ✓ Under the hood, Laravel utilizes the Monolog library, which provides support for a variety of powerful log handlers. Laravel makes it a cinch to configure these handlers, allowing you to mix and match them to customize your application's log handling.
  • 26. Log All the things
    ✓ You may write information to the logs using the Log facade.
    ✓ The logger provides the eight logging levels defined in the RFC 5424 specification: emergency, alert, critical, error, warning, notice, info and debug:

        Log::emergency($message);
        Log::alert($message);
        Log::critical($message);
        Log::error($message);
        Log::warning($message);
        Log::notice($message);
        Log::info($message);
        Log::debug($message);

        public function showProfile($id)
        {
            Log::info('Showing user profile for user: '.$id);

            return view('user.profile', ['user' => User::findOrFail($id)]);
        }
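Slide 25 names failed login attempts as the first thing worth logging. This added example (not from the slides) is an event listener that records them with the Log facade and a context array, which is what a responder needs to spot a credential-stuffing run; the listener class name is an assumption, while Illuminate\Auth\Events\Failed and the Log facade are Laravel's own.

```php
<?php
// Added example: log every failed login with enough context to detect abuse.
namespace App\Listeners;

use Illuminate\Auth\Events\Failed;
use Illuminate\Support\Facades\Log;

class LogFailedLogin
{
    public function handle(Failed $event): void
    {
        // Never log the submitted password. The identifier, source address and
        // whether the account exists are what detection rules key on.
        Log::warning('Login failed', [
            'guard'      => $event->guard,
            'email'      => $event->credentials['email'] ?? null,
            'user_known' => $event->user !== null,
            'ip'         => request()->ip(),
            'user_agent' => request()->userAgent(),
        ]);
    }
}

// Wire it up in App\Providers\EventServiceProvider::$listen:
//
//     protected $listen = [
//         \Illuminate\Auth\Events\Failed::class => [
//             \App\Listeners\LogFailedLogin::class,
//         ],
//     ];
```

Many failures for one ip across different email values, or for one email from many addresses, then becomes a query over the log rather than guesswork.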
  • 27. Make Sure Permissions on Filesystem are limited
    ✓ PHP scripts should only be able to write in places where you need to upload files or specifically write files.
    ✓ These places should not be anywhere a PHP script can be executed by the server. Otherwise, it opens the way for an attacker to write a PHP file somewhere and run arbitrary PHP code.
  • 28. Force HTTPS if Your Application is Exchanging Sensitive Information
    ✓ When you deploy your website on HTTP, all the data exchanged, including passwords, is sent in plain text and could easily be stolen by anyone in between during transmission. So, to keep this information safe, always deploy your web applications on HTTPS to safeguard their sensitive information.
    ✓ You could simply set up an SSL certificate on your website with a little assistance from any Laravel developer, who will shift your application from HTTP to HTTPS easily. To protect certain routes, you could use the filter defined below, which will redirect users to a secured route.

        Route::filter('https', function() {
            if ( ! Request::secure()) return Redirect::secure(URI::current());
        });
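In Laravel the practical way to satisfy slide 27 is to write uploads to the local disk (storage/app, outside the public web root) and serve them back through PHP, so nothing a user uploads ever sits where the web server would execute it. This added example (not from the slides) does that; the controller, field and route names are assumptions, while validate(), store() and Storage::download() are Laravel's own.

```php
<?php
// Added example: uploads land outside the web root and are served, never executed.
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;

class AttachmentController extends Controller
{
    public function store(Request $request)
    {
        // Restrict type and size before touching the filesystem.
        $request->validate([
            'attachment' => ['required', 'file', 'mimes:pdf,png,jpg', 'max:2048'],
        ]);

        // store() picks a random filename (the client cannot choose "x.php")
        // and writes under storage/app/attachments on the 'local' disk,
        // which is not reachable by URL at all.
        $path = $request->file('attachment')->store('attachments', 'local');

        return response()->json(['path' => $path]);
    }

    public function show(string $path)
    {
        // Authorization for who may fetch this file belongs here.
        abort_unless(Storage::disk('local')->exists($path), 404);

        // Streamed by PHP as a download: the server never interprets the bytes.
        return Storage::disk('local')->download($path);
    }
}
```

The 'public' disk is different: php artisan storage:link exposes it under public/storage, so anything placed there must be safe to fetch directly, and the web server must be configured not to execute scripts from that directory.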
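The Route::filter shown on slide 28 is the Laravel 3/4 API; Laravel 5 and later removed route filters in favour of middleware. This added example (not from the slides) is the same redirect as middleware, with two defender-side additions: it only fires in the production environment, and it sets an HSTS header so browsers stop making the initial plain-HTTP request at all. The class name is an assumption; $request->secure(), redirect()->secure() and URL::forceScheme() are Laravel's own.

```php
<?php
// Added example: force HTTPS as a Laravel 5+ middleware (class name assumed).
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class RedirectIfNotSecure
{
    public function handle(Request $request, Closure $next)
    {
        // Behind a load balancer, secure() only honours X-Forwarded-Proto when
        // the proxy is listed in App\Http\Middleware\TrustProxies; without that
        // every request looks like plain HTTP and this redirect loops forever.
        if (!$request->secure() && app()->environment('production')) {
            return redirect()->secure($request->getRequestUri(), 301);
        }

        $response = $next($request);

        // HSTS: browsers remember to use HTTPS for this host, so a user typing
        // the bare hostname no longer sends one unprotected request first.
        $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');

        return $response;
    }
}

// Register the class in the $middleware array of app/Http/Kernel.php so it
// covers every route, and make generated links https as well by adding to
// App\Providers\AppServiceProvider::boot():
//
//     \Illuminate\Support\Facades\URL::forceScheme('https');
```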