How your Laravel application can get hacked, and how to prevent that from happening by Antti Rössi – Digitalmunition


Published on June 3rd, 2020 | 6609 Views



Europe’s Leading Laravel Conference



47 Responses to How your Laravel application can get hacked, and how to prevent that from happening by Antti Rössi

  1. Thank you very much for this Antti!

  2. Noor Ahmed says:

    So you are actually having fun when we are silenced. "That silence is priceless" and then you clap for yourself... too funny.

  3. Very scary! Worth watching.

  4. Thanks a lot man, I really don't know how to thank Laravel and Laracon, and also you... it's very helpful, keep going, thanks again.

  5. Thanks. Give me the link to the project on Git.

  6. Well, was that saying Laravel isn't so secure? Because in some validation methods we have to run functions like filesize, which you mentioned could trigger some exploits. That means the most low-level functions in PHP are not that secure. Then you say validation is the solution? Well, that looks like a way to just end your presentation, not a real solution. And again, I'm not a Laravel expert, so you might have a point from an expert's view? IDK.

  7. Thank you Antti, very informative talk!

  8. How do I validate phar content inside an image? Should I get the content of the image and replace the data related to the phar content?

  9. Need that explained in slow motion. Also need to go back and check my apps to fix this if needed 😉 Thanks for the homework.

  10. I liked the object injection part.

  11. Well that was a wakeup call! Guess I should do a security check of all my applications now

  12. Very informative, thank you.

  13. Holy crap, that was so interesting to watch, amazing talk!

  14. wow. this is an amazingly done wakeup video.

  15. Holy shit... this guy is amazing... and on the other hand I have some applications to check now, lol.

  16. How to protect against the phar attack?

  17. Real Finnish Jedi showing the way to the Dark Side.

  18. Britt B says:

    It really kills me just how often I see these kinds of vulnerabilities in projects I've inherited.
    One of the very first things I was ever taught about programming was "input is evil." And I was taught that again and again and again across maybe half the classes I took. So, I have to wonder if this is a symptom of "self-taught" development, or if I just had the good fortune to have professors that were appropriately paranoid.

  19. Great topics to improve our applications!

  20. If you're reading this after seeing the reverse shell, please go and look at your network egress rules. Only allow egress on the ports you need, to the IPs, ranges and protocols you expect to be talking to. Combine that with "Does my application need exec or shell_exec?". If the answer is "no", disable them. If the answer is "yes, but I could do it another way", then do that.

    This guy just showed you how a pen tester/bad actor will pop your box 9/10 times. The steps above will mitigate a lot of what you just saw. As for the image exploit, when you get an image, read it in using the GD library and write it to a new file to strip any "surprises" that might be hiding in there.

    But above all else remember: keep your software up to date, and users are assholes!

  21. Does anyone have a code block example to prevent the phar:// in image upload?
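An added example, not code from the talk, the Laracon page, or the authors of comments 20 and 21, showing the two mitigations comment 20 describes for the image upload (the one comments 8, 16 and 21 ask about): refusing any user-supplied string that could be a stream URL before it reaches a file function, and re-encoding the uploaded bytes through GD so only pixel data is stored. The function names storeAvatar() and avatarPath(), the "public" storage disk with its "avatars" directory, and the 2 MB / 4096 px limits are assumptions for the example.

```php
<?php
// Added example, not code from the talk or from Laravel itself. Assumed names:
// storeAvatar(), avatarPath(), the "public" disk, the "avatars" directory,
// the 2 MB / 4096 px limits.

declare(strict_types=1);

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;

/**
 * Gate 1: a user-supplied file NAME must be a plain relative name.
 * Stream URLs ("phar://avatars/x.jpg", "php://filter/...") contain "://"
 * and traversal contains ".."; neither fits the pattern below. On PHP < 8.0
 * even file_exists()/filesize() on a phar:// URL unserializes the archive's
 * metadata, so this check has to run before any file function sees the string.
 */
function isPlainFileName(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,100}\.(png|jpg|gif)\z/', $name) === 1;
}

/**
 * Gate 2: treat the upload's BYTES as hostile. Sniff the real type, cap the
 * dimensions, decode with GD and write a fresh PNG. Whatever rode in behind
 * the image data (a phar stub and archive, PHP in EXIF or comment chunks) is
 * not part of GD's pixel buffer and does not survive the round trip.
 * $tmpPath is the temp file PHP itself created for the upload, never a
 * client-controlled string.
 */
function reencodeImage(string $tmpPath, int $maxBytes = 2 * 1024 * 1024, int $maxDim = 4096): ?string
{
    // Read at most maxBytes+1 so an oversized file is detected without loading all of it.
    $raw = @file_get_contents($tmpPath, false, null, 0, $maxBytes + 1);
    if ($raw === false || $raw === '' || strlen($raw) > $maxBytes) {
        return null;                                   // missing, empty or oversized
    }

    // Client-declared MIME type and extension are ignored; sniff the content.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($raw);
    if (!in_array($mime, ['image/png', 'image/jpeg', 'image/gif'], true)) {
        return null;
    }

    // Header-only size check before the (expensive) full decode: a cheap
    // guard against decompression bombs.
    $info = @getimagesizefromstring($raw);
    if ($info === false || $info[0] < 1 || $info[1] < 1
        || $info[0] > $maxDim || $info[1] > $maxDim) {
        return null;
    }

    $img = @imagecreatefromstring($raw);               // full decode into a GD canvas
    if ($img === false) {
        return null;
    }

    ob_start();
    $ok = imagepng($img, null, 6);                     // always emit PNG, never the original bytes
    $clean = ob_get_clean();
    imagedestroy($img);

    return ($ok && $clean !== false && $clean !== '') ? $clean : null;
}

/**
 * Upload handler (assumed Laravel controller action). The validator is a
 * first filter, but Laravel's "image" rule accepts a file on its guessed
 * MIME type and does not rewrite the bytes: a valid JPEG with a phar archive
 * appended passes it. The re-encode is what actually strips the payload.
 */
function storeAvatar(Request $request): string
{
    $request->validate(['avatar' => ['required', 'file', 'image', 'max:2048']]); // max is in KB

    $clean = reencodeImage($request->file('avatar')->getRealPath());
    if ($clean === null) {
        abort(422, 'Not an acceptable image');
    }

    // Server-chosen name: the client's original file name never reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.png';
    Storage::disk('public')->put('avatars/' . $name, $clean);
    return $name;
}

/**
 * Read side: resolve a client-supplied avatar name to an absolute path inside
 * the avatars directory, or null. realpath() returns false for stream wrappers
 * and for anything that does not exist; the prefix check catches symlinks that
 * point outside the directory.
 */
function avatarPath(string $requested): ?string
{
    if (!isPlainFileName($requested)) {
        return null;
    }
    $dir  = realpath(storage_path('app/public/avatars'));
    $full = $dir === false ? false : realpath($dir . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || strpos($full, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}
```

The other half of comment 20's advice is a php.ini setting rather than application code: `disable_functions = exec,shell_exec,system,passthru,proc_open,popen` removes the shell primitives an injected object or a malicious scheduler command would reach for. Note also that PHP 8.0 stopped unserializing phar metadata automatically on file operations (it now has to be requested through Phar::getMetadata()), which closes the file_exists()/filesize() trigger but not the need to keep user strings out of file paths.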

  22. Holy shit, I have to go through a lot of code to verify 🙁 but thank you so much for making everyone aware of these threats.
    Loved the thought "Educate other people".

    Thank you so much for such a nice talk and also for educating 🙂 I really appreciate that.

  23. Thank you very much! Learned lots from this video and talk.

  24. All the devs in the audience are like whaaat the hell. They are probably thinking of all the applications they have deployed with these practices and now they want to fix those 🤔 but they don't know which project to start from 😅

  25. I need to watch more videos like this, I just hacked my application in production. I need to fix it up.

  26. It's a lot of homework for millions of developers, lol.

  27. It's just general security things, but customized for Laravel.

  28. Wow man, very informative.

  29. Rod Elias says:

    Awesome talk! Thanks a lot!

  30. A good watch. That's the reason why in any API I build, I wrap everything in validations and checks. All requests, all files; not even so much as a sniff goes by without checking it. But that scheduler command in reverse bash... O_O...

  31. Sam WD says:

    Of course raw is never secure.

  32. Holy fuck, might have to check some stuff…

  33. Sorry for my ignorance, but number 1, the guy just spent half of this video on MySQL injection, which is basic and was fixed a long time ago in any basic MySQL installation, and the other stuff appears to need the person to have shell access. For me, if this is all, it is bullshit. I am tired of people talking about hackers and this stuff, but using things and attacks from years ago...

  34. Being on third-party hosting kinda takes the load off my back and worry, though. But the image trick is really neat, although it requires remote execution privilege on the host, which is disabled in almost all hosting platforms.

  35. Lock this guy in prison..😒

  36. What language is more popular in Netherlands, PHP or Python?

  37. Wow, now I wish I was there in person.

  38. RealFreezd says:

    I love the crowd reaction at 27:27 "I just got root access to your server" Pans camera to crowd fidgeting, scratching head, jaw-dropped, others laughing. 🤣️

  39. The information you have given to protect from hacking is not enough. If someone goes on your advice and gives me the task "let's hack it now", I will hack it in minutes. I am not only the best hacker, I also have a strong and powerful command of programming.
    Every programmer does not know hacking and every hacker does not know how to program, but they just always find weaknesses in the source.
    I am a person who is aware of both.
    Roughly 13 years is my experience in hacking and development.

  40. Sooo $_GET['sort'] is bad... 😝

  41. I really don't get this talk, all the validation and stuff is basics? And I mean, who executes shell code from their web application??? That's like using eval in JS. Never ever seen a use case for things like that.
