
The Many Forms of Missing Authorisation!


Hey there!

It's been a while since I last sent out an email, and even longer since there was an update to Practical Laravel Security. The wait is now over, and I'm really happy to be introducing a new module and kicking off 2024 with a new push to complete the course!

First up, let me introduce the new module:

Missing Authorisation!

The Missing Authorisation module encompasses a number of related vulnerabilities and weaknesses, all geared around the same topic: failing to authorise user actions sufficiently.

Within the theory section, we start by looking into the most obvious example, Insecure Direct Object References (IDOR), both with numeric IDs and with the risks associated with UUIDs. Following on from that, we take a look at incomplete and insecure cryptography - different ways cryptography could be implemented wrong. After that, we head off to find exposed routes, which is a great way to find admin endpoints that should have authorisation checks but don't! 😱 The module finishes by discussing related records and why they are important to consider.

It wouldn't be a PLS Attack module without some challenges, and Missing Authorisation introduces 6 new interactive challenges:

  1. Incremental IDOR!

  2. UUID Leakage!

  3. Incomplete Cryptography!

  4. As Simple As CRUD!

  5. Beware the SPA!

  6. Predictable Hashing!

The last challenge in particular is one I quite enjoyed putting together, but beware: you'll probably need a couple of hints. (There are 5 hints in total!)

If you've already signed up, you can find the new module here.

What's Next?

Up next this week are the Defend modules that go with Missing Authorisation, covering the primary tools you need to resolve Missing Authorisation issues in your apps.

The modules are:

  • Policy Objects

  • Gates

  • Signed URLs

  • HMAC Hashes

I'll let you know when they are live!
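To show what the Policy Objects and Gates modules are for, here is the IDOR case from the theory section as an added example (not code from the course): an invoice lookup with no ownership check beside the policy-backed version. `Invoice`, `InvoicePolicy` and the `user_id` column are assumed names, and the two files are shown in one listing.

```php
<?php
// Added example, not from the course. Assumed: an Invoice model with a
// user_id column, and policy auto-discovery (App\Models\Invoice ->
// App\Policies\InvoicePolicy) or an explicit Gate::policy() registration.
// Two files (the policy and the controller) are shown in one listing.

namespace App\Policies;

use App\Models\Invoice;
use App\Models\User;

class InvoicePolicy
{
    // The single place ownership is decided: only the invoice's owner may view it.
    public function view(User $user, Invoice $invoice): bool
    {
        return $user->id === $invoice->user_id;
    }
}

namespace App\Http\Controllers;

use App\Models\Invoice;
use Illuminate\Support\Facades\Gate;

class InvoiceController extends Controller
{
    // IDOR-prone: the record is fetched purely by the ID in the URL, so any
    // logged-in user who edits /invoices/41 to /invoices/42 sees someone
    // else's invoice. Swapping integer IDs for UUIDs does not fix this; it
    // only makes IDs harder to guess, and leaked UUIDs work just as well.
    public function showInsecure(int $id)
    {
        $invoice = Invoice::findOrFail($id);

        return view('invoices.show', ['invoice' => $invoice]);
    }

    // Fixed: route model binding loads the record, and Gate::authorize()
    // consults InvoicePolicy::view(). When the policy returns false an
    // AuthorizationException is thrown and Laravel responds with 403.
    public function show(Invoice $invoice)
    {
        Gate::authorize('view', $invoice);

        return view('invoices.show', ['invoice' => $invoice]);
    }
}
```

The same `Gate::authorize('update', $invoice)` call, backed by an `update` method on the policy, is what keeps the edit and delete actions from being the "As Simple As CRUD" case.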

Following on, we'll turn back to another Attack module. I'm not sure what module it will be yet - if you have any requests, let me know!

Haven't Signed Up Yet?

Practical Laravel Security is currently in Early-Access while I build out the modules, which means it's on sale for significantly less than the full price when it's completed. This means that now is the perfect time to sign up!

If you sign up for the Early-Access right now, you'll get:

  1. The discounted price.

  2. Access to the 4x Attack and 6x Defend modules, with immediate access to all new modules as they are released.

  3. Access to the 24x interactive hacking challenges.

  4. Access to the exclusive Discord server - where you can ask any security questions, or chat about security topics. (We've had some really good discussions in there already.)

Have I convinced you yet?

Sign Up!

There are also Team Licenses available, if you'd like to get your whole team into the course. Reach out directly for more details - or pass this email on to your team leader and poke them until they sign you up! 😉

Finally, thanks for your interest in Practical Laravel Security! I'm really excited by the course and where it's going, and it's great to have you along with me.

I hope you have a great week!

Thanks,
Stephen