Stephen Rees-Carter
@valorin.bsky.social
Friendly Hacker, Speaker, and PHP & Laravel Security Specialist.🕵️
I write securinglaravel.com and hack stuff on stage for fun. 😈
I'm found elsewhere too: https://pinkary.com/@valorin 🪄
Would I do something like that?
September 25, 2025 at 4:09 AM
I normally love light mode, but there is something about Nightwatch in dark mode that just works for me... 🤷
Pretty sure I've got only three dark mode apps now: Terminal, PhpStorm, and Nightwatch.
August 10, 2025 at 12:49 AM
As requested, I'm working on it... 🤓
July 28, 2025 at 4:57 AM
Off to a good start this week: I thought @dyrynda.au was supposed to be in the air already, but I got my timing slightly wrong... 🤦
Still, it's not all bad, now he'll spend his entire 15 hour flight wondering what I'm up to. 😈
July 28, 2025 at 12:47 AM
One week in, I finally found a juicy one! 😈
Boom! SVG XSS FTW!! 🎉
The best bit? When I told my client, they were shocked as they said they'd already checked for this.
SVGs are HTML - don't blindly trust them when they come from user input.
July 21, 2025 at 9:09 PM
It'll be pretty obvious in my case too, AWS send me $0 bills every month. No idea why, because I don't actually use any AWS services. 🤣
July 17, 2025 at 7:21 AM
Identifying email billing scams is such a hard problem that AWS has decided to change their billing emails domain from the clearly very confusing and hard to identify "email.amazon.com" to the totally simple and not-suspicious-in-any-way "tax-and-invoicing.us-east-1.amazonaws.com".
WTF AWS??!! 🤦
July 17, 2025 at 12:43 AM
Brisbane Winter. 😎
July 12, 2025 at 3:18 AM
June 30, 2025 at 12:40 AM
Found a nice spot to work on Part 2 of my Deep Dive into the Laravel Starter Kits - hopefully tackling all three: Volt, Vue, and React! 🤞
I wasn't a fan of the Livewire with Blade kit, so I'm curious to see how these go... 🧐
If you missed part 1: securinglaravel.com/in-depth-a-d...
June 18, 2025 at 11:09 AM
It's comments like these that make all the work I put into my big articles like securinglaravel.com/in-depth-a-d... so worth it! 🥰
May 21, 2025 at 1:02 AM
w00t! Securing Laravel has hit 4,000 subscribers! 🎉
Thanks for all the support over the last 4 years, you give me the momentum to keep writing each week.
To celebrate, I've hidden a suitable premium subscription discount somewhere on the site... see if you can find it. 😈
May 13, 2025 at 11:05 AM
I'm totally not begging for subscribers, but I just need 20 more to hit 4k. 🥺 🙏 😇
securinglaravel.com
April 25, 2025 at 12:37 AM
I love seeing even one 👍 show up after sending out an in-depth article on Securing Laravel. 🥰
It means someone cared enough to read through the whole article, get to the very bottom, find the ratings "👍👎💬" buttons and click the little 👍. Makes the time spent so worth it.
April 15, 2025 at 12:12 PM
Since my security review of the Laravel Starter Kits has stalled for <reasons>, I've embarked on a new In Depth article.
👉 In Depth: What Actually Is MFA? 👈
What do you folks wanna know?
I'll try and answer as many questions in the article.
April 8, 2025 at 10:09 AM
Proud pentester moment:
One of my clients just hit me with a @thinkstcanary.canary.tools Canary Token! 🤩 🐷🔑
April 2, 2025 at 8:46 AM
This is gonna be a fun one! 🤓
If you have any security questions about the new Laravel Starter Kits, let me know and I'll try to fit it in!
March 18, 2025 at 8:57 AM
Delivering XSS payloads via User Agent strings. 😈
February 20, 2025 at 1:21 AM
Ok #Laravel folks, without looking anything up, what do you think this code does?
Broadcast::channel('users.{id}', function (User $user, $id) {
return (bool) $user->id == $id;
});
February 14, 2025 at 12:13 AM
There is something disturbing about AI options in Microsoft Notepad... but also kinda fun. 🤣
February 12, 2025 at 1:53 AM
Love to see these numbers each morning, and getting very close to 4,000 subscribers! 🎉
February 3, 2025 at 12:17 AM
Well this is a new one... What's going on here? 🧐
There are a few different aspects to this one, they definitely get points for creativity. 🤣
January 29, 2025 at 8:10 PM
I may or may not be trolling... 😇
(But seriously, this probably wouldn't have happened in MySQL...)
January 6, 2025 at 12:00 PM
Yikes, top 0.01% for @bearmccreary.bsky.social!
I guess I do listen to that soundtrack pretty constantly...
December 5, 2024 at 2:04 AM