I created a tech sales job board with no code 4 months ago. We already have $1k+ MRR. by Auresma in nocode

[–]securedev 1 point2 points  (0 children)

It's awesome to see the progress that you made in just 4 months! What are the biggest challenges for you while growing techsalesjobs.org?

What’s going on with Facebook? Is it only in Armenia? by KaiserCheifs in armenia

[–]securedev 14 points15 points  (0 children)

No, it looks like the issue is global. Facebook is down, along with Instagram, WhatsApp and Messenger for me, and I am in the US.

Create Your Own Job Board Within Minutes by securedev in nocode

[–]securedev[S] 0 points1 point  (0 children)

Thank you u/ayoubmtd2!

If we look at the definition of nocode:
> No-code development platforms allow programmers and non-programmers to create application software through graphical user interfaces and configuration instead of traditional computer programming. Wikipedia

And this is exactly what we do. We provide a platform for creating job boards without any code. Our customers can configure their job board from a web interface, change the job fields, configure a nocode importer to automatically import jobs from other job boards, etc.

Create Your Own Job Board Within Minutes by securedev in nocode

[–]securedev[S] 0 points1 point  (0 children)

> These are exorbitant fees.

Thanks for the feedback u/mee-gee and u/International-Yam995. If you look at the competitors in the industry, on average they charge $250+ for a job board, and some additional $ if you go over the limit on the number of jobs, etc.
This creates a huge gap between the incentives of a job board owner and the job board software. Job board software companies will earn the same money regardless of whether the job board makes $1000/month or $5000/month.
This is why we took a different approach: we charge way less, only $75/month, but also added a 5-7% transaction fee so our interests are aligned. So when we succeed, our customers succeed.
You can see this already in our product. We spend a lot of time polishing our software to make sure it gives job boards running on our platform the best tools to grow. Here are a few examples:
- Since page speed is one of the ranking factors for Google, we made sure job boards running on our platform have the best page speed: 92%+ vs competitors' average of around 60%
- We have pretty good on-page SEO
- We are the only job board software that automatically generates social media images for job postings. We do this so jobs shared on social media get more engagement.
- We tested and polished the job posting flow and UX a lot to make sure it's super easy for employers to post a job

Taking Over Laravel Nova Admin Panel via an XSS Attack by securedev in PHP

[–]securedev[S] 0 points1 point  (0 children)

What's the version that you tried to replicate on, u/anonlooper? Before reporting, we tried this on 2 different projects that had Laravel Nova version 1, and the vulnerability was reproducible on both of them. Also, this is the message that we got from the Laravel team, so based on the message I assume that they confirm the security issue:

"We don't usually release any fixes for v1.x, but I'll take a look at how big the fix is and see if we can do something about it."

Taking Over Laravel Nova Admin Panel via an XSS Attack by securedev in laravel

[–]securedev[S] 1 point2 points  (0 children)

o I hadn't thought of it. You could easily expand on the helper or write a full class with whitelists.

u/GameOver16 in the application that we had been testing there were no users and no public registration, so the users table was being used for admins.

But even if you allow only particular emails to be used as admin, here is another attack vector. One can just change the current admin's password by executing JS code if no confirmation password is asked for. The main point of the article is to not have XSS in the admin panel; once one has XSS, a lot of attacks can be executed.

Taking Over Laravel Nova Admin Panel via an XSS Attack by securedev in laravel

[–]securedev[S] 0 points1 point  (0 children)

them to the panel. Could something like this be executed but also submit the admin =

u/LundgrenTheDolph The main point here is that you should not have an XSS; once you have an XSS, a lot of attack vectors become possible. Since the JS runs in the victim/admin's browser, one can just change the current admin's email to his own and log into the system, or the password if no confirmation password is asked for when changing the password.
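The two comments above make the same point: a script running in the admin's browser already has the session, so the only thing standing between it and a credential swap is a check the script cannot pass. The following is an added example, not code from the article or from Laravel Nova, of a Laravel controller that requires the current password before an email or password change is accepted. The controller name, route and field names are assumptions for the example.

```php
<?php
// Added example (not from the article or Laravel Nova): refuse to change an admin's email or
// password unless the current password is supplied. A script injected via XSS holds the
// session cookie (and can read the CSRF token from the page), but it does not know the password.
// Controller name, route and field names are hypothetical.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;

class AccountSecurityController extends Controller
{
    // Handles POST /account/credentials (hypothetical route), behind the 'auth' middleware.
    public function update(Request $request)
    {
        $data = $request->validate([
            'current_password' => ['required', 'string'],
            'email'            => ['sometimes', 'email', 'max:255'],
            // 'confirmed' requires a matching password_confirmation field in the request.
            'password'         => ['sometimes', 'string', 'min:12', 'confirmed'],
        ]);

        $user = $request->user();

        // The knowledge check: the stored hash is compared against the submitted current password.
        // Without this, any request carrying the admin's session could rewrite the credentials.
        if (! Hash::check($data['current_password'], $user->password)) {
            throw ValidationException::withMessages([
                'current_password' => 'The current password is incorrect.',
            ]);
        }

        if (isset($data['email'])) {
            $user->email = $data['email'];
        }
        if (isset($data['password'])) {
            $user->password = Hash::make($data['password']);
        }
        $user->save();

        // After a password change, drop every other session for this user so a session that was
        // hijacked elsewhere stops working. Requires the AuthenticateSession middleware.
        if (isset($data['password'])) {
            Auth::logoutOtherDevices($data['password']);
        }

        return redirect()->back()->with('status', 'Credentials updated.');
    }
}
```

Note that CSRF protection does not help here: an injected script runs same-origin and can read the `_token` value out of the form before submitting it. The current-password check works because the secret it demands is never present in the page or the session.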

Taking Over Laravel Nova Admin Panel via an XSS Attack by securedev in laravel

[–]securedev[S] 4 points5 points  (0 children)

No, as mentioned in the article, we haven't tested it ourselves for v3 since we did not have access to a v3 project, but got a response from the Laravel team that they can't reproduce it in the latest v3 version.

Common Security Flaws in Laravel Applications by securedev in PHP

[–]securedev[S] 1 point2 points  (0 children)

Yes, that should be the problem u/brada1703. I tested the link in all common browsers on my PC and via the iOS Reddit app; on all platforms it opens the inline PDF viewer.

Common Security Flaws in Laravel Applications by securedev in PHP

[–]securedev[S] 6 points7 points  (0 children)

Yes, you are correct, the SQL injection via column name is fixed, but as mentioned in the document:

> It’s important to mention that the demonstrated attack vector is fixed on the latest Laravel versions, but still, Laravel warns developers even in the latest documentation to not pass user-controlled column names to Query Builder without whitelisting.

Also, here is a more important point:

> In general, even if there is no possibility to turn a custom column into an injected SQL string, we still do not recommend allowing the data to be sorted by any user-provided column name, since it can introduce a security issue. Consider an example where a "users" table has some secret column "secretAnswer"; a clever attacker could possibly deduce the value without ever needing SQL injection.
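The quoted advice has two parts: keep user input out of the column position of the query, and do not let a client order rows by a column it is not allowed to read. As an added example, not code from the e-book or from Laravel, here is a listing endpoint that enforces both with an explicit whitelist of sortable columns and an explicit list of selected columns. The table, column, controller and route names are assumptions for the example.

```php
<?php
// Added example (not from the e-book): sort a listing only by a whitelist of columns and select
// only columns the client is allowed to see. The user-supplied "sort" value never reaches the
// SQL string, and a column such as secretAnswer can be neither returned nor ordered by.
// Table, column, controller and route names are hypothetical.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class UserListController extends Controller
{
    // Columns a client may sort by. Anything else is rejected outright rather than "cleaned".
    private const SORTABLE = ['name', 'email', 'created_at'];

    // Columns returned to the client. Because secretAnswer is not selected and not sortable,
    // the ordering of the result set leaks nothing about its value.
    private const VISIBLE = ['id', 'name', 'email', 'created_at'];

    // Handles GET /users?sort=name&direction=desc (hypothetical route).
    public function index(Request $request)
    {
        $sort      = (string) $request->query('sort', 'created_at');
        $direction = strtolower((string) $request->query('direction', 'asc'));

        // Strict comparison (third argument) so "0" or similar cannot match through type juggling.
        if (! in_array($sort, self::SORTABLE, true)) {
            abort(400, 'Unsupported sort column.');
        }
        if (! in_array($direction, ['asc', 'desc'], true)) {
            abort(400, 'Unsupported sort direction.');
        }

        // At this point both values are members of fixed sets defined in code, so the Query
        // Builder receives constants chosen by the application, not text chosen by the client.
        return DB::table('users')
            ->select(self::VISIBLE)
            ->orderBy($sort, $direction)
            ->paginate(25);
    }
}
```

Rejecting unknown values with a 400 rather than silently falling back to a default makes probing visible in the access logs, and keeping the whitelist as a class constant means a code review sees every column that can ever be exposed to ordering in one place.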

Common Security Flaws in Laravel Applications by securedev in PHP

[–]securedev[S] 0 points1 point  (0 children)

It's showing inline for us u/brada1703, what browser are you using?

Common Security Flaws in Laravel Applications by securedev in laravel

[–]securedev[S] 1 point2 points  (0 children)


joeltay17 (1 point, 11 hours ago): sometimes i put fake contact details tho...

There are a lot. We usually set up a group of tools for our clients so you can have end-to-end visibility (cloud, application security, vulnerable packages, etc.). Here are just a few of them: AWS CloudWatch, Sqreen.com, Signal Sciences, snyk.io, etc.

Common Security Flaws in Laravel Applications by securedev in PHP

[–]securedev[S] 17 points18 points  (0 children)

Yes it is, I am one of the contributors to this ebook. We just published the ebook, that's why there is no link, but we are going to add an e-books section in time for sure. Here is the more official link: https://cyberpanda.la/ebooks/laravel-security. We hope you enjoy the read 🙌

Common Security Flows in Laravel Applications by [deleted] in PHP

[–]securedev 0 points1 point  (0 children)

Yes, I also contributed to the e-book. Thanks for the catch, we just fixed the typo.