#php controller
pentesttestingcorp · 13 days ago
Broken Access Control in Symfony: Secure Your Routes
🚨 Broken Access Control in Symfony: How to Spot and Stop It
Broken Access Control is one of the most critical and most exploited vulnerabilities found in web applications today—and Symfony, despite its power and flexibility, is not immune to this security pitfall.
In this blog, we’ll explore how broken access control occurs in Symfony apps, give you practical coding examples, show you how to detect it using our free Website Security Checker tool, and guide you on securing your Symfony project effectively.
Also read more security posts on our main blog at: https://www.pentesttesting.com/blog/
🧨 What is Broken Access Control?
Broken Access Control occurs when users can access resources or perform actions outside their intended permissions. For example, a user accessing an admin dashboard without being an admin.
Symfony applications, if not properly configured, may be prone to:
Privilege Escalation
Insecure Direct Object References (IDOR)
Forced Browsing
🔍 Real-Life Vulnerability Scenario
Consider this route definition in a routes.yaml or annotation-based controller:
    /**
     * @Route("/admin/dashboard", name="admin_dashboard")
     */
    public function adminDashboard()
    {
        // Only admin should access this
        return new Response("Welcome to admin panel");
    }
If no access control is applied, any authenticated (or sometimes even unauthenticated) user can access it by simply visiting /admin/dashboard.
🛠 How to Fix: Use Symfony Access Control
✅ Method 1: Role-Based Access Control via security.yaml
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
This restricts any route starting with /admin to users with the ROLE_ADMIN.
✅ Method 2: Using Annotations
    use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;

    /**
     * @Route("/admin/dashboard", name="admin_dashboard")
     * @IsGranted("ROLE_ADMIN")
     */
    public function adminDashboard()
    {
        return new Response("Welcome to admin panel");
    }
This ensures only admins can access the route, keeping unauthorized users out.
👨‍💻 Vulnerable Code Example: IDOR in Symfony
    /**
     * @Route("/user/{id}", name="user_profile")
     */
    public function viewUser(User $user)
    {
        return $this->render('profile.html.twig', [
            'user' => $user,
        ]);
    }
Anyone could access any user's profile by changing the id in the URL. Dangerous!
✅ Secure Fix:
    public function viewUser(User $user, Security $security)
    {
        if ($security->getUser() !== $user) {
            throw $this->createAccessDeniedException();
        }

        return $this->render('profile.html.twig', [
            'user' => $user,
        ]);
    }
🧪 Test for Broken Access Control
You can easily check your Symfony site for broken access control vulnerabilities using our Website Vulnerability Scanner.
📸 Screenshot of our free tool webpage:
Screenshot of the free tools webpage where you can access security assessment tools.
📸 Screenshot of a vulnerability assessment report (detected broken access control):
An Example of a vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.
Try it now for free 👉 Website Vulnerability Scanner
✅ Best Practices to Prevent Broken Access Control in Symfony
Always Define Roles and Permissions
Use Security Voters for Complex Logic
Don’t Rely on Client-side Role Checks
Implement Logging and Monitoring for Suspicious Access Attempts
Run Regular Security Audits using tools like ours
📚 Final Thoughts
Symfony gives you all the tools to build secure applications—but you need to configure them wisely. Broken access control is easy to introduce but also easy to fix when you know what to look for.
If you haven’t already, scan your site now with our free tool and find hidden access control issues before attackers do.
➡️ Check Now on https://free.pentesttesting.com/ ➡️ More security insights on our blog
1 note · View note
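As an added example (not part of the original post and not its author's code): the ownership check from the IDOR fix above, moved into a Symfony security voter, which the post's best-practices list recommends for complex logic. It assumes Symfony 6 on PHP 8 and an App\Entity\User entity with getId(); the PROFILE_VIEW attribute and the class names are hypothetical.

```php
<?php
// Added example. Assumptions: Symfony 6 on PHP 8, default autowiring and
// autoconfiguration (so the voter is registered automatically), and an
// App\Entity\User entity exposing getId(). PROFILE_VIEW is a made-up attribute.
// Both classes are shown in one file for brevity; in a project each lives in
// its own file under src/.

namespace App\Security {

    use App\Entity\User;
    use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
    use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
    use Symfony\Component\Security\Core\Authorization\Voter\Voter;

    final class ProfileVoter extends Voter
    {
        public const VIEW = 'PROFILE_VIEW';

        public function __construct(
            private AccessDecisionManagerInterface $decisionManager,
        ) {
        }

        // Only vote on PROFILE_VIEW checks whose subject is a User entity;
        // for anything else the voter abstains.
        protected function supports(string $attribute, mixed $subject): bool
        {
            return $attribute === self::VIEW && $subject instanceof User;
        }

        protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
        {
            $current = $token->getUser();

            // Unauthenticated request, or a user object of another type: deny.
            if (!$current instanceof User) {
                return false;
            }

            // Admins may view any profile.
            if ($this->decisionManager->decide($token, ['ROLE_ADMIN'])) {
                return true;
            }

            // Compare identifiers rather than object identity, so the check
            // does not depend on both objects being the same PHP instance.
            // A subject without an id (not yet persisted) is never "owned".
            $subjectId = $subject->getId();

            return $subjectId !== null && $subjectId === $current->getId();
        }
    }
}

namespace App\Controller {

    use App\Entity\User;
    use App\Security\ProfileVoter;
    use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
    use Symfony\Component\HttpFoundation\Response;
    use Symfony\Component\Routing\Annotation\Route;

    final class ProfileController extends AbstractController
    {
        #[Route('/user/{id}', name: 'user_profile')]
        public function viewUser(User $user): Response
        {
            // Throws AccessDeniedException (HTTP 403 for a logged-in user)
            // unless a voter grants PROFILE_VIEW on this specific $user.
            $this->denyAccessUnlessGranted(ProfileVoter::VIEW, $user);

            return $this->render('profile.html.twig', [
                'user' => $user,
            ]);
        }
    }
}
```

Keeping the rule in a voter means every controller, Twig template or service that asks for PROFILE_VIEW gets the same decision, instead of each route repeating its own comparison.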
codingquill · 2 years ago
Essentials You Need to Become a Web Developer
HTML, CSS, and JavaScript Mastery
Text Editor/Integrated Development Environment (IDE): Popular choices include Visual Studio Code, Sublime Text.
Version Control/Git: Platforms like GitHub, GitLab, and Bitbucket allow you to track changes, collaborate with others, and contribute to open-source projects.
Responsive Web Design Skills: Learn CSS frameworks like Bootstrap or Flexbox and master media queries
Understanding of Web Browsers: Familiarize yourself with browser developer tools for debugging and testing your code.
Front-End Frameworks: for example, React, Angular, or Vue.js are powerful tools for building dynamic and interactive web applications.
Back-End Development Skills: Understanding server-side programming languages (e.g., Node.js, Python, Ruby, PHP) and databases (e.g., MySQL, MongoDB)
Web Hosting and Deployment Knowledge: Platforms like Heroku, Vercel, Netlify, or AWS can help simplify this process.
Basic DevOps and CI/CD Understanding
Soft Skills and Problem-Solving: Effective communication, teamwork, and problem-solving skills
Confidence in Yourself: Confidence is a powerful asset. Believe in your abilities, and don't be afraid to take on challenging projects. The more you trust yourself, the more you'll be able to tackle complex coding tasks and overcome obstacles with determination.
2K notes · View notes
mostlysignssomeportents · 1 year ago
Lies, damned lies, and Uber
I'm on tour with my new, nationally bestselling novel The Bezzle! Catch me TONIGHT in PHOENIX (Changing Hands, Feb 29) then Tucson (Mar 10-11), San Francisco (Mar 13), and more!
Uber lies about everything, especially money. Oh, and labour. Especially labour. And geometry. Especially geometry! But especially especially money. They constantly lie about money.
Uber are virtuosos of mendacity, but in Toronto, the company has attained a heretofore unseen hat-trick: they told a single lie that is dramatically, materially untruthful about money, labour and geometry! It's an achievement for the ages.
Here's how they did it.
For several decades, Toronto has been clobbered by the misrule of a series of far-right, clownish mayors. This was the result of former Ontario Premier Mike Harris's great gerrymander of 1998, when the city of Toronto was amalgamated with its car-dependent suburbs. This set the tone for the next quarter-century, as these outlying regions – utterly dependent on Toronto for core economic activity and massive subsidies to pay the unsustainable utility and infrastructure bills for sprawling neighborhoods of single-family homes – proceeded to gut the city they relied on.
These "conservative" mayors – the philanderer, the crackhead, the sexual predator – turned the city into a corporate playground, swapping public housing and rent controls for out-of-control real-estate speculation and trading out some of the world's best transit for total car-dependency. As part of that decay, the city rolled out the red carpet for Uber, allowing the company to put as many unlicensed taxis as they wanted on the city's streets.
Now, it's hard to overstate the dire traffic situation in Toronto. Years of neglect and underinvestment in both the roads and the transit system have left both in a state of near collapse and it's not uncommon for multiple, consecutive main arteries to shut down without notice for weeks, months, or, in a few cases, years. The proliferation of Ubers on the road – driven by desperate people trying to survive the city's cost-of-living catastrophe – has only exacerbated this problem.
Uber, of course, would dispute this. The company insists – despite all common sense and peer-reviewed research – that adding more cars to the streets alleviates traffic. This is easily disproved: there just isn't any way to swap buses, streetcars, and subways for cars. The road space needed for all those single-occupancy cars pushes everything further apart, which means we need more cars, which means more roads, which means more distance between things, and so on.
It is an undeniable fact that geometry hates cars. But geometry loathes Uber. Because Ubers have all the problems of single-occupancy vehicles, and then they have the separate problem that they just end up circling idly around the city's streets, waiting for a rider. The more Ubers there are on the road, the longer each car ends up waiting for a passenger:
https://www.sfgate.com/technology/article/Uber-Lyft-San-Francisco-pros-cons-ride-hailing-13841277.php
Anything that can't go on forever eventually stops. After years of bumbling-to-sinister municipal rule, Toronto finally reclaimed its political power and voted in a new mayor, Olivia Chow, a progressive of long tenure and great standing (I used to ring doorbells for her when she was campaigning for her city council seat). Mayor Chow announced that she was going to reclaim the city's prerogative to limit the number of Ubers on the road, ending the period of Uber's "self-regulation."
Uber, naturally, lost its shit. The company claims to be more than a (geometrically impossible) provider of convenient transportation for Torontonians, but also a provider of good jobs for working people. And to prove it, the company has promised to pay its drivers "120% of minimum wage." As I write for Ricochet, that's a whopper, even by Uber's standards:
https://ricochet.media/en/4039/uber-is-lying-again-the-company-has-no-intention-of-paying-drivers-a-living-wage
Here's the thing: Uber is only proposing to pay 120% of the minimum wage while drivers have a passenger in the vehicle. And with the number of vehicles Uber wants on the road, most drivers will be earning nothing most of the time. Factor in that unpaid time, as well as expenses for vehicles, and the average Toronto Uber driver stands to make $2.50 per hour (Canadian):
https://ridefair.ca/wp-content/uploads/2024/02/Legislated-Poverty.pdf
Now, Uber's told a lot of lies over the years. Right from the start, the company implicitly lied about what it cost to provide an Uber. For its first 12 years, Uber lost $0.41 on every dollar it brought in, lighting tens of billions in investment capital provided by the Saudi royals on fire in an effort to bankrupt rival transportation firms and disinvestment in municipal transit.
Uber then lied to retail investors about the business-case for buying its stock so that the House of Saud and other early investors could unload their stock. Uber claimed that they were on the verge of producing a self-driving car that would allow them to get rid of drivers, zero out their wage bill, and finally turn a profit. The company spent $2.5b on this, making it the most expensive Big Store in the history of cons:
https://www.theinformation.com/articles/infighting-busywork-missed-warnings-how-uber-wasted-2-5-billion-on-self-driving-cars
After years, Uber produced a "self-driving car" that could travel one half of one American mile before experiencing a potentially lethal collision. Uber quietly paid another company $400m to take this disaster off its hands:
https://www.economist.com/business/2020/12/10/why-is-uber-selling-its-autonomous-vehicle-division
The self-driving car lie was tied up in another lie – that somehow, automation could triumph over geometry. Robocabs, we were told, would travel in formations so tight that they would finally end the Red Queen's Race of more cars – more roads – more distance – more cars. That lie wormed its way into the company's IPO prospectus, which promised retail investors that profitability lay in replacing every journey – by car, cab, bike, bus, tram or train – with an Uber ride:
https://www.reuters.com/article/idUSKCN1RN2SK/
The company has been bleeding out money ever since – though you wouldn't know it by looking at its investor disclosures. Every quarter, Uber trumpets that it has finally become profitable, and every quarter, Hubert Horan dissects its balance sheets to find the accounting trick the company thought of this time. There was one quarter where Uber declared profitability by marking up the value of stock it held in Uber-like companies in other countries.
How did it get this stock? Well, Uber tried to run a business in those countries and it was such a total disaster that they had to flee the country, selling their business to a failing domestic competitor in exchange for stock in its collapsing business. Naturally, there's no market for this stock, which, in Uber-land, means you can assign any value you want to it. So that one quarter, Uber just asserted that the stock had shot up in value and voila, profit!
https://www.nakedcapitalism.com/2022/02/hubert-horan-can-uber-ever-deliver-part-twenty-nine-despite-massive-price-increases-uber-losses-top-31-billion.html
But all of those lies are as nothing to the whopper that Uber is trying to sell to Torontonians by blanketing the city in ads: the lie that by paying drivers $2.50/hour to fill the streets with more single-occupancy cars, they will turn a profit, reduce the city's traffic, and provide good jobs. Uber says it can vanquish geometry, economics and working poverty with the awesome power of narrative.
In other words, it's taking Toronto for a bunch of suckers.
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
https://pluralistic.net/2024/02/29/geometry-hates-uber/#toronto-the-gullible
Image: Rob Sinclair (modified) https://commons.wikimedia.org/wiki/File:Night_skyline_of_Toronto_May_2009.jpg
CC BY 2.0 https://creativecommons.org/licenses/by-sa/2.0/deed.en
906 notes · View notes
komaedalovemail · 6 months ago
komaedas have you tried straw.page?
(i hope you don't mind if i make a big ollllle webdev post off this!)
i have never tried straw.page but it looks similar to carrd and other WYSIWYG editors (which is unappealing to me, since i know html/css/js and want full control of the code. and can't hide secrets in code comments.....)
my 2 cents as a web designer is if you're looking to learn web design or host long-term web projects, WYSIWYG editors suck doodooass. you don't learn the basics of coding, someone else does it for you! however, if you're just looking to quickly host images, links to your other social medias, write text entries/blogposts, WYSIWYG can be nice.
toyhouse, tumblr, deviantart, a lot of sites implement WYSIWYG for their post editors as well, but then you can run into issues relying on their main site features for things like the search system, user profiles, comments, etc. but it can be nice to just login to your account and host your information in one place, especially on a platform that's geared towards that specific type of information. (toyhouse is a better example of this, since you have a lot of control of how your profile/character pages look, even without a premium account) carrd can be nice if you just want to say "here's where to find me on other sites," for example. but sometimes you want a full website!
---------------------------------------
neocities hosting
currently, i host my website on neocities, but i would say the web2.0sphere has sucked some doodooass right now and i'm fiending for something better than it. it's a static web host, e.g. you can upload text, image, audio, and client-side (mostly javascript and css) files, and html pages. for the past few years, neocities' servers have gotten slower and slower and had total blackouts with no notices about why it's happening... and i'm realizing they host a lot of crypto sites that have crypto miners that eat up a ton of server resources. i don't think they're doing anything to limit bot or crypto mining activity and regular users are taking a hit.
Tumblr media Tumblr media Tumblr media
↑ page 1 on neocities' most viewed sites we find this site. this site has a crypto miner on it, just so i'm not making up claims without proof here. there is also a very populated #crypto tag on neocities (has porn in it tho so be warned...).
---------------------------------------
dynamic/server-side web hosting
$5/mo for neocities premium seems cheap until you realize... The Beautiful World of Server-side Web Hosting!
client-side AKA static web hosting (neocities, geocities) means you can upload images, audio, video, and other files that do not interact with the server where the website is hosted, like html, css, and javascript. the user reading your webpage does not send any information to the server like a username, password, their favourite colour, etc. - any variables handled by scripts like javascript will be forgotten when the page is reloaded, since there's no way to save it to the web server. server-side AKA dynamic web hosting can utilize any script like php, ruby, python, or perl, and has an SQL database to store variables like the aforementioned that would have previously had nowhere to be stored.
there are many places in 2024 you can host a website for free, including: infinityfree (i use this for my test websites :B has tons of subdomains to choose from) [unlimited sites, 5gb/unlimited storage], googiehost [1 site, 1gb/1mb storage], freehostia [5 sites/1 database, 250mb storage], freehosting [1 site, 10gb/unlimited storage]
if you want more features like extra websites, more storage, a dedicated e-mail, PHP configuration, etc, you can look into paying a lil shmoney for web hosting: there's hostinger (this is my promocode so i get. shmoney. if you. um. 🗿🗿🗿) [$2.40-3.99+/mo, 100 sites/300 databases, 100gb storage, 25k visits/mo], a2hosting [$1.75-12.99+/mo, 1 site/5 databases, 10gb/1gb storage], and cloudways [$10-11+/mo, 25gb/1gb]. i'm seeing people say to stay away from godaddy and hostgator. before you purchase a plan, look up coupons, too! (i usually renew my plan ahead of time when hostinger runs good sales/coupons LOL)
here's a big webhost comparison chart from r/HostingHostel circa jan 2024.
Tumblr media
---------------------------------------
domain names
most of the free website hosts will give you a subdomain like yoursite.has-a-cool-website-69.org, and usually paid hosts expect you to bring your own domain name. i got my domain on namecheap (enticing registration prices, mid renewal prices), there's also porkbun, cloudflare, namesilo, and amazon route 53. don't use godaddy or squarespace. make sure you double check the promo price vs. the actual renewal price and don't get charged $120/mo when you thought it was $4/mo during a promo, certain TLDs (endings like .com, .org, .cool, etc) cost more and have a base price (.car costs $2,300?!?). look up coupons before you purchase these as well!
namecheap and porkbun offer something called "handshake domains," DO NOT BUY THESE. 🤣🤣🤣 they're usually cheaper and offer more appealing, hyper-specific endings like .iloveu, .8888, .catgirl, .dookie, .gethigh, .♥, .❣, and .✟. I WISH WE COULD HAVE THEM but they're literally unusable. in order to access a page using a handshake domain, you need to download a handshake resolver. every time the user connects to the site, they have to provide proof of work. aside from it being incredibly wasteful, you LITERALLY cannot just type in the URL and go to your own website, you need to download a handshake resolver, meaning everyday internet users cannot access your site.
---------------------------------------
hosting a static site on a dynamic webhost
you can host a static (html/css/js only) website on a dynamic web server without having to learn PHP and SQL! if you're coming from somewhere like neocities, the only thing you need to do is configure your website's properties. your hosting service will probably have tutorials to follow for this, and possibly already did some steps for you. you need to point the nameserver to your domain, install an SSL certificate, and connect to your site using FTP for future uploads. FTP is a faster, alternative way to upload files to your website instead of your webhost's file upload system; programs like WinSCP or FileZilla can upload using FTP for you.
if you wanna learn PHP and SQL and really get into webdev, i wrote a forum post at Mysidia Adoptables here, tho it's sort of geared at the mysidia script library itself (Mysidia Adoptables is a free virtual pet site script, tiny community. go check it out!)
---------------------------------------
file storage & backups
a problem i have run into a lot in my past like, 20 years of internet usage (/OLD) is that a site that is free, has a small community, and maybe sounds too good/cheap to be true, has a higher chance of going under. sometimes this happens to bigger sites like tinypic, photobucket, and imageshack, but for every site like that, there's like a million of baby sites that died with people's files. host your files/websites on a well-known site, or at least back it up and expect it to go under!
i used to host my images on something called "imgjoe" during the tinypic/imageshack era, it lasted about 3 years, and i lost everything hosted on there. more recently, komaedalovemail had its webpages hosted here on tumblr, and tumblr changed its UI so custom pages don't allow javascript, which prevented any new pages from being edited/added. another test site i made a couple years ago on hostinger's site called 000webhost went under/became a part of hostinger's paid-only plans, so i had to look very quickly for a new host or i'd lose my test site.
if you're broke like me, looking into physical file storage can be expensive. anything related to computers has gone through baaaaad inflation due to crypto, which again, I Freaquing Hate, and is killing mother nature. STOP MINING CRYPTO this is gonna be you in 1 year
Tumblr media
...um i digress. ANYWAYS, you can archive your websites, which'll save your static assets on The Internet Archive (which could use your lovely donations right now btw), and/or archive.today (also taking donations). having a webhost service with lots of storage and automatic backups can be nice if you're worried about file loss or corruption, or just don't have enough storage on your computer at home!
if you're buying physical storage, be it hard drive, solid state drive, USB stick, whatever... get an actual brand like Western Digital or Seagate and don't fall for those cheap ones on Amazon that claim to have 8,000GB for $40 or you're going to spend 13 days in windows command prompt trying to repair the disk and thenthe power is gong to go out in your shit ass neighvborhood and you have to run it tagain and then Windows 10 tryes to update and itresets the /chkdsk agin while you're awayfrom town nad you're goig to start crytypting and kts just hnot going tot br the same aever agai nikt jus not ggiog to be the saeme
---------------------------------------
further webhosting options
there are other Advanced options when it comes to web hosting. for example, you can physically own and run your own webserver, e.g. with a computer or a raspberry pi. r/selfhosted might be a good place if you're looking into that!
if you know or are learning PHP, SQL, and other server-side languages, you can host a webserver on your computer using something like XAMPP (Apache, MariaDB, PHP, & Perl) with minimal storage space (the latest version takes up a little under 1gb on my computer rn). then, you can test your website without needing an internet connection or worrying about finding a hosting plan that can support your project until you've set everything up!
there's also many PHP frameworks which can be useful for beginners and wizards of the web alike. WordPress is one which you're no doubt familiar with for creating blog posts, and Bluehost is a decent hosting service tailored to WordPress specifically. there's full frameworks like Laravel, CakePHP, and Slim, which will usually handle security, user authentication, web routing, and database interactions that you can build off of. Laravel in particular is noob-friendly imo, and is used by a large populace, and it has many tutorials, example sites built with it, and specific app frameworks.
---------------------------------------
addendum: storing sensitive data
if you decide to host a server-side website, you'll most likely have a login/out functionality (user authentication), and have to store things like usernames, passwords, and e-mails. PLEASE don't launch your website until you're sure your site security is up to snuff!
when trying to check if your data is hackable... It's time to get into the Mind of a Hacker. OWASP has some good cheat sheets that list some of the bigger security concerns and how to mitigate them as a site owner, and you can look up filtered security issues on the Exploit Database.
this is kind of its own topic if you're coding a PHP website from scratch; most frameworks securely store sensitive data for you already. if you're writing your own PHP framework, refer to php.net's security articles and this guide on writing an .htaccess file.
---------------------------------------
but. i be on that phone... :(
ok one thing i see about straw.page that seems nice is that it advertises the ability to make webpages from your phone. WYSIWYG editors in general are more capable of this. i only started looking into this yesterday, but there ARE source code editor apps for mobile devices! if you have a webhosting plan, you can download/upload assets/code from your phone and whatnot and code on the go. i downloaded Runecode for iphone. it might suck ass to keep typing those brackets.... we'll see..... but sometimes you're stuck in the car and you're like damn i wanna code my site GRRRR I WANNA CODE MY SITE!!!
Tumblr media Tumblr media
↑ code written in Runecode, then uploaded to Hostinger. Runecode didn't tell me i forgot a semicolon but Hostinger did... i guess you can code from your webhost's file uploader on mobile but i don't trust them since they tend not to autosave or prompt you before closing, and if the wifi dies idk what happens to your code.
---------------------------------------
ANYWAYS! HAPPY WEBSITE BUILDING~! HOPE THIS HELPS~!~!~!
-Mod 12 @eeyes
190 notes · View notes
artsygirl0315 · 8 months ago
[Took a real long time to finally be posted but here they are..]
NEGATIVE Sector PHP Reference Sheets!
.
.
.
.
Tumblr media Tumblr media Tumblr media Tumblr media Tumblr media
•Much like their positive counterparts, They work as a group but they lack the respect and kindness with each other, which is the distinct opposite to their positive selves.
•They don't have any 'friends' nor allies, Well, except for Relyt and Ebeohp.
•Allem, the 'team leader', forbids them from making any connections without her knowledge but these two go behind her back and make amends with a few individuals, The LTDFCD, especially.
•Relyt and Ebeohp were always seen as the weaker ones so it was easy for them to be underestimated a lot, Sometimes Hiamerej would snitch on them IF he ever catches them in the act.
•Nave and Allem were the tougher ones in the group so they lead the fighting just fine, Hiamerej isn't exactly anything special so he's just the useful sidekick or the human shield, second to Relyt.
•After the events of Operation P.O.O.L., Allem went back into hiding while the rest of the sector were mingling with the new normal without -Numbuh 4's control.
•It was quite concerning because she's always been under Yllaw's command and ever since he's taken away, she doesn't know what to do with herself. But she'll come around, eventually. Just a little push.
★Fun fact; Allem and Ardnassela used to date! Although, broke it off because Allem kept pushing Ardnassela away and ghosted her whenever she's not in DNK missions, At least Allem cared enough that maybe she's hurting her so she was the one who let go.
She didn't like the idea of her finding someone new at first but soon came to accept it. She looked so happy, Who is she to get in the way of that.
(Special thanks and credits to @kandykatz for the ideas of their designs, I loved theirs so much and kept a few things here and there with some slight changes but props to them for the overall idea!! Thank you awesome moot!!💙)
45 notes · View notes
numbuh-72 · 8 months ago
[Package for Sector PHP]
Mourning AU (AU Belongs to @artsygirl0315 )
Tumblr media
"Sector PHP,
I first wanna give all of you my deepest apologies for the trespassing. Please understand that there were no bad or malicious intentions... I only wanted to check up on you guys. Rest assured, I'm safe and ok, I was let out with a warning.
Though... I miss you all very much... It pains me to see you three in the current states you're in. I want to help... In anyway possible. So please... For Tyler if he reads this letter, contact me if.. You ever do... Need my help. I won't hesitate to rush over there and give you all the love and help you need... Even if it costs my own life.
Just, all I ask from you guys for now is to at least... Stay safe and my contact info is always open to you three if anything.
In the meantime, accept these gifts. It's... To hopefully help you three have some sort of closure. It works for me when I lost my brother. I hope this works in your favors too.
Love you all,
Gianna (Numbuh 72) "
Analog:
"I was able to finally build up courage to attempt my visit to Sector PHP recently... But... Sadly didn't go too well. Phoebe wouldn't let me in so I could comfort the Sector... Since they are under Tyler's orders.
So instead... I decided to send Luna and Everest to deliver a present to the graveyard. Hopefully Phoebe would notice it and hand it to Tyler. I need to get to them somehow...
After all, "They" asked me to be there for the team when needed most from our last conversation.
I must do everything to the best of my ability to fulfill their request.
For now once Everest and Luna deliver the present... I can only wait and see if Tyler and the others will ever be ready for my help... And... To prevent Alice from getting to them or me. I can lose control now... Must stand strong for their sakes."
- Numbuh 72, Signing off
29 notes · View notes
onlytiktoks · 6 months ago
Avoid enterprise rent a car
They will have police officers order a warrant on you and have you arrested
https://www.sfchronicle.com/bayarea/justinphillips/article/rental-cars-stolen-justice-california-18523186.php
https://www.8newsnow.com/news/local-news/woman-suing-after-renting-a-car-in-las-vegas-i-would-not-rent-a-car-again-never/
Also, avoid hertz
18 notes · View notes
angelosearch · 4 months ago
Can a blorbo be a transitional object?
I am back on my bullshit with some therapy-related thoughts.
First, definitions.
What is a blorbo?
Since we're on Tumblr, y'all probably know what a blorbo is, but if you somehow don't, it is The Character. The one you obsess over. The one you're constantly spinning around in your brain. Thinking about them can bring you comfort and/or distraction.
Of course, I have a blorbo, which is probably A HUGE SHOCKER given I never talk/write/draw/get a tattoo of him. Nope, couldn't be me. (Yes, I consider Squall my #1 Blorbo)
What is a transitional object?
Transitional objects, or "comfort objects," are (usually) physical objects that a child will use to feel comfort when separated from a caregiver. Think about your baby blanket. Or that one stuffed animal you carried everywhere. That object helps a kid self-soothe and feel in control. These objects are especially helpful around bedtime for helping the child sleep.
Sometimes, kids will personify a transitional object as a way of more safely expressing their own wants/needs/concerns. I have a client who brings her transitional object (Monkey) to session with her, and sometimes we have this friend "participate" in the art directives--that is, the client will do the exercise for Monkey. Monkey's art is usually more revealing than hers.
You can probably already see where I am going with this...
Here's the thought
In my "Human Development" class tonight, we were talking about how transitional objects function in attachment theory, especially in the context of children. When I was a child, my transitional object was the TY Beanie Baby Tiny the Chihuahua. I slept with her every night and carried her everywhere. Having her created a sense of security and comfort. Everyone in class shared our childhood objects, and all of us, one way or another, had moved on from it.
Transitional objects are called that because they help children transition from using mom/caregiver as a "secure base" (if mom/caregiver and child have healthy attachment, child feels more comfortable socializing with strangers or having new experiences while mom/caregiver is present) to using the object as that base. Eventually, we socially develop to not need the "secure base" at all, and so we grow out of needing the thread-bare blanket or the stuffed dragon your uncle gave you.
HOWEVER, many adults continue to have transitional objects to help manage anxiety. In fact, I've been in PHP programs where they are encouraged. I carried around a stone that said "May the Force be with you" on it for a while, which I fidgeted with for grounding and read for encouragement. For some people, their car is that object. Doing some reading, a phone can serve that purpose, even.
As I was doing some (very light) research on the transitional objects of adults, I also noticed that "photographs" and "documents" were mentioned. While these are still physical objects, I imagine the idea of them is more comforting than the actual print or paper. (I would love to know if anyone has thoughts about this from personal experience.) Another thing that interested me was that pets have been characterized as transitional objects within literature. The connection you have with an animal can be comforting in a similar way. Personally, I am not sure how I feel about that (my dog is not an object!), but this implies that transitional objects could have value that transcends their physicality.
That is, if ideas and relationships can be the meaning behind a transitional object, how are blorbos not transitional objects?
What do we do with our blorbos?
We:
Think about them, which provides distraction and comfort
Carry images of them (our blogs, camera rolls, plushies, stickers, even tattoos) because looking at them brings us positive feelings
Make them our secure base--We can potentially feel more comfortable socializing if they are "present" (in the conversation)
Put them in situations! And sometimes these situations reflect things we struggle with ourselves (for me, this was Squall and Laguna's estrangement in Chaos Theory)
And many of us will think about our blorbos in situations before we fall asleep to help us drift off!!!
Personally, if I am emotionally dysregulated, I will often go into my little fanfiction world, and it helps me calm down. I 100% do this before sleep, almost every night. And Squall has served as a secure base for me to explore art/writing, time and time again.
And now thinking back, when I really embraced Squall as my blorbo, the conditions were right to make me seek a transitional object. I was 11 and had just moved 30 minutes away from my childhood home. It was a big change for me, where I lost most of what I knew, including my friends. I felt isolated and insecure in this new unknown place. It was then that I played FFVIII myself and it really helped me adjust to the new environment and feel more stable... because Squall is my transitional object!
Bonus Observation
Where do we talk about our blorbos? This hellsite. What else do we all have on this hellsite? Anxiety (or some form of ND). Honestly, do you know a person with a blorbo who is neurotypical?
I think as adults it is hard to find a physical socially acceptable transitional object--so when we are facing a lot of anxiety, we use media as an in-our-pocket source of comfort.
Conclusion
I think a blorbo can and does serve many of the functions of a transitional object, especially in terms of self-soothing. A blorbo, just like a transitional object, provides a secure base for exploration, emotional regulation, and comfort enough to induce sleep.
My planned thesis for my graduate program capstone is all about how obsessing over a piece of media can be a pathway for healing (that's not exactly the thesis, just shorthand), and this is just another lens to understand the person-media relationship through.
I am curious to know if this resonates or if I am just extra weird. I am making a lot of assumptions above about what is "normal" for a fandom person on Tumblr. If I was to really look into this, I'd have to conduct interviews to see how other people use/see their blorbos.
I have a lot more research to do about attachment theory and transitional objects. There may be a concept that means a "transitional idea" as opposed to a physical object. I am also curious what this means in the context of hyperfixation.
Whether or not a blorbo is generally a transitional object for us fandom people, Squall is absolutely a transitional object for me.
(I have been so stressed about this class and I have a free hour and what do I do? I write an essay about developmental psychology anyway... smh.)
7 notes · View notes
knightinkosherarmour · 5 months ago
Text
Post Human Studies: The Unreal State
This week, students, we return to the concept of Post Human Polities - PHP - as opposed to Post Human Species - PHS - as established in our previous lecture on the Progress Cult. As loath as I am to bring up the maniacs behind the Progress Cult, if you can all forgive my editorializing, today's lecture deals with one of their successor PHPs, the Unreal State. The Unreal State most likely has deep ties to the social thought behind the Progress Cult, which was Anarchoacademic Liberism.
For reasons you will come to understand, I hope, most of today's statements regarding the Unreal State must be couched in uncertainties. First, however, let us discuss and attempt, if not to define, then to circle a definition for Anarchoacademic Liberism. Anarchoacademic Liberism is an attempt at a revival of old Earthen ideologies of futurism and anarchism as understood by the Provost Major of the Progress Cult. To his understanding, anarchism was simply abolishing any and all social taboos and understandings as well as abolition of most state functions, and futurism was putting ultimate faith in any and all new emergent technologies regardless of the ethics behind them. As a student of Earthen and Human philosophies and ideologies, I must question where the Provost Major gained his understanding. The Provost Major thusly structured what remained of the Progress Cult's state apparatus after various academic institutions, supposing they would be best at encouraging the acquisition of information.
After the Applied Military Theories and the dissolution of the Progress Cult's holdings following the Provost Major's death, one of the break away polities was the Unreal State. The Unreal State was like many other successors to the Progress Cult, charismatic leaders putting their own spin on Anarchoacademic Liberism. However, the Unreal State took it one step forward, and began an assault against the very fundamental laws of reality.
This is now where things will have to enter supposition. Everything after this is conjecture. There are three possibilities to what the current Unreal State is.
The first is this, there is a pocket of space in what was once a Progress Cult controlled system once was. The Unreal State as much as it exists exists there, in space that no longer follows the same rules, if any, as the rest of reality if the space follows any rules at all. The Unreal State has managed to create a rupture in reality that in a system whose name can no longer be recorded on any form of media, believe me experts in the field of memetic hazardous storage have tried. Now that we have established that Unreal State now lies entirely within this rupture and potentially other ruptures comes the questions of those people who claim to be from the Unreal State. Those individuals we met claiming to be Citizens of the Land That Isn't and are displaying high levels of universal dissociation are from this Unreality and seek to spread its dissolution of reality with a fever that rivals adherents of the Green Orthodox Bible. Attempts to enter these gaping holes in reality, which now include what once was Mercury of the Sol System, more or less than resounding failures with to this dates no contact being able to be established or return trips emerging.
The second is this there is a pocket of space in what was once a Progress Cult controlled system once was. The second possible explanation is that these ruptures in space time are actually more akin wormholes, portals to a place we do not yet understand where only those who have spent long periods exposed to the Unreal State can survive, or those become citizens there. We have heard reports from surviving Citizens that have return that the state is engaged now and not just the war against the very fabric of reality but against those that maintain it and those beyond the veil. They claim knowledge of Cthulhiods, named after the Old Earthen Occultist’s Erotic Creation’s writing, and other creatures of the firmament such as Angels of Vangel. These citizens that they alone of humanity take the war for liberation to new fronts, they fulfill the work in words promised by humanity for years before. Whoever is part of this work they have emerged to changed, part of the universal disassociation is that in parlance some of you might laugh at they seem to clip through objects that were steady as possible they no longer react in the right ways on a physiochemical level to external interactions. Most worrisome part of this is that this does not seem to be isolated and is capable of spreading it is how Mercury once a famed center of medical research was dissolved and in the place where it once rotated now is a gaping Mall visible through the solar system at all times. It has made Earth's first colony Venus, turn itself into a fortificated world and reinforce the paranoia in isolation of the Martian gardeners. That of the four cradle worlds of mankind, on has been lost already, is a portent of doom.
The third is this there is a pocket of space in what was once a Progress Cult controlled system once was. This one is the most comforting one to me, all individuals claiming to be from the Unreal State are charlatans and delusional. The Unreal State does not in any form exist and it is merely a galactic Boogeyman. That all previous suppositions can be simply explained away through a clever trick of the hand and a heavy heavy dose of ignorance. This however is the least likely.
The one confirmed fragment I have found consistent is this.
"In the Unreal State, the whole of the law is this: There shall be no Law, neither against murder nor that yoke of gravity, and to oppose all other laws shall be your duty."
Even speaking of the Unreal State is fraught with the fact that almost nothing is confirmed; there are many suppositions, many ideas of things that could be known, but in the end what is confirmed is little more than dust in the wind. I hope against hope to whatever deities that there truly are, if they are benevolent in this world, that the Unreal State is simply a fiction of already unstable cultists. For to consider any more of what its potential truths imply makes me jealous of those with cybernetic implants who may cleanse their mind.
Now students, if any of you here are truly real or here, the lecture is over. Class dismissed. I hope to see you in some form again soon. I need a drink of coffee. Is this still recording?
5 notes · View notes
pentesttestingcorp · 3 months ago
Text
Prevent HTTP Parameter Pollution in Laravel with Secure Coding
Understanding HTTP Parameter Pollution in Laravel
HTTP Parameter Pollution (HPP) is a web security vulnerability that occurs when an attacker manipulates multiple HTTP parameters with the same name to bypass security controls, exploit application logic, or perform malicious actions. Laravel, like many PHP frameworks, processes input parameters in a way that can be exploited if not handled correctly.
In this blog, we’ll explore how HPP works, how it affects Laravel applications, and how to secure your web application with practical examples.
How HTTP Parameter Pollution Works
HPP occurs when an application receives multiple parameters with the same name in an HTTP request. Depending on how the backend processes them, unexpected behavior can occur.
Example of HTTP Request with HPP:
    GET /search?category=electronics&category=books HTTP/1.1
    Host: example.com
Different frameworks handle duplicate parameters differently:
PHP (Laravel): Takes the last occurrence (category=books) unless explicitly handled as an array.
Express.js (Node.js): Stores multiple values as an array.
ASP.NET: Might take the first occurrence (category=electronics).
If the application isn’t designed to handle duplicate parameters, attackers can manipulate input data, bypass security checks, or exploit business logic flaws.
Impact of HTTP Parameter Pollution on Laravel Apps
HPP vulnerabilities can lead to:
✅ Security Bypasses: Attackers can override security parameters, such as authentication tokens or access controls.
✅ Business Logic Manipulation: Altering shopping cart data, search filters, or API inputs.
✅ WAF Evasion: Some Web Application Firewalls (WAFs) may fail to detect malicious input when parameters are duplicated.
How Laravel Handles HTTP Parameters
Laravel processes query string parameters using the request() helper or Input facade. Consider this example:
    use Illuminate\Http\Request;

    Route::get('/search', function (Request $request) {
        return $request->input('category');
    });
If accessed via:
GET /search?category=electronics&category=books
Laravel would return only the last parameter, category=books, unless explicitly handled as an array.
Exploiting HPP in Laravel (Vulnerable Example)
Imagine a Laravel-based authentication system that verifies user roles via query parameters:
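    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Route;

    // Vulnerable: the role is taken from a client-controlled query parameter.
    Route::get('/dashboard', function (Request $request) {
        if ($request->input('role') === 'admin') {
            return "Welcome, Admin!";
        } else {
            return "Access Denied!";
        }
    });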
An attacker could manipulate the request like this:
GET /dashboard?role=user&role=admin
If Laravel processes only the last parameter, the attacker gains admin access.
Mitigating HTTP Parameter Pollution in Laravel
1. Validate Incoming Requests Properly
Laravel provides request validation that can enforce strict input handling:
    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Validator;

    Route::get('/dashboard', function (Request $request) {
        // Accept only a single string value taken from a fixed allow-list.
        $validator = Validator::make($request->all(), [
            'role' => 'required|string|in:user,admin'
        ]);

        if ($validator->fails()) {
            return "Invalid Role!";
        }

        return $request->input('role') === 'admin' ? "Welcome, Admin!" : "Access Denied!";
    });
2. Use Laravel’s Input Array Handling
Explicitly retrieve parameters as an array using:
$categories = request()->input('category', []);
Then process them safely:
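    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Route;

    Route::get('/search', function (Request $request) {
        $categories = $request->input('category', []);

        // Only array-style input (category[]=...) is accepted here.
        if (is_array($categories)) {
            return "Selected categories: " . implode(', ', $categories);
        }

        return "Invalid input!";
    });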
3. Encode Query Parameters Properly
Use Laravel’s built-in security functions such as:
e($request->input('category'));
or
htmlspecialchars($request->input('category'), ENT_QUOTES, 'UTF-8');
4. Use Middleware to Filter Requests
Create middleware to sanitize HTTP parameters:
    namespace App\Http\Middleware;

    use Closure;
    use Illuminate\Http\Request;

    class SanitizeInputMiddleware
    {
        public function handle(Request $request, Closure $next)
        {
            $input = $request->all();

            // Drop repeated values inside array-style parameters.
            foreach ($input as $key => $value) {
                if (is_array($value)) {
                    $input[$key] = array_unique($value);
                }
            }

            $request->replace($input);

            return $next($request);
        }
    }
Then, register it in Kernel.php:
    protected $middleware = [
        \App\Http\Middleware\SanitizeInputMiddleware::class,
    ];
Testing Your Laravel Application for HPP Vulnerabilities
To ensure your Laravel app is protected, scan your website using our free Website Security Scanner.
Screenshot of the free tools webpage where you can access security assessment tools.
You can also check the website vulnerability assessment report generated by our tool to check Website Vulnerability:
An Example of a vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.
Conclusion
HTTP Parameter Pollution can be a critical vulnerability if left unchecked in Laravel applications. By implementing proper validation, input handling, middleware sanitation, and secure encoding, you can safeguard your web applications from potential exploits.
🔍 Protect your website now! Use our free tool for a quick website security test and ensure your site is safe from security threats.
For more cybersecurity updates, stay tuned to Pentest Testing Corp. Blog! 🚀
3 notes · View notes
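On the Laravel HTTP Parameter Pollution post above: PHP collapses a repeated scalar parameter to its last value before Laravel sees it, so a check for duplicates has to read the raw query string. The following is an added example, not code from the original post; the function name and the sample query strings are constructed for illustration, and the Laravel wiring mentioned in the comment is an assumption.

```php
<?php
declare(strict_types=1);

/**
 * Return the names of query parameters that occur more than once in a raw
 * query string without PHP's list syntax (name[]=...).
 *
 * Names are normalised the way PHP's own parser does it: URL-decoded,
 * leading spaces dropped, and "." or " " before the first "[" turned into
 * "_", so "user.id" and "user_id" count as the same parameter.
 */
function findDuplicateScalarParams(string $rawQuery): array
{
    $counts = [];
    foreach (explode('&', $rawQuery) as $pair) {
        if ($pair === '') {
            continue; // tolerate "a=1&&b=2" and a trailing "&"
        }
        // Split on the first "=" only; a bare "flag" has no value part.
        $name = urldecode(explode('=', $pair, 2)[0]);

        $bracket = strpos($name, '[');
        $base = $bracket === false ? $name : substr($name, 0, $bracket);
        $rest = $bracket === false ? '' : substr($name, $bracket);
        $key  = strtr(ltrim($base, ' '), '. ', '__') . $rest;

        // "name[]" appends on every occurrence, so repeats are intentional.
        if ($key === '' || substr($key, -2) === '[]') {
            continue;
        }
        $counts[$key] = ($counts[$key] ?? 0) + 1;
    }

    $repeated = array_keys(array_filter($counts, fn (int $n): bool => $n > 1));

    return array_map('strval', $repeated);
}

// Constructed sample query strings for illustration.
$samples = [
    'role=user&role=admin',
    'category%5B%5D=electronics&category%5B%5D=books',
    'user.id=1&user_id=2',
    'category=books&page=2',
];

foreach ($samples as $raw) {
    parse_str($raw, $parsed); // what PHP hands to the application
    printf(
        "%-50s parsed=%s duplicates=%s\n",
        $raw,
        json_encode($parsed),
        json_encode(findDuplicateScalarParams($raw))
    );
}

// Assumed Laravel wiring (not from the post): in a middleware, pass
// $request->server->get('QUERY_STRING', '') to findDuplicateScalarParams()
// and reject the request, e.g. abort(400), when the result is not empty.
```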
kriskukko · 1 year ago
Note
Hello!! I hope you are doing well. Your art is so freaking amazing 👏 I'm just enjoying my time looking at all of it!!! I did have a question tho-- how did you make your webcomic website? I'm curious of the all the steps you took!
this is going to expose my age and personality, but my website making process has two steps in total
-- get the domain/hosting (mine is over at a finnish hosting site) -- code it
and when i say code i mean like, some real mid 2000s shit when i was 13 years old. straight up barebones html and css. there are many good actual website makers these days, but i am a self-proclaimed control freak nincompoop so to me it has always appeared faster to just 'make it from scratch' to get exactly what i wanted (i owe w3schools.com my everything by now probably). i figured -- worked for me a nigh decade ago why wouldn't it now? its still just a string of links is it not (and while it was A THING to have back in the day, am glad iframes are no longer around). i have upgraded my game with some very rudimentary php since ye olden days, but even that i only use for one of the graphic novels. turns out you can really make updating a website and layouts and stuff easier by making a composite out of multiple files and then updating the parts separately. SO NEAT. i will acknowledge that while i thought of responsiveness in the coding process, it is probably not perfect. this is my blatant mirror marketing, since i personally prefer to read things on bigger screens and it is the headscape the art was made etc etc. as such, i'll just take this opportunity and formally apologize to everyone on mobile if the experience is atrocious at your end. with that said -- thank you for the kind words and the question! they brought much joy and nostalgia to my afternoon <3
42 notes · View notes
vladdyissues · 11 months ago
Note
That is SO COOL that you're doing your own gallery for your art. Very clever. I'd love if it caught on with other artists. Is it hosted somewhere, or are you building it yourself?
I've got my own website and hosting, and I'm using third-party software to run my gallery.
I would love to see more of the old school web galleries catching on, but the biggest hurdles today are 1) finding web hosting, and 2) knowing how to build a site.
Neocities is a superb place to learn, and they have generous free hosting and extremely affordable membership options, and no ads, ever. They're funded entirely by their supporters, rather like AO3, so they're not beholden to ad companies—which means they don't have to police content (apart from the typical "nothing in violation of state/federal/international law" as stated under the Offensive Material and the Lawful Use section in their Terms). It's actually a fantastic place for artists to upload their mature art*.
*But you can't hotlink without being a paid supporter. Hotlinking is embedding images on sites outside of where the image is hosted. So if you wanted to use Neocities as a place to upload your nsfw art so you could post it on AO3, you'd need to pay for that ability. But still, having a gallery where you can direct people to your art is pretty sweet.
The only drawback to Neocities that I've seen is that you're limited to doing everything with HTML/CSS and Java, and for experienced web devs who are used to managing their own databases and working with PHP and installing whatever software they want, basically having complete control over every aspect of their site, Neocities is a bit limited. But for new and intermediate web builders, this shouldn't be a problem. There are lots of cool ways to build your own website and have a gallery and just play around and pretend it's 1997 again. (Again? For some, maybe.)
I've got a Neocities site that I occasionally tinker with. Who knows, maybe if enough people join up we can start a DP web ring or a Pompep Club like how fandom used to do back in the early internet days.
(I am not associated with Neocities.org or being paid to promote their services. I just really like what they're doing.)
11 notes · View notes
artsygirl0315 · 2 months ago
Text
Zombie AU + Sector PHP | KND AU(?)
Part three of this AU, Meet Raven! They have little to no coordination with their body as their stitches usually come loose but luckily they (one of them) knows how to stitch.
They have quite a voice that leave mouths agape, even themselves.
More Zombie AU facts for the zombies psychology:
-Zombies with different eye colors in each eye tend to have more of a co-pilot situation. Meaning both individual's consciousness can take control whenever or feel as though their own person in one body. Such as Tyler+Jeremiah or Tyler+Mella.
-Zombies with no difference in eye colors such as Phoebe+Mella tend to have more coordination and don't need to control individually but can take over as one, These are the more in-depth fusions who can still keep a stable function.
-The zombies can be with whomever in multiple fusions, An example is Tyler or Mella as they're found in more fusions than one so there isn't much of a limit so long it's a fusion. Meaning, there can be more than just two people in one fusion but that's up to who one interprets them.
That's all I got, Hope y'all are doing fantastic!! Stay you, stay awesome!!💙
23 notes · View notes
marveltrumpshate · 2 years ago
Text
Marvel Trumps Hate is looking for people to join our team!
Consider this our official announcement: Marvel Trumps Hate is coming back for our sixth year! 
We’re preparing for another awesome auction, and the first thing on our to-do list is finding a server mod, developer, and two designers. Please note that if you’re on the event team, you can still participate in the auction! On the flip side, if you only want to help out as a team member, you’re not obligated to offer fanworks or bid on anything in the auction.
If you’re interested in joining our team, please email [email protected] and include the following information:
Confirmation that you’re over 18
The best way to contact you
What position you’re applying for: server mod, developer, or designer
Availability: Please let us know what time zone you’re in and what days/how many hours per week you can commit to MTH from the start of September to the start of November
Server mod - Please state if you have any experience modding a Discord server or other community. Server mods will be expected to field questions about MTH, make sure the server rules are being followed, and handle any disagreements that may occur. This requires patience and good interpersonal skills
Developer - We’re looking for someone who is familiar with coding/programming in PHP, particularly writing and modifying Wordpress plugins. CSS and HTML will also be helpful. You’ll be working with the dev team to update the auction system on the website, mostly searching already written code to make tweaks to its function and appearance and using basic back-end Wordpress controls to keep the site functional and up-to-date. Once sign-ups and bidding go live in October, you’ll help make sure everything is running smoothly and provide some tech support for the rest of the mod team in case of issues
Designer - If you love making graphics/edits, help us make pretty event and creator banners (event banner examples: x, x, x, creator banner examples: x)! Photoshop access is required. Please provide us with examples of your work 
Please don’t hesitate to contact us if you have any questions. You can reach us by email, Tumblr Messenger, askbox, or Twitter DM. Thank you!
62 notes · View notes
netcup-vouchers · 6 months ago
Text
Supercharge Your Web Presence with Netcup and Exclusive Voucher Deals!
Looking for powerful, reliable, and affordable web hosting solutions? Look no further than netcup! Whether you need a robust VPS, a dedicated root server, or a feature-rich web hosting package, netcup has you covered. And to make their offerings even sweeter, we have an exclusive collection of vouchers to help you save big!
VPS Hosting:
Netcup offers a diverse range of VPS solutions, from the entry-level VPS 1000 G11, perfect for small websites and applications, to the powerhouse VPS 8000 G11, boasting 16 vCores and 2 TB of blazing-fast NVMe storage.
VPS 1000 G11: Ideal for beginners! 4 vCores, 8 GB RAM, 256 GB SSD. Get your first month FREE!
VPS 2000 G11: Best value VPS! 8 vCores, 16 GB RAM, 512 GB SSD. Get it FREE for the first month!
VPS 3000 G11: Serious performance! 10 vCores, 24 GB RAM, 768 GB SSD. Enjoy a FREE month!
VPS 4000 G11: The ultimate performance VPS! 12 vCores, 32 GB RAM, 1 TB SSD. Get it FREE for the first month!
VPS 6000 G11: The beast is here! 14 vCores, 48 GB RAM, 1.5 TB SSD. Claim your FREE month!
VPS 8000 G11: Unstoppable performance! 16 vCores, 64 GB RAM, 2 TB SSD. Claim your FREE month now!
Dedicated Root Servers:
Netcup's dedicated root servers are perfect for demanding projects that require maximum performance and control.
RS 1000 G11: A fantastic entry-level server with 4 dedicated cores and 256 GB NVMe SSD. Get two months FREE!
RS 2000 G11: 8 dedicated cores, 16 GB RAM, 512 GB NVMe SSD, 2.5 Gbit/s network. Get a FREE month!
RS 4000 G9.5: A high-tier server with 12 cores, 32 GB RAM, and 1 TB NVMe SSD. Perfect for resource-intensive tasks.
RS 8000 G11: The ultimate powerhouse with 16 cores, 64 GB RAM, and 2 TB NVMe SSD. Get a FREE month!
Web Hosting:
Netcup's web hosting packages offer a perfect blend of performance, features, and affordability.
WebHosting 2000: Perfect for your first website! 150 GB SSD, 512 MB PHP. Get 30% off!
WebHosting 4000: Powerful & versatile! 500 GB SSD, 25 databases, Ruby & Node.js. 30% off for a limited time!
WebHosting 8000: The best just got better! 1 TB SSD, 50 databases, 1 GB PHP. 30% off!
Exclusive Voucher Deals:
We offer a constantly updated selection of netcup vouchers, including:
Free months on VPS and root servers
Significant discounts on web hosting packages
Cart-wide vouchers for savings on any netcup product
Don't miss out on these incredible deals! Visit our website today to browse our selection of netcup vouchers and supercharge your online presence with powerful and affordable hosting solutions.
Visit: https://netcup-vouchers.com/de/ or https://netcup-vouchers.com
3 notes · View notes
phprentacar · 4 months ago
Text
PHP rent a car Cluj Mercedes-Benz GLE
PHP rent a car Cluj office brings luxury and innovation to the roads of Romania!
Discover the Mercedes-Benz GLE from our offer and be surprised by: ✔️ E-ACTIVE BODY CONTROL – The suspension that redefines comfort behind the wheel. ✔️ 4MATIC – Advanced all-wheel drive for limitless adventures. ✔️ Active traffic jam assistance – Traffic becomes easier than ever. ✔️ Superlative safety – The active cornering braking function protects your every maneuver. ✔️ Generous space and premium comfort – Ideal for the whole family.
Choose performance, style and safety at every kilometer! Book now directly on the website or contact us for more information.
2 notes · View notes