Laravel

Open-source PHP-based web framework for building web applications

  • The MVC design pattern separates the application’s logic (Model) from the user interface (View), and defines clear responsibilities for handling user input (Controller).

  • Uses Eloquent ORM for interacting with the database, providing an elegant and secure ActiveRecord implementation (automatically escapes parameters in queries).

Authorization/Authentication

  • Offers Passport full OAuth2 server implementation.

  • Sanctum: A simple way to authenticate SPAs (Single Page Applications) and mobile applications using simple token-based authentication.

  • Uses bcrypt by default for hashing passwords.

Session Management

  • Automatically generates a CSRF token for every active user session.

  • The session ID is typically stored in the user's browser under a cookie like laravel_session.

  • The cookies should have HttpOnly enabled. Check it at config/session.php:

'secure' => env('SESSION_SECURE_COOKIE', null),
'http_only' => true,

  • Modify session data and investigate the requests to know the type of driver being used by the application.

Session Drivers

File: Default Driver.

  • Ensure that the session files aren't in a location that is not publicly accessible. (storage/framework/sessions).

Database: Normally use it when persistence across multiple servers is needed

  • Check the session table access control and database's connections.

Redis: Normally use when the application needs high-performance.

  • Ensure that is properly configured

Cookie: Session data is stored directly in a cookie in the client-side

  • Check the cookie is not storing sensitive data.

  • When the session expires. Check that the session data and the client’s cookie have been removed or invalidated.

Encryption

  • Support AES-256-CBC encryption.

  • Uses an API for encrypting and decrypting data with automatic key management.

Enumeration

Tools: Laravel Security and Laravel Auditing.

  • Check if .env, storage/ are publicly accessible.

    • In the .env file; Check APP_DEBUG=false.

  • Ensure that Debugbar is not enabled.

  • Check if the application validate the URL during redirects.

  • Check all form's CSRF tokens.

  • Check that model's properties properly handle mass assignment. ($fillable or $guarded on Eloquent models).

  • IDOR: Check validation on user input for model binding in routes:

Route::get('user/{id}', ...)
WhiteBox
Show available routes
php artisan route:list
Regenerate application keys
php artisan key:generate
Rrefresh config caches
php artisan config:cache
Status of database migrations
php artisan migrate:status
Roll back migrations
php artisan migrate:rollback
Seeding the database
php artisan db:seed
PreviousWordpressNextExpress

Last updated