Laravel

Open-source PHP-based web framework for building web applications

The MVC design pattern separates the application’s logic (Model) from the user interface (View), and defines clear responsibilities for handling user input (Controller).
Uses Eloquent ORM for interacting with the database, providing an elegant and secure ActiveRecord implementation (automatically escapes parameters in queries).

Authorization/Authentication

Offers Passport full OAuth2 server implementation.
Sanctum: A simple way to authenticate SPAs (Single Page Applications) and mobile applications using simple token-based authentication.
Uses bcrypt by default for hashing passwords.

Session Management

Automatically generates a CSRF token for every active user session.

The session ID is typically stored in the user's browser under a cookie like laravel_session.

The cookies should have HttpOnly enabled. Check it at config/session.php:

'secure' => env('SESSION_SECURE_COOKIE', null),
'http_only' => true,

Modify session data and investigate the requests to know the type of driver being used by the application.

`Session Drivers`

File: Default Driver.

Ensure that the session files aren't in a location that is not publicly accessible. (storage/framework/sessions).

Database: Normally use it when persistence across multiple servers is needed

Check the session table access control and database's connections.

Redis: Normally use when the application needs high-performance.

Ensure that is properly configured

Cookie: Session data is stored directly in a cookie in the client-side

Check the cookie is not storing sensitive data.

When the session expires. Check that the session data and the client’s cookie have been removed or invalidated.

Encryption

Support AES-256-CBC encryption.
Uses an API for encrypting and decrypting data with automatic key management.

Enumeration

Tools: Laravel Security and Laravel Auditing.

Check if .env, storage/ are publicly accessible.
- In the .env file; Check APP_DEBUG=false.

Ensure that Debugbar is not enabled.

Check if the application validate the URL during redirects.

Check all form's CSRF tokens.

Check that model's properties properly handle mass assignment. ($fillable or $guarded on Eloquent models).

IDOR: Check validation on user input for model binding in routes:

Route::get('user/{id}', ...)

WhiteBox

Show available routes

php artisan route:list

Regenerate application keys

php artisan key:generate

Rrefresh config caches

php artisan config:cache

Status of database migrations

php artisan migrate:status

Roll back migrations

php artisan migrate:rollback

Seeding the database

php artisan db:seed

PreviousWordpress NextExpress

Last updated 1 day ago

Laravel

Open-source PHP-based web framework for building web applications

The MVC design pattern separates the application’s logic (Model) from the user interface (View), and defines clear responsibilities for handling user input (Controller).
Uses Eloquent ORM for interacting with the database, providing an elegant and secure ActiveRecord implementation (automatically escapes parameters in queries).

Authorization/Authentication

Offers Passport full OAuth2 server implementation.
Sanctum: A simple way to authenticate SPAs (Single Page Applications) and mobile applications using simple token-based authentication.
Uses bcrypt by default for hashing passwords.

Session Management

Automatically generates a CSRF token for every active user session.

The session ID is typically stored in the user's browser under a cookie like laravel_session.

The cookies should have HttpOnly enabled. Check it at config/session.php:

'secure' => env('SESSION_SECURE_COOKIE', null),
'http_only' => true,

Modify session data and investigate the requests to know the type of driver being used by the application.

`Session Drivers`

File: Default Driver.

Ensure that the session files aren't in a location that is not publicly accessible. (storage/framework/sessions).

Database: Normally use it when persistence across multiple servers is needed

Check the session table access control and database's connections.

Redis: Normally use when the application needs high-performance.

Ensure that is properly configured

Cookie: Session data is stored directly in a cookie in the client-side

Check the cookie is not storing sensitive data.

When the session expires. Check that the session data and the client’s cookie have been removed or invalidated.

Encryption

Support AES-256-CBC encryption.
Uses an API for encrypting and decrypting data with automatic key management.

Enumeration

Tools: Laravel Security and Laravel Auditing.

Check if .env, storage/ are publicly accessible.
- In the .env file; Check APP_DEBUG=false.

Ensure that Debugbar is not enabled.

Check if the application validate the URL during redirects.

Check all form's CSRF tokens.

Check that model's properties properly handle mass assignment. ($fillable or $guarded on Eloquent models).

IDOR: Check validation on user input for model binding in routes:

Route::get('user/{id}', ...)

WhiteBox

Show available routes

php artisan route:list

Regenerate application keys

php artisan key:generate

Rrefresh config caches

php artisan config:cache

Status of database migrations

php artisan migrate:status

Roll back migrations

php artisan migrate:rollback

Seeding the database

php artisan db:seed

PreviousWordpress NextExpress

Last updated 1 day ago