Questions tagged [laravel]

Laravel is a PHP framework.

19 questions
6
votes
2 answers

Why does this Laravel CSRF vulnerability work?

Recently Laravel 4 was updated to address a security concern: there was a CSRF vulnerability in their code. Here's the old code: if (Session::token() != Input::get('_token')) { throw new Illuminate\Session\TokenMismatchException; } And here's…
Jason
  • 63
  • 3
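As an added example (not Laravel's own code, and not the project's actual fix), the following PHP script shows why the loose `!=` comparison in the old check above is dangerous and what a strict, constant-time replacement looks like. It assumes, as a labelled assumption, that the framework merges a JSON request body into the same input bag, so a client can make `_token` a boolean or integer instead of a string; the session token and attacker inputs are constructed values.

```php
<?php
// Added example: loose vs strict CSRF token comparison in PHP.
// Not Laravel's code. Assumption: a JSON body such as {"_token": true}
// ends up in the input bag as a PHP boolean, not a string.
declare(strict_types=1);

// Mirrors the old check from the question: accepted unless "!=" says mismatch.
function looseTokenCheck(string $sessionToken, $inputToken): bool
{
    return !($sessionToken != $inputToken);
}

// Hardened check: require a string, then compare in constant time.
function strictTokenCheck(string $sessionToken, $inputToken): bool
{
    if (!is_string($inputToken)) {
        return false;                     // arrays, booleans, null, ints
    }
    return hash_equals($sessionToken, $inputToken);
}

// Constructed session token (never contains the attacker's values).
$sessionToken = 'a3f9c2d17e4b6a0f';

// Constructed attacker inputs: none of them is the real token.
$attackerInputs = [
    'true  (JSON {"_token": true})' => true,
    'int 0 (JSON {"_token": 0})'    => 0,
    'null  (field missing)'         => null,
    'empty string'                  => '',
];

foreach ($attackerInputs as $label => $input) {
    printf("%-32s loose: %-7s strict: %s\n",
        $label,
        looseTokenCheck($sessionToken, $input)  ? 'ACCEPT' : 'reject',
        strictTokenCheck($sessionToken, $input) ? 'ACCEPT' : 'reject');
}
// "abc" != true is false in PHP (non-empty string is truthy), so the loose
// check ACCEPTS a boolean true. The "int 0" row is accepted on PHP 7
// ("abc" == 0 was true) and rejected on PHP 8; the strict check rejects all.
```

Run with `php loose_vs_strict.php`. The point the question is circling is that `!=` applies PHP type juggling before comparing, so an input the attacker can type-control defeats a check that never looks at the token's bytes; `hash_equals` on a verified string closes both the type-juggling and the timing side channel.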
2
votes
2 answers

Is there any way an attacker can access the server and modify the site (php) code?

I recently had a breach on my site (laravel). I became aware of it after I tried to pull the code from github and found out that some files were modified. The files modified were mostly storage - logs/cache and index.php had error_reporting(E_ALL) in…
php.prg
  • 21
  • 3
2
votes
1 answer

Missing HTTPOnly Cookie Attribute in Laravel 7

I have a Laravel site, I thought I patched this issue already. I got these in my session.php 'secure' => true, 'http_only' => true, But OpenVAS still detected that I still need to fix it. It also listed it 3 times. Am I missing anything else? or…
code-8
  • 125
  • 1
  • 7
2
votes
2 answers

How to detect website active routes?

I'm building a website using Laravel and I'm just thinking about security. I would like to know if there is a way for an attacker to detect all active web routes for a website? For…
OrangeSpider
  • 31
  • 1
  • 4
2
votes
1 answer

Limit rights for user applications

I have a website where users are able to upload small applications which run 24/7 on my server. So if the user uploads an application, some folders will be created: /{USER_ID}/{APP_ID}/ (if the user folder already exists, the /{USER_ID}/…
xKushGene
  • 21
  • 1
1
vote
2 answers

SQL Injection detected

I was loading my site's front end and watching the responses in Burp Suite when I noticed a response which contained a very verbose SQL error: "message": "SQLSTATE[22P02]: Invalid text representation: 7 ERROR: invalid input syntax for type bigint:…
David
  • 95
  • 1
  • 7
1
vote
0 answers

Identifying Source of Malware Attack on Laravel App

We have a Laravel 5.6.x application running as a REST backend with PHP 7 on one of our servers. The server uses CentOS with WHM/cPanel/PhpMyAdmin. Recently that server issued a maldet warning (our malware detector) after it saw some strange PHP files…
Ablancore
  • 11
  • 2
1
vote
1 answer

Session sync between two web apps on the same domain

I have a Laravel 6 site, and a legacy Drupal 7 site. Both are served under the same domain, and both share the same user database table. I'd like users to be able to log in via Laravel (never via Drupal) and then browse between the two systems…
jeff-h
  • 113
  • 4
1
vote
0 answers

laravel-poc-CVE-2018-15133

I want to test the Laravel exploit PoC based on https://github.com/kozmic/laravel-poc-CVE-2018-15133/. I did the Docker steps to reach the Laravel home page on localhost:8000, then I got the API key and simply put APIKEY in the PHP command to find the header. When I sent…
james
  • 11
  • 1
0
votes
1 answer

Hidden Input prevent value changing - Laravel

So I was testing my application for some vulnerabilities and found one that I missed: this puts the ID of the current event during the checkout into the database. Of course…
user160241
0
votes
1 answer

How to secure Laravel website against the ongoing massive exploitation

My website built upon Laravel is currently under attack. Only the index.php file was changed, and by that I mean that every line of code is inserted above the original Laravel code. So this code executes before the legitimate Laravel code. It is…
0
votes
1 answer

What should I worry about when attaching a token to a request manually?

I'm developing a platform that has 2 parts: an API written using Laravel, that integrates with the database and provides data in a RESTful state, and multiple fronts that connect to the API and perform different tasks. Laravel suggests that you should…
Johansson
  • 111
  • 3
0
votes
0 answers

Taking html, js, css input from the user

We are building a multi-tenancy web app with Laravel (+Blade). Each user can create a store (tenancy) and has a control panel where they can edit the store settings and styling. To edit the store styling, we thought about letting the user opt to…
RedZ
  • 101
  • 1
0
votes
2 answers

How do I protect a Laravel backend API from hijacking/CSRF when there is a React frontend?

I'm finding it really hard to find a solution to make secure requests via our API without a potential hacker being able to see sensitive secret information via Google Chrome dev tools (or any browser's dev tools), as React tends to show everything…
Bilal
  • 3
  • 2
0
votes
2 answers

Security breach from contact form in Laravel 5.8.36?

The most bizarre thing happened: someone found out the SMTP mail driver credentials from a Laravel project, which are stored in the .env. The credentials are used for a contact form. The .env was in production and the debug was set to false…
Don40
  • 1