In Depth: A Deep Dive into Laravel's New Starter Kits! (pt 2)

[In Depth #36] It's time to review the Livewire Volt, Vue, and React Starter Kits! Let's see what vulnerabilities are hiding under the surface, and just how easy it is to fix them... 🧐


Last month we dived into the first of the new Laravel Starter Kits - Livewire with Blade, and today we're going to (hopefully) get through the rest of them! This is part of our larger series on Authentication, and Laravel 12.

We dived quite deep into the mechanics of the Laravel authentication system in Part 1, so we won't need to do that again - unless there are significant differences. Instead, I'm going to look at the implementation and other unique aspects of each kit. This is one of the reasons I started with the Livewire with Blade Kit - it was supposed to present a traditional feel, but that's not quite how it turned out...

What I said last time is still true: I haven't looked at the Livewire with Volt, Vue or React Starter Kits yet, so I'll be looking at them with fresh eyes. I'll also be installing a fresh copy today, so any updates and fixes since release (and my last article) will be included. If I find any significant security issues, I'll be notifying the Laravel team, and either carefully omitting them or delaying the article entirely.

So let's get into it...

Livewire with Volt

Given we started with the Livewire with Blade kit last time, it feels appropriate to start with the other Livewire kit. I'm expecting it to feel pretty similar - just with code moved from Controllers into Blade templates...

😞
Before we get into this, I should make it clear that I do not like Volt. The idea of mixing app logic in with view templates scares me, and it brings back memories of index.php scripts with app logic and HTML interspersed - the kind of code that introduced many structural XSS and SQLi vulnerabilities.

Volt may not suffer from these out of the box, but it opens the door for many lazy development practices that will lead to vulnerabilities. It also blurs the line between what data is sent to the browser and what is kept protected on the server - something Livewire suffers from too - and that can easily lead to data leaks and bypasses.
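To make that "blurred line" concrete, here is an added example of a hypothetical Volt class-based component; it is not code from the starter kit or from the Laravel team, and the `App\Models\Post` model, the `publish` policy ability and the `$internalNote` field are assumptions for illustration. In Livewire (and therefore Volt), every public property is serialised into the component snapshot sent to the browser and can be sent back modified on the next request, while protected properties and computed properties never leave the server. The weak pattern is left as a comment; the rest shows the shape that keeps sensitive state and authorisation decisions on the server.

```php
<?php
// Added example (not from the starter kit): a hypothetical Volt
// class-based component showing which state reaches the browser.

use App\Models\Post; // assumed model, not part of the kit
use Livewire\Attributes\Computed;
use Livewire\Attributes\Locked;
use Livewire\Volt\Component;

new class extends Component {
    // Weak: a public flag like this is serialised into the snapshot the
    // browser receives, and Livewire accepts it back from the client on
    // the next request, so gating an action on it trusts browser data.
    // public bool $canPublish = false;

    // Hardened: the record identifier must be public so Livewire can
    // rehydrate the component, but #[Locked] rejects client-side changes.
    #[Locked]
    public int $postId;

    // Protected properties are never sent to the browser.
    protected ?string $internalNote = null;

    public function mount(int $postId): void
    {
        $this->postId = $postId;
    }

    // Computed properties are resolved on the server for each request
    // and are not part of the snapshot, so the model is not leaked.
    #[Computed]
    public function post(): Post
    {
        return Post::findOrFail($this->postId);
    }

    public function publish(): void
    {
        // Authorisation is re-checked on the server for every action
        // rather than relying on any property the client could alter.
        $this->authorize('publish', $this->post);

        $this->post->update(['published_at' => now()]);
    }
}; ?>

<div>
    <h1>{{ $this->post->title }}</h1>

    @can('publish', $this->post)
        <button wire:click="publish">Publish</button>
    @endcan
</div>
```

The `@can` directive only decides whether to render the button; the call to `$this->authorize()` inside `publish()` is what actually protects the action, because a `wire:click` request can be issued without the button ever being rendered.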

All of that said, I'll be reviewing the Volt Starter Kit from a security point of view - based on what is actually there, not my fears for the technology itself.

Let's dive into it!

valorin@Ubuntu-24.04.Eowyn:~/dev/securinglaravel$ laravel new

   _                               _
  | |                             | |
  | |     __ _ _ __ __ ___   _____| |
  | |    / _` |  __/ _` \ \ / / _ \ |
  | |___| (_| | | | (_| |\ V /  __/ |
  |______\__,_|_|  \__,_| \_/ \___|_|


 ┌ What is the name of your project? ───────────────────────────┐
 │ livewire-volt                                                │
 └──────────────────────────────────────────────────────────────┘

 ┌ Which starter kit would you like to install? ────────────────┐
 │ Livewire                                                     │
 └──────────────────────────────────────────────────────────────┘

 ┌ Which authentication provider do you prefer? ────────────────┐
 │ Laravel's built-in authentication                            │
 └──────────────────────────────────────────────────────────────┘

 ┌ Would you like to use Laravel Volt? ─────────────────────────┐
 │ Yes                                                          │
 └──────────────────────────────────────────────────────────────┘

 ┌ Which testing framework do you prefer? ──────────────────────┐
 │ Pest                                                         │
 └──────────────────────────────────────────────────────────────┘

laravel new → Livewire → Volt