In Depth: Laravel Security Audits Top 10 (2024)!

[In Depth #31] Here are the Top 10 security issues I've found during my security audits, highlighting the areas where we as a community need to improve our security.


Back in April 2023 I put together my list of Top 10 issues discovered during my security audits. The list was (and still is) incredibly popular, and presented a good look at the issues Laravel developers need to be aware of.

While preparing for my Laracon AU 2024 talk, I decided to refresh the list. I covered some of these issues during the talk (I'll share the recording when it's released), and now it's time to reveal the full list...

Laravel Security Audits Top 10 (2024)

  1. Cross-Site Scripting (XSS)
  2. Committed Credentials & Admin Emails
  3. Outdated & Vulnerable Dependencies
  4. Insecure Cryptography
  5. Missing Authorisation
  6. Missing Content Security Policy (CSP)
  7. Missing HTTP Strict Transport Security (HSTS)
  8. Missing Subresource Integrity (SRI)
  9. Type Juggling & Timing Attacks
  10. Insufficient Rate Limiting

Hopefully nothing on this list is a surprise - with one exception (#9), all were on the last list, and we've talked about these topics many times on Securing Laravel. I've linked to past articles so you can learn more about anything you're unfamiliar with.

So rather than summarise each of these topics, we're going to look at the why: why each of these issues is on the Top 10, where it ranked last year, and why I believe it's so important that you're aware of them.

#1 - XSS Rises to the Top

#1 - Cross-Site Scripting (XSS)

Believe it or not, seeing XSS (Cross-Site Scripting) in the #1 spot was actually a surprise to me! Partly because it sat down the list at #7 last time, but also because it just didn't feel overly common in my memory. Yet from reviewing my findings, there was actually quite a lot of it to be found. As a side note, it actually ranked lower than dependencies in raw numbers (dependencies topped my raw count), but the severity of XSS elevated it to the top.

🤔 I suspect XSS should have been higher than #7 last time. That list was mostly based on the raw numbers, whereas this year I've made some judgement calls to more accurately represent severities.

The types of XSS I encountered were varied, both in where it was hiding and in severity. So let's take a look at the various ways it snuck in: