In Depth: Pentesting Laravel part 1 - Passive Scans

[In Depth #27] Let me walk you through my process of conducting a Laravel Security Audit and Penetration Test, starting with the passive scans that usually find a lot of low-hanging fruit!

In Depth: Pentesting Laravel part 1 - Passive Scans
🕵️
This is Part One of the Pentesting Laravel series. If you've finished this one, head over to Part Two, to continue the pentest with configs, dependencies, and routes.

I've been asked many times about the process I follow when performing a Laravel Security Audit and Penetration Test. While I could have written up a lifeless checklist, I thought it would be far more interesting to walk you through my entire process, step-by-step, in a series of In Depth posts. We'll be using Chirper from the Laravel Bootcamp as a starting point, although I've introduced a couple of vulnerabilities and misconfigurations for us to find along the way. (Because doing this with a secure application would be boring!)

Welcome to Part One, where we'll be covering the first thing I do during even audit: passive scans against the code and production/staging URLs. These checks always find a bunch of low-hanging fruit early in the process, and give me a good feel for the security level of the rest of the app.

To make it easier for you to refer to this article later, I'll include a checklist at the end of all the steps we tool. But now, let's get started!

Dropbear Scanner

If you've seen my "Th1nk Lik3 a H4cker" Laracon talk, you'll have seen me using Dropbear before - it's my command-line security scanner and hacking toolkit. (Note, I have plans to open source it, but there are a few bits tied to my laptop I need to decouple first.)

The first thing I do when starting an audit is run a dropbear scan across both the code repository and the production and/or staging URLs.

It looks something like this:

Dropbear Scanner Output (there is more, but it makes for a long screenshot!)

I'll also head over to securityheaders.com and run a scan there too:

Security Headers Scan Report

I don't need to use Security Headers - it doesn't tell me anything more than what Dropbear does - but it presents the data in nice way, which I will often screenshot in my reports. It may also highlight new security headers I need to be aware of.

Another scanner that's worth checking out, which I often use too is the one built by ephort over at: https://ephort.dk/scanner.

ephort's scanner highlighting missing security headers

When those are finished, it's time to work through each of the findings.

Missing Security Headers

Required headers
  ❌ content-security-policy
  ❌ content-security-policy-report-only
  ❌ permissions-policy
  ❌ referrer-policy
  ❌ strict-transport-security
  ✅ x-content-type-options
  ✅ x-frame-options
  ❌ <meta> tag content-security-policy

As we can see from the above, the following headers are missing: