In Depth: Pentesting Laravel part 2 - Configs, Dependencies, and Routes

[In Depth #28] Continuing our Laravel Security Audit and Penetration Test, we're looking into configs and dependences, and following threads to discover 4 CRITICAL vulnerabilities!

In Depth: Pentesting Laravel part 2 - Configs, Dependencies, and Routes
🕵️
This is Part Two of the Pentesting Laravel series, reviewing configs, dependencies, and following their threads into vulnerable routes.

If you've missed any of the previous parts, go check those out first:
Part 1: Passive Scans
Part 2: Configs, Dependencies, and Routes
Part 3: Looking for "Interesting" Code
Part 4: Reading Code Pays Off!

Picking up where we left off last time, we've got our vulnerable variant of Chirper from the Laravel Bootcamp, and have completed the initial passive scans. The next steps are to start to dig deeper into the app, get a feel for the structure and level of security we're expecting to encounter, plus look for some common vulnerabilities and weaknesses.

As per Part One, I'll include a checklist at the end for your reference. So let's get started!

Reviewing Bootstrap & Config Files

We touched on this briefly in Part One, where I talked about manually reviewing a bunch of files, including config/*.php, for committed secrets and API keys. After the passive scans are complete, I take a more in-depth approach to reviewing these files. This time it's not about finding secrets, but looking for weak (or vulnerable) configurations that could be exploited.

Since we've got a Laravel 11 app, let's first check out the files in the bootstrap/ folder:

<?php

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        $middleware->trustProxies('*');
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })->create();

bootstrap/app.php

<?php

return [
    App\Providers\AppServiceProvider::class,
    App\Providers\HorizonServiceProvider::class,
];

bootstrap/providers.php

Two things immediately jump out at me from these files - can you spot them?