In Depth: Pentesting Laravel part 2 - Configs, Dependencies, and Routes

Picking up where we left off last time, we've got our vulnerable variant of Chirper from the Laravel Bootcamp, and have completed the initial passive scans. The next steps are to start to dig deeper into the app, get a feel for the structure and level of security we're expecting to encounter, plus look for some common vulnerabilities and weaknesses.

As per Part One, I'll include a checklist at the end for your reference. So let's get started!

Reviewing Bootstrap & Config Files

We touched on this briefly in Part One, where I talked about manually reviewing a bunch of files, including config/*.php, for committed secrets and API keys. After the passive scans are complete, I take a more in-depth approach to reviewing these files. This time it's not about finding secrets, but looking for weak (or vulnerable) configurations that could be exploited.

Since we've got a Laravel 11 app, let's first check out the files in the bootstrap/ folder:

<?php

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        $middleware->trustProxies('*');
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })->create();

<?php

return [
    App\Providers\AppServiceProvider::class,
    App\Providers\HorizonServiceProvider::class,
];

Two things immediately jump out at me from these files - can you spot them?