Security Tip: Don't Forget to Test Your Signed URLs!

[Tip #88] Signed URLs are awesome, but if you forget to check they are working - you may be leaving a massive vulnerability just waiting to be exploited...

Security Tip: Don't Forget to Test Your Signed URLs!

Signed URLs are one of my favourite Laravel features, and I've written about them many times, however, there is one aspect I don't believe I've covered yet: Testing!

We all know we should be writing tests alongside our code, but are you just testing the "happy-path" (i.e. only successful results), or are you checking failure states too?

It's important to check all the failure states you can think of. This means checking for failing validation, failing authorisation, invalid inputs, and even modified URLs.

As such, when it comes to testing your routes which use Signed URLs, make sure you:

  1. Check any URLs or redirects are correctly generating Signed URLs.

To make testing redirects easier, you can use Laravel's assertRedirectToSignedRoute() assertion to check Signed URLs are correctly generated. (docs)

  1. Check the routes which should be signed are actually validating the signature.

Make sure you test requests with modified signatures, missing signatures, and modified parameters, and ensure you get an 403 response any time an invalid URL is provided.

🧐
I always check for Signed URLs when conducting a Penetration Test, as I'll occasionally find routes which are missing the signature verification from the target route - allowing me to spoof URLs and get up to some mischief.