Security Tip: Watch out for Resource Authorisation

[Tip#50] Watch out when you mix Resource Controllers and Authorisation with custom Controller Actions and custom routes... you may find you're lacking authorisation without realising it!

Security Tip: Watch out for Resource Authorisation

⚠️ Thinking about a Laravel Security Audit and Penetration Test? I have limited spaces available in September & October, reach out now to book yours in, before I’m booked out! 🕵️

Watch out for Resource Authorisation

During a recent security audit, I discovered heavy use of Resource Controllers and Resource Controller Authorisation. It’s a common pattern and one I’m very familiar with, but there was a twist this time…

Checkout their routes1:

Route::get('/books/all', [BookController::class, 'all']);
Route::get('/books/export', [BookController::class, 'export']);
Route::resource('book', BookController::class);

And the controller looked like this:

class BookController extends Controller
    public function __construct()
        $this->authorizeResource(Book::class, 'book');

    public function all(Request $request)
        return ...;

    // Typical resource actions

    public function export(Request $request)
        return ...;

Now I can see exactly what they were thinking here: `authorizeResource()` handles authorisation for controller actions, so they don’t need any manual `authorize()` calls. But guess what happens when a non-standard action is used?

Authorisation is skipped entirely, allowing any authenticated user full access to these extra endpoints! 😱

In my example it’s called Books, but what if it was Users, or Patients, or Contracts? You can quickly see the problem here, as any authenticated user can access any of these unprotected routes.

My Recommendation: Avoid mixing authorisation systems and either use resource controller authorisation without custom actions, or authorise on every action. It’s more tedious, but makes you less likely to forget authorisation. Or, as I’ve said before, if you put authorisation on your routes via middleware, it's harder to forget and easier to review.

During my audit I was able to create a free trial user, and discover (via Ziggy2) unprotected routes that provided me with their entire client database, all via an unprotected export route in their admin tools! Super easy to find and exploit, and they completely missed it.

This is the reason I do my Security Audits - issues like these can be so easily overlooked by dev teams, who are so used to seeing their own code and making assumptions without realising it. Often it takes an independent 3rd party with fresh eyes to look at your code before vulnerabilities are discovered, and it’s far better for that 3rd party to be a friendly hacker working for you than a malicious hacker working against you.

Looking to learn more?
OWASP Tip: A10:2021 – Server-Side Request Forgery (SSRF)
▶️ OWASP In Depth: A08:2021 – Software and Data Integrity Failures

A Few Notes

  1. Laracon US is coming in two weeks, and I will be there! The schedule hasn’t been announced yet, but keep an eye out for the jetlagged Aussie3 and come see my talk! I’ll be running my interactive hacking talk which I did at Laracon EU, so bring your devices and have some fun hacking!

  2. I’ve launched a brand new Laravel Security Reviews service with limited places and a discounted price, aimed at solo devs and small teams who can’t afford a full security audit. It’s aimed at finding the common weaknesses, misconfigurations, and missing security layers I most commonly find during audits.

  3. Substack now supports Referral Rewards! So go tell all of your friends (and enemies) to sign up to Securing Laravel and you can earn a 1, 3 or 6 month paid subscription!

  4. Social Media… I’m now on T2 (I have invites too, if you want one!) and Bluesky (sorry, no invites yet), in addition to Twitter and Mastodon, so if you’re on any of those, come find me! My full list is at:

  5. is starting his own Substack all about building and scaling APIs in PHP and Laravel, so head over and check that out too!

  6. And finally, just a reminder that I’m planning on debunking the different myths and claims that “PHP is insecure”. Please send any claims and myths in my direction! 🔥🤓

  1. All details have been carefully obfuscated to protect the privacy of my client. 🤐

  2. I really need to write a proper article about Ziggy, it’s not a simple case of “Ziggy good” or “Ziggy bad”. On the whole, it's a great tool. But it can be easily used against you.

  3. Note, there may be more than one jetlagged aussie, given some of the other Laravel team members coming too!