Laravel is a popular web development framework written in PHP, which powers many websites worldwide. True to its popularity, it has a strong development community contributing to its growth in various spheres of web app development.
It is also a widely recommended framework for secure web app development. But every framework has its pitfalls that get fixed in the upcoming patches and updates. You need to be aware of the existing vulnerabilities and make sure your applications can overcome those issues.
Currently, Laravel has one such issue that puts web applications at security risk when you launch your web apps in debug mode. Here is a brief rundown on the actual issue, its security implications and how to deal with it.
So, what’s wrong with Laravel?
Laravel has long been praised for its user authentication mechanism that helps build secure web apps fairly quickly compared to similar web development frameworks. But in recent times, it has been observed that apps based on Laravel have been the target of several credential stuffing attacks and accidental credential exposure.
Data breaches and leaks like this can be a serious issue if left alone and could cause irreparable damage to the app’s credibility and, subsequently, affect the user experience.
On further investigation, it was found that the actual problem arises when the web applications go live with the debug mode turned on.
Developers usually use the debug mode to build apps with relaxed security restrictions to allow for better error analysis and bug fixes. This mode is supposed to be turned on only when the app is under development, as it inherently exposes private information for better data access and program flow analysis.
When you launch a web app with its debug mode still on, it presents an opportunity for hackers to access sensitive data exposed by default in the debug mode.
The sensitive data exposed could include passwords, keys, database information and more that should be hidden from the user or encrypted in ideal cases.
When your app goes live with debug mode still on, this data can be easily accessed via your API calls or environmental variables.
Additionally, if you place the Laravel application files in a way that the application is served out of the web directory, all files will be made accessible to an unauthorized user leading to data leakage. In this case, the .env file containing sensitive information is exposed over the internet, and anyone who knows the URL path to your web directory will be able to access it right from their browser.
Laravel and Possible Security Implications
While this may seem like a simple issue at the outset, it leaves your site vulnerable to several cyber attacks. Hackers may not know which site has its environmental variables exposed and will try a brute force method to grab the sensitive data with a specially crafted HTTP request payload.
If your site is live with debug mode on, hackers can use the HTTP request to access your debug page and get details such as the database information, password and private keys.
What can you do?
While this issue is not exactly a bug or a vulnerability, it is often a result of carelessness on the developer’s part. Simple steps that are overlooked can cause such serious issues, while the fix is simply to make sure you implement the best practices and launch your web apps to go live only in production mode.
Here is what you essentially need to do to fix the issue.
- Always make turn off the debug mode when your app goes live.
- Have a checklist of items to complete and score off before taking your site live. Make sure you always turn off debug mode when launching the site in a production environment.
- Appoint responsible release masters who can take accountability of the release process and ensure a bug-free release for every single update you make to your site.
- Be cautious when moving the files around. Follow the best practices and security recommendations for organizing your folder structure and files of your Laravel app.
- Never put sensitive information such as the .env file in the direct web directory ever. Always make sure you review your code, file structures before getting your site to go live.
These mistakes happen quite frequently and thus require proper enforcement of security practices.
A recent scan by hacken.io found that more than 550 IPs had this issue, completely exposing the dev environmental variables.
Being aware of the known vulnerabilities and taking the necessary precautions will keep your site and web apps healthy and secure at all times. This can prevent malicious use of your site resources and help you make the best use of the default security features provided by Laravel. Keep yourself updated on the latest finds, patches and security updates to ensure a healthy functioning web app.