Bug Hunting: Laravel Debug Mode Gave Me Some Credential Information
- Intro
Before I explain how I found this bug on a public website, I will tell you a little bit about the Laravel framework for building websites.
- Definition
Laravel is an open-source PHP framework known for its robustness and user-friendly nature. It follows the model-view-controller design pattern and reuses components from various other frameworks, which helps developers build well-organized and practical web applications.
Laravel offers a comprehensive set of features that incorporates fundamental elements found in other PHP frameworks, such as CodeIgniter. It also has one of the most extensive documentation and video tutorial libraries of any modern web application framework, and it scales well thanks to PHP's inherently scalable characteristics.
- Proof of Concept
Well, how I found this bug seems funny: in the search bar I tried to inject special characters to test for SQLi and XSS, but I got redirected to an error page.
I recognized this page as Laravel Debug Mode running in a production environment, containing full credential information such as DB, mail, and Redis usernames & passwords, etc.

- Conclusion
Running Laravel in debug mode on a public website can expose sensitive information and potential security vulnerabilities. Debug mode provides detailed error messages, stack traces, and other debugging information (including environment variables such as database, mail, and Redis credentials), which is useful during development but should be disabled in a production environment. Disable debug mode by setting APP_DEBUG to false in the application's .env file.
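The following script is an added example and is not part of the original post or the Laravel project: it audits a Laravel .env file for the misconfiguration described above (APP_DEBUG=true while APP_ENV=production). It assumes only the standard Laravel keys APP_ENV and APP_DEBUG; the two sample .env files it creates are constructed for illustration and contain no real credentials.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Laravel .env file for
# debug mode left enabled in production. Assumes the standard Laravel keys
# APP_ENV and APP_DEBUG; sample files below are constructed, not real.

# env_value FILE KEY -> prints the value of KEY from FILE (last definition
# wins), ignoring commented-out lines and stripping surrounding quotes.
env_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null \
        | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/^"(.*)"$/\1/; s/^'"'"'(.*)'"'"'$/\1/' \
        | tr -d '\r'
}

# check_laravel_debug FILE -> returns 0 if safe, 1 if APP_DEBUG is enabled
# while APP_ENV is production (the condition that leaks the error page).
check_laravel_debug() {
    app_env=$(env_value "$1" APP_ENV)
    app_debug=$(env_value "$1" APP_DEBUG | tr '[:upper:]' '[:lower:]')
    if [ "$app_env" = "production" ] && [ "$app_debug" = "true" ]; then
        echo "UNSAFE: $1 has APP_DEBUG=true with APP_ENV=production" >&2
        return 1
    fi
    echo "OK: $1 (APP_ENV=${app_env:-unset}, APP_DEBUG=${app_debug:-unset})"
    return 0
}

# Constructed sample .env files: the weak setting and the corrected one.
WEAK=$(mktemp)
FIXED=$(mktemp)
trap 'rm -f "$WEAK" "$FIXED"' EXIT

cat > "$WEAK" <<'EOF'
APP_NAME=Demo
APP_ENV=production
APP_DEBUG=true
DB_PASSWORD=example-only
EOF

cat > "$FIXED" <<'EOF'
APP_NAME=Demo
APP_ENV=production
# APP_DEBUG=true
APP_DEBUG="false"
DB_PASSWORD=example-only
EOF

# Demonstration: the weak file fails the check, the fixed file passes.
check_laravel_debug "$WEAK" || echo "(expected: the weak file fails the check)"
check_laravel_debug "$FIXED"
```

Point the function at a deployed application's .env (for example `check_laravel_debug /var/www/app/.env`) from a deployment pipeline or a cron job so that a debug toggle left on after troubleshooting is caught before it reaches users. After changing .env on a server that caches its configuration, run `php artisan config:clear` (or re-run `php artisan config:cache`) so the new APP_DEBUG value actually takes effect.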