laravel-unsafe-validator
Found a request argument passed to an ignore() definition in a Rule constraint. This can lead to SQL injection.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
laravel-cookie-long-timeout
laravel-cookie-same-site
laravel-cookie-null-domain
laravel-dangerous-model-construction
Setting $guarded to an empty array allows mass assignment to every property in a Laravel model. This explicitly overrides Eloquent’s safe-by-default mass assignment protections.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP:
- A08:2021 - Software and Data Integrity Failures
laravel-active-debug-code
Found an instance setting the APP_DEBUG environment variable to true. In your production environment, this should always be false. Otherwise, you risk exposing sensitive configuration values to potential attackers. Instead, set this to false.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-489: Active Debug Code
OWASP:
- A05:2021 - Security Misconfiguration
laravel-sql-injection
Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
laravel-blade-form-missing-csrf
Detected a form executing a state-changing HTTP method $METHOD to route definition $...ROUTE without a Laravel CSRF decorator or explicit CSRF token implementation. If this form modifies sensitive state this will open your application to Cross-Site Request Forgery (CSRF) attacks.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control
laravel-api-route-sql-injection
HTTP method [ROUTE_NAME is vulnerable to SQL injection via string concatenation or unsafe interpolation.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
laravel-cookie-http-only
laravel-cookie-secure-set