Category: security

Can someone share the solution for the format string vulnerability in the following request in Laravel 8? http://domain/api?key=APIKEY&origin=3891+Delwood+Drive%2C+Powell%2C+OH%2C+United+States&destination=ZAP%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%25n%25s%0A ..
Laravel uses the package, and the code is from fruitcake/laravel-cors version 1 (currently it uses version 2): // If the request is not allowed, return 403 if (! $this->cors->isActualRequestAllowed($request)) { return new Response('Not allowed in CORS policy.', 403); } https://github.com/fruitcake/laravel-cors/blob/1d127dbec313e2e227d65e0c483765d8d7559bf6/src/HandleCors.php#L45 My question is: why is it checking CORS server-side? ..
Recently I have had a few websites frequently being hacked by a hacker. Once a site is hacked, the hacker uploads a series of "hacker" files into the server root folder. After I clean the website, it happens again several months later. This keeps happening again and again. The problem is I don't know how ..
I turned on GitHub Dependabot and it has listed security vulnerabilities. I was told to use composer update package/laravel. I did this on my localhost and it says that there is nothing to modify in the lock file. I am using Visual Studio Code and it is not showing that anything has been updated. I am ..
I cannot make my upload function safe. I can be hacked. For example, when I change my PDF's raw content to HTML, it still accepts the upload. Here's my upload controller: $validator = Validator::make($data, [ 'photo' => 'mimes:pdf' ]); if ($validator->fails()) { return response()->json([ 'message' => error_formatter($validator), 'errors' => $validator->errors(), ]); } $file = $request->file('photo'); ..
I am new to Livewire and I’m trying to use a modal password confirmation in Laravel 8 using Jetstream/Livewire/TailwindCSS. I’d like to do this as an added layer of protection before providing the user with some sensitive information. As per documentation in https://jetstream.laravel.com/2.x/features/password-confirmation.html (#Modal Confirmation Via Livewire) I should be able to create a component ..
I am developing a project with Laravel. My directory structure on cPanel is as shown below.
– company-app (folder)
– company-files (folder)
– public_html
— company.domain.com (subdomain)
I moved all Laravel files except the public folder to the "company-app" folder. I wanted to exclude it from the document root for security purposes. Apart from these, there are ..
I was developing an API using JWT Authentication. I wrote the code below: `public function login(Request $request) { $credentials = $request->only('email', 'password'); if ($token = $this->guard()->attempt($credentials)) { return $this->respondWithToken($token); } return response()->json(['error' => 'Unauthorized'], 401); }` Here, an API request will be made using a POST request with form data fields in order to log ..
Please, I need help with encrypting concatenated strings using TripleDES encryption. Example string: "12345678",hfbcjehce ================== Sample Code: public function encryptPayload($data) { $key = $this->encKey; $method = "des-ede3-cbc"; $source = mb_convert_encoding($key, 'UTF-16LE', 'UTF-8'); $key = md5($source, true); // $key .= substr($key, 0, 8); $key .= substr($key, 0, 16); $iv = "{$content}{$content}{$content}{$content}{$content}{$content}{$content}{$content}"; // Pad for PKCS7 $encData = openssl_encrypt($data, $method, ..