
Laravel Horizon Dashboard - Unauthenticated

By kannthu

Severity: Medium
Vidoc Module
#laravel #unauth #dashboard #misconfig
Description

What is the "Laravel Horizon Dashboard - Unauthenticated" module?

The "Laravel Horizon Dashboard - Unauthenticated" module detects a Laravel Horizon Dashboard that is reachable without authentication. Laravel Horizon is a queue monitoring tool for Laravel applications; its dashboard is meant to be restricted to authorized users, and this module identifies instances where it can be accessed without logging in.

This module has a medium severity level, indicating that it poses a moderate risk if left unaddressed.

Author: vagnerd

Impact

If the Laravel Horizon Dashboard is left unauthenticated, anyone who can reach it can read information about the application's queues and recent jobs. This exposes internal operational details to unauthorized parties and can be a stepping stone to further compromise.

How does the module work?

The module works by sending HTTP requests to specific endpoints associated with the Laravel Horizon Dashboard. It then applies matching conditions to determine if the dashboard is accessible without authentication.

For example, the module sends GET requests to the "/api/stats" and "/horizon/api/stats" paths. It then checks that the response body contains the keywords "queueWithMaxRuntime", "recentJobs" and "status", that the response headers include "application/json", and that the HTTP status code is 200.

If all the matching conditions are met, the module flags the Laravel Horizon Dashboard as unauthenticated.

Matching Conditions:

- The response body must contain the keywords: "queueWithMaxRuntime", "recentJobs", and "status".
- The response headers must include "application/json".
- The HTTP status code must be 200.
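The matching logic above can be reproduced as a small self-check that a defender can run against captured responses from their own deployment. The following is an added example, not part of the Vidoc module or of Laravel Horizon: the `HttpResponse` type, the `horizon_exposed` and `classify` functions, and the sample responses are all constructed for illustration. It applies the module's three conditions exactly (all three keywords in the body, "application/json" somewhere in the headers, status 200), which is why a JSON endpoint that merely contains the word "status" is not flagged.

```python
# Added example (not Vidoc's or Laravel Horizon's code): applies the module's
# matching conditions to HTTP responses so the detection logic can be tested
# offline against constructed samples.
from dataclasses import dataclass, field
import json

# Paths probed by the module (taken from the module description).
PROBE_PATHS = ("/api/stats", "/horizon/api/stats")
# All three keywords must be present in the body for a match.
REQUIRED_WORDS = ("queueWithMaxRuntime", "recentJobs", "status")


@dataclass
class HttpResponse:
    """Minimal HTTP response model (constructed for this example)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def headers_contain(headers: dict, needle: str) -> bool:
    """Mirror the module's header word-matcher: look for the needle in any
    header name or value, ignoring header-name case."""
    return any(needle in f"{k.lower()}: {v}" for k, v in headers.items())


def horizon_exposed(resp: HttpResponse) -> bool:
    """True only when all of the module's conditions hold."""
    words_ok = all(w in resp.body for w in REQUIRED_WORDS)
    json_ok = headers_contain(resp.headers, "application/json")
    status_ok = resp.status == 200
    return words_ok and json_ok and status_ok


def classify(responses: dict) -> list:
    """Given {path: HttpResponse} for the probed paths, return the paths that
    match. An empty list means the dashboard looked gated on every path."""
    return [p for p in PROBE_PATHS if p in responses and horizon_exposed(responses[p])]


# --- Constructed sample responses -------------------------------------------

# Unauthenticated dashboard: stats JSON is returned to an anonymous client.
SAMPLE_EXPOSED = HttpResponse(
    status=200,
    headers={"Content-Type": "application/json"},
    body=json.dumps({
        "queueWithMaxRuntime": "default",  # field names from the module description
        "recentJobs": 42,
        "status": "running",
    }),
)

# Properly gated dashboard: the stats endpoint redirects anonymous users to login.
SAMPLE_GATED = HttpResponse(
    status=302,
    headers={"Content-Type": "text/html; charset=UTF-8", "Location": "/login"},
    body="Redirecting to /login",
)

# Unrelated JSON API that happens to contain the word "status": must NOT match,
# because only one of the three required keywords is present.
SAMPLE_UNRELATED_JSON = HttpResponse(
    status=200,
    headers={"content-type": "application/json"},
    body=json.dumps({"status": "ok", "version": "1.2.3"}),
)


if __name__ == "__main__":
    captured = {"/api/stats": SAMPLE_GATED, "/horizon/api/stats": SAMPLE_EXPOSED}
    print("matching paths:", classify(captured))  # ['/horizon/api/stats']
```

On a real deployment the fix is not to tune the matcher but to restrict the dashboard with Horizon's authorization gate (the `viewHorizon` gate covered in the dashboard authorization section of the Horizon docs linked below) so that anonymous requests to these paths are redirected or rejected, as in `SAMPLE_GATED`.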

For more information about Laravel Horizon, you can refer to the official documentation:

- https://github.com/laravel/horizon
- https://laravel.com/docs/10.x/horizon#dashboard-autho

Module preview

Concurrent Requests (1)

1. HTTP Request template

GET /api/stats
GET /horizon/api/stats

Matching conditions

word: queueWithMaxRuntime, recentJobs, status
and
word: application/json
and
status: 200

Passive global matcher

No matching conditions.

On match action

Report vulnerability