
Laravel log file publicly accessible

By kannthu

Severity: High
Vidoc Module
#laravel #logs #exposure
Description

What is the "Laravel log file publicly accessible" module?

The "Laravel log file publicly accessible" module is designed to detect a potential misconfiguration in a Laravel web application: a log file that can be fetched over HTTP. The log file may contain sensitive information such as tokens, error messages, and syntax errors. This module has a high severity level, indicating that the misconfiguration poses a significant risk to the security of the application.

Impact

If the log file of a Laravel application is publicly accessible, it can expose sensitive information to unauthorized users. This information can be used by attackers to gain further access to the application, exploit vulnerabilities, or launch targeted attacks.

How does the module work?

The "Laravel log file publicly accessible" module works by sending an HTTP GET request to the path "/storage/logs/laravel.log" of the target application. It then applies a set of matching conditions to determine if the log file is publicly accessible.

The matching conditions include:

- Checking the response body for specific words such as "InvalidArgumentException", "local.ERROR", "ErrorException", and "syntax error". If any of these words are found, it indicates that the response is a Laravel log that may contain sensitive information.
- Checking the response headers for the presence of the "text/plain" or "text/x-log" content types. These content types are commonly associated with log files.
- Verifying that the HTTP response status code is 200, indicating a successful request.

If all of these matching conditions are met, the module reports a potential misconfiguration, indicating that the log file is publicly accessible.

For example, the module may send the following HTTP request:

GET /storage/logs/laravel.log

It then analyzes the response to determine if the log file is publicly accessible based on the matching conditions.
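The matching logic described above, re-implemented in Python as an added example (this is not Vidoc's own code). The HttpResponse type and the sample responses are constructed for illustration; the path, words and content types are the ones listed on this page.

```python
from dataclasses import dataclass, field

# Values taken from the module description: request path, body words, header content types.
LOG_PATH = "/storage/logs/laravel.log"
BODY_WORDS = ("InvalidArgumentException", "local.ERROR", "ErrorException", "syntax error")
LOG_CONTENT_TYPES = ("text/plain", "text/x-log")


@dataclass
class HttpResponse:
    """Minimal stand-in for a parsed HTTP response (hypothetical type, not Vidoc's)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def header(resp: HttpResponse, name: str) -> str:
    # Header names are case-insensitive, so normalise before comparing.
    return next((v for k, v in resp.headers.items() if k.lower() == name.lower()), "")


def matches_laravel_log_exposure(resp: HttpResponse) -> bool:
    """Apply the three matchers with AND semantics; each word matcher is OR over its words."""
    body_hit = any(word in resp.body for word in BODY_WORDS)
    content_type = header(resp, "Content-Type").lower()
    header_hit = any(ct in content_type for ct in LOG_CONTENT_TYPES)
    return body_hit and header_hit and resp.status == 200


# Constructed sample responses (not captured from any real host).
EXPOSED_LOG = HttpResponse(
    200,
    {"Content-Type": "text/plain; charset=utf-8"},
    '[2023-01-01 00:00:00] local.ERROR: Undefined variable $x {"exception":"ErrorException"}\n',
)
NOT_FOUND = HttpResponse(404, {"Content-Type": "text/html"}, "<h1>Not Found</h1>")
# A catch-all route that answers 200 with HTML for any path: status matches, the rest does not.
SPA_FALLBACK = HttpResponse(200, {"Content-Type": "text/html"}, "<html><body>App</body></html>")
# Log served with a log content type but none of the indicative words: body matcher fails.
QUIET_LOG = HttpResponse(200, {"Content-Type": "text/x-log"}, "[2023-01-01 00:00:00] local.INFO: boot\n")


if __name__ == "__main__":
    for name, resp in [("exposed", EXPOSED_LOG), ("404", NOT_FOUND),
                       ("spa", SPA_FALLBACK), ("quiet", QUIET_LOG)]:
        print(f"GET {LOG_PATH} -> {name}: match={matches_laravel_log_exposure(resp)}")
```

Because the three matchers are combined with AND, a catch-all route that returns 200 with an HTML page for unknown paths does not trigger a report on its own.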

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /storage/logs/larave...
Matching conditions
word: InvalidArgumentException, local.ERROR, E... (and)
word: text/plain, text/x-log (and)
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability