Automate Recon and scanning process with Vidoc. All security teams in one place
By kannthu
The "Laravel Debug Method Enabled" module is a test case designed to detect misconfigurations in Laravel applications. It targets the Laravel framework, which is a popular PHP framework used for web application development. The severity of this module is classified as medium.
Author: dhiyaneshDK
This module aims to identify if the Laravel debug mode is enabled. When debug mode is enabled, detailed error messages are displayed, which can potentially expose sensitive information about the application's configuration and code. This information can be exploited by attackers to gain unauthorized access or launch further attacks on the application.
The "Laravel Debug Method Enabled" module works by sending HTTP requests to the target application and analyzing the responses for specific conditions. It uses matching conditions to identify if the application returns an error message containing the phrase "Whoops! There was an error" and if the HTTP status code is 500 (Internal Server Error).
By detecting these conditions, the module can determine if the Laravel debug mode is enabled. If the conditions are met, it indicates a potential misconfiguration that should be addressed to enhance the security of the application.
Example HTTP request:
GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
The module matches the response against the following conditions:
- The response body contains the phrase "Whoops! There was an error". - The HTTP status code is 500 (Internal Server Error).If both conditions are met, the module reports that the Laravel debug mode is enabled and suggests taking appropriate actions to disable it in order to mitigate potential security risks.