Did successful XSS in a website.
Later on, found out that the web was built on laravel.
Still trying to figure out the level of negligence required to make a xss vulnerable laravel website

  • 7
    It’s not that hard on any sort of website. You just have to not know what you’re doing. πŸ˜‚
  • 1
    XSS is easily missed, or not tested for in general.

    Independent audits make sure those slips ups don't get left in prod for too long πŸ˜…
  • 1
    what would you say about a laravel app spitting out all env details cause app debug is true even when environment is production
  • 2
    And mysql host can be connected from anywhere.
  • 2
    @fahad3267 that's one incompetent dev leaving the .ENV open to the public, it's like leaving your .git/ folder open.

    Actually it's probably worse, I know have everything I need to do anything I want.

    db access should never be publicly accessible, firewall should be blocking direct access, even ssh into that server should be restricted to a whitelist and/or private keys.
  • 0
    Maybe confused between blade {{ and {!!
  • 2
    The Web isn't built on Laravel.
  • 2
    Your grammar is as horrible as mine.
    (The refers to the subject told before.)

    * Now don't say i don't get sarcasm
  • 4
    @fahad3267 you don't get sarcasm.
  • 1
    @Cultist @fahad3267

    Maybe becouse lack of context but I found that cute.¯\_(ツ)_/¯
Add Comment