How secure is laravel 5.1?


I've developed a few Laravel applications and found them to be pretty secure in my eyes.

I ran a variety of penetration tests: the OWASP ZAP scanner, sqlsus and 5+ tools including bbqsql and similar things for DB pen tests, nmap for port scanning, then switched ZAP to attack mode to perform various XSS and CSRF attacks, and found no vulnerabilities from Laravel itself, just a couple of things from my server itself which I patched up.

It's important to say that no application is 100% secure as it depends a lot on how you do things.

However, Laravel does do a pretty good job out of the box by protecting you from:

  • SQL injection: if you use Eloquent queries these will keep you safe. But you will be vulnerable if you use DB::raw() queries as these can open you up to injection.

  • CSRF: Laravel takes care of this with CSRF tokens that it checks on each POST request, so make sure you use them; essentially this protects you from someone changing the nature of the request, i.e. from POST to GET.

  • XSS: First sanitise user input. Variables are not escaped using the blade syntax {!! !!}, which resolves to <?= e($foo) ?> inside your HTML code, whereas {{ }} escapes the data.

This is a pretty short overview of Laravel security. Once you start opening yourself up with file uploads etc. it can be a little bit more tricky, as can doing unsafe things in PHP.

This article here might be an interesting read to go a little more in depth with the above.

In short, I've found Laravel to be secure from all the attacks I've ever run by using Eloquent and sanitising input where required, along with the correct use of blade syntax and the CSRF token.
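The three protections the answer lists, written out as Laravel 5.1 code. This is an added example, not code from the answer above or from the Laravel project. It assumes a stock application with an App\User Eloquent model over a `users` table that has `email` and `bio` columns, and the default VerifyCsrfToken middleware registered in app/Http/Kernel.php. For the Blade part, `{{ $x }}` compiles to `<?php echo e($x); ?>` (HTML-escaped output) and `{!! $x !!}` to `<?php echo $x; ?>` (raw output).

```php
<?php
// Added example, not code from the answer or from the Laravel project.
// Assumes: App\User model, `users` table with `email` and `bio` columns,
// and the default VerifyCsrfToken middleware (present in a stock 5.1 app).

namespace App\Http\Controllers;

use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class ProfileController extends Controller
{
    // SQL injection: Eloquent and the query builder send user values to PDO
    // as bindings, so a crafted value cannot alter the statement's structure.
    public function show(Request $request)
    {
        $email = $request->input('email');

        // Eloquent: $email travels as a bound parameter.
        $user = User::where('email', $email)->first();

        // Raw SQL is still safe while the user value stays a `?` binding.
        $rows = DB::select('select id, bio from users where email = ?', [$email]);

        // whereRaw() with a binding array: the placeholder is bound, not pasted in.
        $row = DB::table('users')
            ->whereRaw('lower(email) = ?', [strtolower($email)])
            ->first();

        return view('profile.show', ['user' => $user]);
    }

    // The pattern the answer warns about: once request data is interpolated
    // into SQL text, or wrapped in DB::raw(), the database receives whatever
    // the client sent as part of the query. Kept here only to show the
    // difference; it should not exist in a real controller.
    public function showUnsafe(Request $request)
    {
        $email = $request->input('email');
        $id    = $request->input('id');

        // Vulnerable: "$email" is interpolated into the SQL string.
        $rows = DB::select("select id, bio from users where email = '$email'");

        // Vulnerable: DB::raw() marks the client-supplied value as trusted SQL,
        // so the builder inlines it instead of binding it.
        $row = DB::table('users')->where('id', DB::raw($id))->first();

        // Hardened equivalents of the two lines above:
        $rows = DB::select('select id, bio from users where email = ?', [$email]);
        $row  = DB::table('users')->where('id', $id)->first();

        return view('profile.show', ['user' => $row]);
    }
}

/*
-- resources/views/profile/show.blade.php (Blade markup, shown as a comment) --

{{-- CSRF: csrf_field() emits <input type="hidden" name="_token" value="...">.
     VerifyCsrfToken compares it with the session token on every POST/PUT/
     PATCH/DELETE and returns a 403 (TokenMismatchException) when it differs. --}}
<form method="POST" action="/profile">
    {!! csrf_field() !!}
    <textarea name="bio">{{ $user->bio }}</textarea>
    <button type="submit">Save</button>
</form>

{{-- XSS: {{ }} compiles to <?php echo e($user->bio); ?>, so
     <script>alert(1)</script> in a bio is rendered as text. --}}
<p>{{ $user->bio }}</p>

{{-- {!! !!} compiles to <?php echo $user->bio; ?> with no escaping.
     Only use it for HTML your own code produced, never for user input. --}}
<p>{!! $user->bio !!}</p>
*/
```

Routing the two methods side by side (for example `Route::get('profile', 'ProfileController@show')`) and requesting `?email=' OR '1'='1` against each is the quickest way to see the difference in the query log: the safe method logs a prepared statement with a binding, the unsafe one logs the client string spliced into the SQL.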




Updated on June 04, 2022

Comments

  • davejal
    davejal almost 2 years

    After reading about SQL injection I wonder how secure it is to create apps in Laravel and how to test if your security meets today's standards?

  • davejal
    davejal over 8 years
    could you elaborate on 'just a couple of things from .... patched up.'
  • James
    James over 8 years
    They were things to do with my apache installation and server configuration. Which I fixed by updating apache and changing some server settings. They were minor things and still hard to exploit but better safe than sorry.
  • jartaud
    jartaud about 8 years
    Are you sure about the {!! !!} thing?
  • James
    James about 8 years
  • jartaud
    jartaud about 8 years
    {{"<b>Hello</b>"}} = <b>Hello</b> {!!"<b>Hello</b>"!!} = Hello (bold)
  • Mfoo
    Mfoo almost 6 years
    @jartaud that is exactly what james stated...
  • jartaud
    jartaud about 5 years
    @Mfoo have you checked his post's diff?